Subbu created KAFKA-20450:
-----------------------------
Summary: SafeObjectInputStream uses denylist based approach
Key: KAFKA-20450
URL: https://issues.apache.org/jira/browse/KAFKA-20450
Project: Kafka
Issue Type: Bug
Reporter: Subbu
File :
connect/runtime/src/main/java/org/apache/kafka/connect/util/SafeObjectInputStream.java
The current SafeObjectInputStream uses a denylist-based approach - having a
fixed denylist to be validated against for deserialization. This is a bad
security practice and has also been mentioned in the original PR.
We need to use allowlisting as a better security practice.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
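As an added illustration of the denylist-versus-allowlist point (this is not the SafeObjectInputStream from the Kafka tree and not code from the issue reporter), the block below puts a denylist-style resolveClass override next to an allowlist-style one, and then expresses the same allowlist with the JDK's own ObjectInputFilter (Java 9+). The Offset payload type, the placeholder denied class name and the HashMap stand-in for an unexpected payload are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

/** Added example, not Kafka's code: a denylist reader next to two allowlist readers. */
public class DeserializationFilters {

    // Constructed payload type standing in for the one value the application actually expects.
    public static final class Offset implements Serializable {
        private static final long serialVersionUID = 1L;
        final String topic;
        final long position;
        Offset(String topic, long position) { this.topic = topic; this.position = position; }
    }

    // Denylist style: rejects a fixed set of known-bad class names and lets everything else through.
    // Any class missing from the list, or added to the classpath later, is resolved and deserialized.
    static final class DenylistObjectInputStream extends ObjectInputStream {
        // Constructed placeholder name; a real denylist would carry known gadget classes.
        private static final Set<String> DENIED = Set.of("com.example.KnownBadGadget");
        DenylistObjectInputStream(byte[] bytes) throws IOException { super(new ByteArrayInputStream(bytes)); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (DENIED.contains(desc.getName())) throw new InvalidClassException(desc.getName(), "denied");
            return super.resolveClass(desc);
        }
    }

    // Allowlist style: resolves only the classes the caller declares it needs; everything else fails closed.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowlistObjectInputStream(byte[] bytes, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(bytes));
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) throw new InvalidClassException(desc.getName(), "not allowlisted");
            return super.resolveClass(desc);
        }
    }

    // Same allowlist policy with the JDK's ObjectInputFilter (Java 9+): the named class is allowed,
    // "!*" rejects every other class, and the limits bound depth and object count for the stream.
    static ObjectInputStream jdkFilteredStream(byte[] bytes, String allowedClass) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
        ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                allowedClass + ";!*;maxdepth=5;maxrefs=50"));
        return ois;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Reports whether the stream accepted the payload, without letting a rejection abort the demo.
    static String readOrReject(ObjectInputStream ois) {
        try (ois) {
            return "accepted " + ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        String expected = Offset.class.getName();
        byte[] legit = serialize(new Offset("orders", 42L));
        // Not on the denylist, but not something the reader should ever accept either.
        byte[] unexpected = serialize(new HashMap<String, String>());

        for (byte[] payload : new byte[][] {legit, unexpected}) {
            System.out.println("denylist  : " + readOrReject(new DenylistObjectInputStream(payload)));
            System.out.println("allowlist : " + readOrReject(new AllowlistObjectInputStream(payload, Set.of(expected))));
            System.out.println("jdk filter: " + readOrReject(jdkFilteredStream(payload, expected)));
        }
    }
}
```

The denylist reader accepts both payloads, because the HashMap is simply not on its list; both allowlist readers accept the Offset and reject the HashMap. The difference is what happens for a class nobody thought of: the denylist resolves it, the allowlist does not. Note that in the resolveClass-based readers the rejection happens in resolveClass, before any instance of the class is created; with ObjectInputFilter the JDK resolves the class first and then consults the filter, also before instantiation.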