[ https://issues.apache.org/jira/browse/SHIRO-808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17285301#comment-17285301 ]

Brian Demers commented on SHIRO-808:
------------------------------------

Blocklists are not an effective mechanism for this type of attack.  The list of 
things to block is almost infinite; an allow list (or similar) would be more 
appropriate.  

Shiro's parsing of the object stream in question works against an encrypted 
stream of data; this is not a perfect solution (and there is no perfect 
security).

IIRC, the Jackson project used a block list in 2.10 and ended up with many 
problems (as that list continues to grow), and it has been deprecated: 
[https://cowtowncoder.medium.com/jackson-2-11-features-40cdc1d2bdf3]


As mentioned above this isn't the best place to discuss (and disclose) 
potential security issues.  We are happy to keep talking about this on 
`[email protected]`

For more info see: https://www.apache.org/security/


> security enhance
> ----------------
>
>                 Key: SHIRO-808
>                 URL: https://issues.apache.org/jira/browse/SHIRO-808
>             Project: Shiro
>          Issue Type: Improvement
>          Components: RememberMe
>    Affects Versions: 1.7.0, 1.7.1
>            Reporter: k4n5hao
>            Priority: Minor
>
> in file:
> shiro/lang/src/main/java/org/apache/shiro/lang/io/ClassResolvingObjectInputStream.java
> we can find the resolveClass function.
>  
> if shiro blocks these classes below in the resolveClass function, it can protect shiro 
> against deserialization vulnerabilities:
> org.apache.commons.collections.functors.ChainedTransformer.transform
> org.apache.commons.collections.functors.InvokerTransformer
> org.apache.commons.collections.functors.InstantiateTransformer
> org.apache.commons.collections4.functors.InvokerTransformer
> org.apache.commons.collections4.functors.InstantiateTransformer
> org.codehaus.groovy.runtime.ConvertedClosure
> org.codehaus.groovy.runtime.MethodClosure
> org.springframework.beans.factory.ObjectFactory
> xalan.internal.xsltc.trax.TemplatesImpl
> org.apache.commons.beanutils.BeanComparator
>  
> link:[https://github.com/wh1t3p1g/ysomap/tree/master/core/src/main/java/ysomap/core/payload/java/collections]
>  
> I have not discovered a new security-relevant issue,
> but if shiro blocks these classes, it can help shiro block unknown 
> deserialization vulnerabilities.
> thx
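To make the allow-list versus block-list point concrete, the following is an added example written for this page; it is not Shiro's `ClassResolvingObjectInputStream`, and the `RememberedPrincipal` type, the `AllowListObjectInputStream` class and the `deserialize`/`serialize` helpers are all constructed here for illustration. It overrides `resolveClass`, as the reporter proposes, but instead of rejecting a list of known gadget classes it rejects every class descriptor that is not explicitly permitted. Because `ObjectInputStream` calls `resolveClass` while reading the class descriptor, the rejection happens before any instance of an unexpected class is allocated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Constructed example (not Shiro code): an ObjectInputStream that only
 * resolves classes present on an explicit allow list. Anything else,
 * known gadget or not, fails with InvalidClassException before the
 * object is instantiated.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    private final Set<String> allowedClassNames;

    public AllowListObjectInputStream(InputStream in, Set<String> allowedClassNames)
            throws IOException {
        super(in);
        this.allowedClassNames = allowedClassNames;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Deny by default: the stream may only reference classes we expect.
        if (!allowedClassNames.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allow list");
        }
        return super.resolveClass(desc);
    }

    /** Constructed sample type standing in for the application's own principal object. */
    public static final class RememberedPrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        final String username;

        RememberedPrincipal(String username) {
            this.username = username;
        }
    }

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream ois =
                     new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The only application class this stream is ever expected to carry.
        Set<String> allowed = Set.of(RememberedPrincipal.class.getName());

        // Expected input deserializes normally.
        Object ok = deserialize(serialize(new RememberedPrincipal("alice")), allowed);
        System.out.println("accepted: " + ((RememberedPrincipal) ok).username);

        // Any other class, here a harmless ArrayList, is rejected even though it is
        // not on anyone's block list; no gadget knowledge is required.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        try {
            deserialize(unexpected, allowed);
            System.out.println("unexpected: stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

On JDK 9+ (and 8u121+ via the backport) the same policy can be expressed without subclassing by installing an `ObjectInputFilter`, for example `ObjectInputFilter.Config.createFilter("com.example.RememberedPrincipal;!*")` set on the stream with `setObjectInputFilter`; the pattern's trailing `!*` is what turns it into an allow list rather than a block list. Either way, the list is short and stable because it enumerates what the application produces, not what attackers might send, which is the practical difference Brian's comment draws.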



--
This message was sent by Atlassian Jira
(v8.3.4#803005)