Arnout Engelen created LANG-1734:
------------------------------------
Summary: Deprecate/replace SerializationUtils.deserialize
Key: LANG-1734
URL: https://issues.apache.org/jira/browse/LANG-1734
Project: Commons Lang
Issue Type: Task
Components: lang.*
Reporter: Arnout Engelen
SerializationUtils.deserialize should never be used with untrusted input: it is
generally not possible to prove the absence of classes on the classpath that
can be used as 'gadgets' for deserialization attacks.
When SerializationUtils.deserialize was introduced, Java serialization was
still 'in vogue' and the JDK APIs for deserialization were awkward to use.
Nowadays, other serialization mechanisms (and serialization proxies) are more
popular, and the Java APIs have gotten much better, so there isn't much reason
for "SerializationUtils.deserialize" anymore.
For these reasons, it might be good to deprecate
SerializationUtils.deserialize, or at least more clearly mark it as not
suitable to be used with untrusted input. We might also want to replace it with
variants that encourage allow/denylisting or other security filters, or
recommend
[https://docs.oracle.com/en/java/javase/11/core/serialization-filtering1.html]
for that.
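As an added illustration (not code from Commons Lang or from the reporter), the following Java class puts an unrestricted `readObject` call, which is the shape of `SerializationUtils.deserialize`, beside a variant that applies the JDK serialization filtering the issue links to (`ObjectInputFilter`, available since Java 9). The class and method names, the sample `Greeting` type and the limits used are constructed for the example; only classes on an explicit allowlist are resolved, and the stream is rejected before any unexpected type is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/** Added example: filtered counterpart to an unrestricted deserialize helper. */
public final class FilteredDeserialization {

    /** Constructed sample payload type for the demonstration. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
        @Override public String toString() { return "Greeting[" + text + "]"; }
    }

    /** Unrestricted: same shape as SerializationUtils.deserialize. Any class on the classpath can be resolved. */
    public static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /** Hardened: allowlist filter (JEP 290). Classes not listed are rejected before instantiation. */
    public static <T> T deserializeAllowlisted(byte[] bytes, Class<T> expected, Set<Class<?>> allowed)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            // Bound nesting depth and reference count to limit resource use from crafted streams
            if (info.depth() > 10 || info.references() > 1_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                return ObjectInputFilter.Status.UNDECIDED; // limit-only callback, no class to judge
            }
            while (clazz.isArray()) {
                clazz = clazz.getComponentType(); // judge arrays by their element type
            }
            if (clazz.isPrimitive() || allowed.contains(clazz)) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return expected.cast(in.readObject());
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<Class<?>> allowed = Set.of(Greeting.class, String.class);

        // Expected type passes the filter
        byte[] ok = serialize(new Greeting("hello"));
        System.out.println(deserializeAllowlisted(ok, Greeting.class, allowed));

        // A stream carrying a type outside the allowlist is refused with InvalidClassException
        byte[] other = serialize(new java.util.Date());
        try {
            deserializeAllowlisted(other, Greeting.class, allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is intentionally the inverse of the unfiltered helper's behaviour: instead of trying to enumerate dangerous classes on the classpath (the "gadgets" the issue says cannot be ruled out), the filter names the handful of types the caller expects and rejects everything else. The same filter can be installed process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which covers deserialization sites the caller does not control.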
--
This message was sent by Atlassian Jira
(v8.20.10#820010)