[
https://issues.apache.org/jira/browse/LANG-1734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17848238#comment-17848238
]
Gary D. Gregory edited comment on LANG-1734 at 12/15/25 3:14 PM:
-----------------------------------------------------------------
-I agree we can deprecate.-
I would like to see a follow-up ticket to document deprecation in favor of ...
what. If it's only documentation, that's OK with me. Serialization proxies a la
Effective Java for example.
Adding an allow list might not be worth it, due to bugs in user configurations
and the sense of false security. Needs discussion.
was (Author: garydgregory):
I agree we can deprecate.
I would like to see a follow-up ticket to document deprecation in favor of ...
what. If it's only documentation, that's OK with me. Serialization proxies a la
Effective Java for example.
Adding an allow list might not be worth it, due to bugs in user configurations
and the sense of false security. Needs discussion.
> Deprecate/replace SerializationUtils.deserialize
> ------------------------------------------------
>
> Key: LANG-1734
> URL: https://issues.apache.org/jira/browse/LANG-1734
> Project: Commons Lang
> Issue Type: Task
> Components: lang.*
> Reporter: Arnout Engelen
> Priority: Minor
> Fix For: 3.20.1
>
>
> SerializationUtils.deserialize should never be used with untrusted input: it
> is generally not possible to prove the absence of classes on the classpath
> that can be used as 'gadgets' for deserialization attacks.
> When SerializationUtils.deserialize was introduced, Java serialization was
> still 'in vogue' and the JDK APIs for deserialization were awkward to use.
> Nowadays, other serialization mechanisms (and serialization proxies) are more
> popular, and the Java APIs have gotten much better, so there isn't much
> reason for "SerializationUtils.deserialize" anymore.
> For these reasons, it might be good to deprecate
> SerializationUtils.deserialize, or at least more clearly mark it as not
> suitable to be used with untrusted input. We might also want to replace it
> with variants that encourage allow/denylisting or other security filters, or
> recommend
> [https://docs.oracle.com/en/java/javase/11/core/serialization-filtering1.html]
> for that.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
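The serialization filtering the issue points to, shown as an added example that is not part of the ticket or of Commons Lang: a plain-JDK deserialize helper (Java 9+ `ObjectInputFilter`, JEP 290) with a deny-by-default allow list beside the unfiltered call the ticket warns about. The `Greeting` type, the filter pattern and the sample payloads are constructed for this demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

/** Allow-list deserialization via the JDK ObjectInputFilter (Java 9+). Example code, not Commons Lang. */
public final class FilteredDeserialize {

    // The one type this application actually expects to receive (constructed for the demo).
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Deny-by-default filter: the trailing "!*" rejects every class not listed, and the
    // limits bound object-graph depth and array sizes before anything is instantiated.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;" + Greeting.class.getName() + ";!*");

    /** Unfiltered read: equivalent to the behaviour the ticket says must never see untrusted input. */
    public static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /** Filtered read: classes outside the allow list are rejected with InvalidClassException. */
    public static <T> T deserializeFiltered(byte[] bytes, Class<T> expected)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return expected.cast(in.readObject());
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new Greeting("hello"));
        System.out.println(deserializeFiltered(ok, Greeting.class).text); // hello

        // An ArrayList stands in for "a class the receiver did not expect"; the filter
        // refuses it before any constructor or readObject hook of that class runs.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        try {
            deserializeFiltered(unexpected, Greeting.class);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The filter pattern is checked per class as the stream is read, so a rejection happens before the rejected class is instantiated; a process-wide default can also be set with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property.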