This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit 907725c2c7e163f29def4cd0a4759082b0b392cf Author: Robert Lazarski <[email protected]> AuthorDate: Mon Jun 1 09:59:16 2026 -1000 Widen deserialization scan scope to all transports Explicitly guide the scanner to trace ObjectInputStream.readObject() from all network transports (HTTP, JMS, TCP, etc.), not just HTTP. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> --- AGENTS.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/AGENTS.md b/AGENTS.md index 318272d018..13671d706b 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -66,7 +66,9 @@ Key files: The clustering module was removed due to unvalidated `ObjectInputStream` deserialization on network input. Scan for any remaining paths where `ObjectInputStream.readObject()` processes data reachable from untrusted -input. The known remaining use is `SafeObjectInputStream` (whitelist-based) +input, ensuring all network transports (HTTP, JMS, TCP, etc.) are +considered as sources. The known remaining use is `SafeObjectInputStream` +(whitelist-based) in context externalization — verify the whitelist is complete and not bypassable.
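Review bot: the added clause in the AGENTS.md hunk, "ensuring all network transports (HTTP, JMS, TCP, etc.) are considered as sources", widens the scan scope but leaves it open-ended with "etc.", so a scanner following this guidance still has to guess which transports exist; enumerate the transport modules in this repository that accept network input (or name the directory they live in) so the source set is concrete and checkable. The retained sentence "verify the whitelist is complete and not bypassable" likewise gives no criteria for "bypassable"; consider spelling out what to look for in a resolveClass-style whitelist, such as the check not covering array component types or classes reached through nested readObject/Externalizable calls, or a package-prefix or wildcard entry that admits more than intended, so that the verification step is actionable rather than a judgement call.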
