This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit 4942caf40c067988d58ad3bc6e7edfbfbb44dadf
Author: Robert Lazarski <[email protected]>
AuthorDate: Mon Jun 1 10:25:48 2026 -1000

    Clarify deserialization scan guidance: externalization is vestigial

    The SafeObjectInputStream and readExternal() methods on core context classes
    are vestigial from the removed clustering feature. No remaining untrusted
    input path exists. Guide the scanner to verify this claim rather than audit
    the whitelist itself.

    Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
---
 AGENTS.md | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index 72472ae3a6..7f1442e69f 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -67,13 +67,21 @@ The clustering module was removed due to unvalidated `ObjectInputStream` deserialization on network input. Scan for any remaining paths where `ObjectInputStream.readObject()` processes data reachable from untrusted input, ensuring all network transports (HTTP, JMS, TCP, etc.) are -considered as sources. The known remaining use is `SafeObjectInputStream` -(whitelist-based) -in context externalization — verify the whitelist is complete and not -bypassable. +considered as sources. + +The remaining use of Java serialization is `SafeObjectInputStream` +(whitelist-based) in the context externalization code — `readExternal()` +methods on `MessageContext`, `OperationContext`, `ServiceContext`, +`SessionContext`, `Options`, `EndpointReference`, and related classes. +This externalization code is vestigial from the removed clustering +feature and has no remaining untrusted input path in current +deployments. Verify that no new code path feeds untrusted data into +these `readExternal()` methods. Key files: - `modules/kernel/src/org/apache/axis2/context/externalize/SafeObjectInputStream.java` +- `modules/kernel/src/org/apache/axis2/context/MessageContext.java` (readExternal) +- `modules/kernel/src/org/apache/axis2/util/ObjectStateUtils.java` ### 4. HTTP Transport Entry Points
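Review bot: the replacement paragraph drops the one concrete check the old text had ("verify the whitelist is complete and not bypassable") and substitutes a claim ("vestigial ... has no remaining untrusted input path in current deployments") that nothing in this hunk substantiates; keep the whitelist check. `SafeObjectInputStream` and the `readExternal()` methods on `MessageContext`, `OperationContext`, `ServiceContext`, `SessionContext`, `Options` and `EndpointReference` are still shipped, so they remain callable by any code that holds attacker-controlled bytes, and the allow-list is then the only thing between those bytes and a gadget chain. Suggested wording for the last sentence of the new paragraph: `Verify that no new code path feeds untrusted data into these readExternal() methods, and that the SafeObjectInputStream whitelist is an exact allow-list of concrete classes that rejects everything else.` Separately, "in current deployments" describes how the software is run, which a scan of this repository cannot confirm; state it as something checkable in code, e.g. "no in-tree caller of ObjectStateUtils or readExternal() reads from a transport", and list the callers that were checked. If the externalization code really has been dead since the clustering module was removed, the cleaner fix is to delete it rather than document it as vestigial.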
