Robert Lazarski created AXIS2-6107:
--------------------------------------
Summary: Remove vestigial context externalization code (SafeObjectInputStream and readExternal)
Key: AXIS2-6107
URL: https://issues.apache.org/jira/browse/AXIS2-6107
Project: Axis2
Issue Type: Task
Reporter: Robert Lazarski
Assignee: Robert Lazarski
Fix For: 2.0.2
The SafeObjectInputStream, SafeObjectOutputStream, and the readExternal()/writeExternal() implementations across 13+ kernel classes were built for the clustering feature, which was removed in AXIS2-6097.

With clustering gone, no production code path feeds untrusted data into these readExternal() methods. The externalization code is dead weight that:
- Increases attack surface (Java deserialization, even whitelisted, is a liability)
- Adds maintenance burden across core classes (MessageContext, OperationContext, ServiceContext, ServiceGroupContext, SessionContext, Options, EndpointReference, RelatesTo, Parameter, ParameterIncludeImpl, MetaDataEntry)
- Complicates security audits (the Glasswing scan will flag it)
Affected files (non-exhaustive):
- SafeObjectInputStream.java, SafeObjectOutputStream.java — delete entirely
- ObjectStateUtils.java — delete or gut
- MessageContext.java, OperationContext.java, ServiceContext.java, ServiceGroupContext.java, SessionContext.java — remove readExternal()/writeExternal() and Externalizable interface
- Options.java, EndpointReference.java, RelatesTo.java — same
- Parameter.java, ParameterIncludeImpl.java, MetaDataEntry.java — same
- ObjectSave2Test.java — remove or update

This is similar in scope to AXIS2-6097 (clustering removal) — a large but mechanical change across many files.
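Added illustration (not Axis2 code, and not part of the ticket): a hypothetical context class in the "before" shape the ticket describes (Externalizable with readExternal()/writeExternal(), read back through an allow-listing ObjectInputStream in the style of a SafeObjectInputStream), the same class in the "after" shape with the interface and both methods removed, and a small reflection check that can be run over the kernel classes listed above to confirm none of them is still serializable. Class names, field names and the allow-list contents are made up for the example.

```java
import java.io.*;
import java.util.Set;

/**
 * Constructed example for AXIS2-6107: what the vestigial externalization
 * pattern looks like, what is left after it is removed, and why removal
 * eliminates the deserialization surface instead of merely guarding it.
 */
public class ExternalizationRemovalDemo {

    /** Hypothetical stand-in for a kernel context class BEFORE the change. */
    public static class LegacyContext implements Externalizable {
        private String serviceName;

        public LegacyContext() { }                    // public no-arg ctor required by Externalizable
        public LegacyContext(String name) { serviceName = name; }
        public String getServiceName() { return serviceName; }

        @Override
        public void writeExternal(ObjectOutput out) throws IOException {
            out.writeObject(serviceName);
        }

        @Override
        public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
            // Whatever bytes arrive here decide what gets built; this is the surface the ticket removes.
            serviceName = (String) in.readObject();
        }
    }

    /** Hypothetical allow-listing stream in the style of a SafeObjectInputStream. */
    public static class AllowListObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of(
                "java.lang.String", LegacyContext.class.getName());   // constructed allow list

        public AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Reject any class descriptor that is not explicitly allowed before it is loaded.
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException("class not on allow list: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    /** The same class AFTER the change: no Externalizable, no readExternal()/writeExternal(). */
    public static class StrippedContext {
        private final String serviceName;
        public StrippedContext(String name) { serviceName = name; }
        public String getServiceName() { return serviceName; }
    }

    /** Audit helper: true if a class can still enter Java serialization at all. */
    public static boolean isStillSerializable(Class<?> c) {
        // Externalizable extends Serializable, so one check covers both forms.
        return Serializable.class.isAssignableFrom(c);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Before: the object round-trips, and the allow list in resolveClass() is the
        // only thing between the byte stream and arbitrary class resolution.
        byte[] bytes = serialize(new LegacyContext("echo"));
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            LegacyContext back = (LegacyContext) in.readObject();
            System.out.println("legacy round-trip: " + back.getServiceName());
        }

        // After: there is no stream to guard, because the class is not serializable at all.
        try {
            serialize(new StrippedContext("echo"));
        } catch (NotSerializableException e) {
            System.out.println("stripped class rejected by ObjectOutputStream: " + e.getMessage());
        }

        // Post-change audit over the classes being stripped (names here are the example's own).
        for (Class<?> c : new Class<?>[] { LegacyContext.class, StrippedContext.class }) {
            System.out.println(c.getSimpleName() + " still serializable: " + isStillSerializable(c));
        }
    }
}
```

The audit loop is where the real kernel classes (MessageContext, OperationContext, ServiceContext, and the rest of the list above) would be substituted once the change lands; a class that still reports true has kept Externalizable or Serializable somewhere in its hierarchy and the removal is not complete for it.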
--
This message was sent by Atlassian Jira (v8.20.10#820010)