8 lines
577 B
Plaintext
8 lines
577 B
Plaintext
During the deserialization process, the state of an object will be reconstructed from the serialized data stream which can contain dangerous operations.
|
|
|
|
|
|
To restrict the types allowed to be deserialized:
|
|
|
|
* by implementing an "allow-list" of types, but keep in mind that novel dangerous types are regularly discovered and this protection could be insufficient over time.
|
|
* or/and implementing a tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC). This way only objects serialized with the correct MAC hash will be deserialized.
|