From a0ea9ed56d99cb9bbe4cc4c38051c30713cfc7fd Mon Sep 17 00:00:00 2001 From: evenliu Date: Fri, 28 Jul 2023 11:53:07 +0800 Subject: [PATCH] update security (#1354) * update security * update security --------- Co-authored-by: liujianjun.ljj --- SECURITY.md | 10 ++++++++++ .../main/resources/sofa-rpc/serialize_blacklist.txt | 1 + 2 files changed, 11 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 137842035..08e44628b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -7,3 +7,13 @@ If you have apprehensions regarding SOFAStack's security or you discover vulnera In the mail, specify the description of the issue or potential threat. You are also urged to recommend the way to reproduce and replicate the issue. The SOFAStack community will get back to you after assessing and analysing the findings. PLEASE PAY ATTENTION to report the security issue on the security email before disclosing it on public domain. + +## Solution + +SOFARPC uses Hessian serialization by default. Hessian is a binary serialization protocol. For more information, please refer to Hessian's [documentation](https://github.com/sofastack/sofa-hessian). + +Because of the implement of Hessian, by constructing a specific serialization stream, it may cause arbitrary code execution when doing deserialization. It is recommended that users configure blacklist to solve the problem. + +SOFARPC also provides a way to configure blacklists in `BlackListFileLoader`, you can override the blacklist configuration based on the code. + +The blacklist built into the project comes from internal practices and external contributions, and is for reference only and is not actively updated, we do not assume any legal responsibility for this. \ No newline at end of file diff --git a/codec/codec-sofa-hessian/src/main/resources/sofa-rpc/serialize_blacklist.txt b/codec/codec-sofa-hessian/src/main/resources/sofa-rpc/serialize_blacklist.txt index bbf1c7e1c..754494cd5 100644 
--- a/codec/codec-sofa-hessian/src/main/resources/sofa-rpc/serialize_blacklist.txt +++ b/codec/codec-sofa-hessian/src/main/resources/sofa-rpc/serialize_blacklist.txt @@ -24,6 +24,7 @@ javax.naming.InitialContext javax.naming.spi.ObjectFactory javax.script.ScriptEngineManager javax.sound.sampled.AudioFormat$Encoding +javax.sound.sampled.AudioFileFormat org.apache.carbondata.core.scan.expression.ExpressionResult org.apache.commons.dbcp.datasources.SharedPoolDataSource org.apache.ibatis.executor.loader.AbstractSerialStateHolder
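Review bot: in the SECURITY.md hunk the new "Solution" section tells users a blacklist is the fix ("It is recommended that users configure blacklist to solve the problem") while its last paragraph says the bundled list "is for reference only and is not actively updated", which leaves the reader without guidance on keeping the list current; suggest stating explicitly that operators are expected to extend the list themselves (via the `BlackListFileLoader` override mentioned two paragraphs earlier) and tightening the wording: "Because of the implement of Hessian" should read "Because of Hessian's implementation", "configure blacklist" should read "configure a blacklist", and the file should end with a newline (the diff reports `\ No newline at end of file`).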
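Review bot: in the serialize_blacklist.txt hunk the new entry `javax.sound.sampled.AudioFileFormat` is inserted after `javax.sound.sampled.AudioFormat$Encoding`, but the surrounding entries (`javax.naming.*`, `javax.script.*`, `javax.sound.sampled.*`, `org.apache.*`) are kept in alphabetical order and `AudioFileFormat` sorts before `AudioFormat$Encoding`, so it should move up one line. The neighbouring `AudioFormat$Encoding` entry also suggests the list is matched by exact class name; if that is how the loader works, please confirm whether `AudioFileFormat`'s own nested types (such as `AudioFileFormat$Type`) need their own entries. The stat line shows only two files changed, so nothing exercises the new entry; a test that deserializes a stream naming this class and asserts it is rejected would make the change verifiable.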