????Java???????????????????????????????????????????????????????????????- ala Heartbleed??Shellshock????POODLE——?????????????????????????????????????????м????????????????????ó?????????ζ??????????????????????????????????????????????в????????
????Contrast Security???????????????????????????????ó?????????????????????????????????????Contrast??IAST?????????e??????????????????????е?????Contrast????????RASP??????????????????????????????±?????????????????????????????????????????е???ó???????ó???????????????Contrast??????????÷???????????Java???????????
????????????????Java???л???????????????????????л???????????????????????????????洢???????????????????л????????????????????????????????л??????????????????——????????2010??????????????????????http://www.ibm.com/developerworks/library/se-lookahead??????????????Java???????????????——?????????????????????????????????
??????Щ???????????????????????????????????й???——?????????н??????л????????ó??????????
??????Java?У?????????л????ж?????BitSet???????
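// UNSAFE pattern: readObject() resolves and instantiates whatever class names the
// stream carries, so the (untrusted) input decides which classes get loaded and run.
// The allow-listed variant is safeReadObject() below.
ObjectInputStream in = new ObjectInputStream( inputStream );
return (Data)in.readObject();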
????????????????????????????????л??????????????????????????л??????????????????????????ó??????????readobject()??????????????Щ???棬???????XXE?????????????????????????XML????????????????????????????£???м???????????????????
??????????????????????????л??????????????????????????????????????????
????List<Class<?>> safeClasses = Arrays.asList( BitSet.class?? ArrayList.class );
??????????????????????????????????????л??????б?????Щδ?????????????????????????SecurityException??????????????????????????????????鰱??????????????????ObjectInputStream?????????
????????????????????????????readObjec
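/**
 * Deserializes a single object from {@code in}, allowing only an explicit set of classes.
 *
 * <p>Every class descriptor the stream names passes through
 * {@link ObjectInputStream#resolveClass(ObjectStreamClass)}, so the check runs before any
 * object of that class is created; a class outside the allow-list aborts the read with a
 * {@link SecurityException}. A class is accepted when it is an array, a primitive,
 * {@code type} itself, {@link String}, a subclass of {@link Number}, or listed in
 * {@code safeClasses}. Dynamic proxy classes are rejected outright, before their interfaces
 * are loaded.
 *
 * <p>Caveats: {@code Number.class.isAssignableFrom} admits every {@code Number} subclass, not
 * only the boxed wrappers, so tighten that rule if it is too broad for your stream. The JDK
 * resolves superclass descriptors through the same hook, so a serializable superclass of
 * {@code type} must itself be allow-listed. Arrays are admitted regardless of component type;
 * the element objects are checked as each one is read. On Java 9+ the built-in
 * {@code java.io.ObjectInputFilter} provides the same gate plus depth and array-length limits.
 *
 * <p>The wrapping {@code ObjectInputStream} is deliberately not closed here, because closing
 * it would close {@code in}, which the caller owns.
 *
 * @param type        the expected top-level class; the result is cast to {@code T} unchecked
 * @param safeClasses additional classes that may appear in the stream; may be {@code null}
 * @param in          the stream to read one object from
 * @param <T>         the type the caller expects back
 * @return the deserialized object
 * @throws IOException            if the stream is malformed or cannot be read
 * @throws ClassNotFoundException if a named class cannot be loaded at all
 * @throws SecurityException      if the stream names a class outside the allow-list
 */
@SuppressWarnings("unchecked")
public static <T> T safeReadObject(Class<?> type, List<Class<?>> safeClasses, InputStream in) throws IOException, ClassNotFoundException {
    ObjectInputStream ois = new ObjectInputStream(in) {
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // The JDK's default resolveClass loads the class without initializing it; we still
            // refuse to hand it back unless it is on the allow-list.
            Class<?> clazz = super.resolveClass(desc);
            if (isAllowed(clazz)) {
                return clazz;
            }
            throw new SecurityException("Attempt to deserialize unauthorized " + clazz);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Proxy classes are never on the allow-list; reject them before any interface is resolved.
            throw new SecurityException("Attempt to deserialize unauthorized proxy class for "
                    + java.util.Arrays.toString(interfaces));
        }

        // Allow-list decision, kept in one place so the rules read top to bottom.
        private boolean isAllowed(Class<?> clazz) {
            return clazz.isArray()
                    || clazz.isPrimitive()
                    || clazz.equals(type)
                    || clazz.equals(String.class)
                    || Number.class.isAssignableFrom(clazz)
                    || (safeClasses != null && safeClasses.contains(clazz));
        }
    };
    return (T) ois.readObject();
}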
?????????????д??ObjectInPutStream?е?readClass()??????????????????κ?????????л?????????????????????????????????????????????С???????????????????????????????????????–??Щ?????????????????–????????????????????????????ν??“С????”???????ó??????·??????Ч???г????п???????·????
??????????????????????????????????ó??????????????????????????д???????——????????Contrast?????????????????????????????????????????????????????л????????ε???????????????