
Defend against attempts to bypass JVM serial proxy

Open lukellmann opened this issue 7 months ago • 5 comments

lukellmann, Apr 26 '25 03:04

For 89fd8182e94bdde3453e2015b2e708a8d38bbc8a serialver now outputs this (LocalDate has a different serialVersionUID):

$ serialver -classpath .m2/repository/org/jetbrains/kotlinx/kotlinx-datetime-jvm/0.6.2-SNAPSHOT/kotlinx-datetime-jvm-0.6.2-SNAPSHOT.jar:kotlin-stdlib-2.1.20.jar kotlinx.datetime.LocalDate kotlinx.datetime.LocalDateTime kotlinx.datetime.LocalTime kotlinx.datetime.UtcOffset kotlinx.datetime.DateTimeArithmeticException kotlinx.datetime.IllegalTimeZoneException kotlinx.datetime.DateTimeFormatException kotlinx.datetime.internal.format.parser.ParseException
kotlinx.datetime.LocalDate:    private static final long serialVersionUID = -9141474295923275006L;
kotlinx.datetime.LocalDateTime:    private static final long serialVersionUID = -4261744960416354711L;
kotlinx.datetime.LocalTime:    private static final long serialVersionUID = -352249606036216323L;
kotlinx.datetime.UtcOffset:    private static final long serialVersionUID = -6636773355667981618L;
kotlinx.datetime.DateTimeArithmeticException:    private static final long serialVersionUID = -3207806170214997982L;
kotlinx.datetime.IllegalTimeZoneException:    private static final long serialVersionUID = 1159315966274264801L;
kotlinx.datetime.DateTimeFormatException:    private static final long serialVersionUID = 4231196759387994100L;
kotlinx.datetime.internal.format.parser.ParseException:    private static final long serialVersionUID = 5691186997393344103L;

I won't update it here though. The actual value doesn't matter, non-malicious serialization will not use it since it goes through kotlinx.datetime.Ser. It's just important that it stays stable for MaliciousJvmSerializationTest after this PR is merged, see https://github.com/Kotlin/kotlinx-datetime/pull/522#discussion_r2118502411.

lukellmann, Jun 01 '25 01:06

> The actual value doesn't matter, non-malicious serialization will not use it since it goes through kotlinx.datetime.Ser. It's just important that it stays stable for MaliciousJvmSerializationTest after this PR is merged, see https://github.com/Kotlin/kotlinx-datetime/pull/522#discussion_r2118502411.

I've changed the serialVersionUID to 0L for the classes where the value doesn't matter.

lukellmann, Jun 03 '25 17:06
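The two comments above rest on the serial-proxy pattern: a legitimate stream never contains the value class itself, only the proxy (kotlinx.datetime.Ser), so the value class's serialVersionUID is only ever seen in a hand-crafted stream that names the class directly. The following is an added illustration, not kotlinx-datetime's own code; the class Ymd, the proxy YmdSer and the hand-assembled stream are assumptions made for the example. It shows the defence in readObject, a proxy-bypass stream being rejected by it, and why a stale serialVersionUID makes such a test stop exercising the defence.

```kotlin
import java.io.ByteArrayInputStream
import java.io.ByteArrayOutputStream
import java.io.DataOutputStream
import java.io.InvalidClassException
import java.io.InvalidObjectException
import java.io.ObjectInputStream
import java.io.ObjectOutputStream
import java.io.ObjectStreamConstants
import java.io.Serializable

// Stand-in for a kotlinx.datetime value class (hypothetical name and layout).
class Ymd private constructor(val epochDays: Int) : Serializable {
    companion object {
        // Only a bypass stream ever carries this value: legitimate streams
        // contain YmdSer, never Ymd itself. It still has to stay stable,
        // because a test that hand-crafts a bypass stream hard-codes it.
        private const val serialVersionUID: Long = 0L

        fun fromDays(days: Int): Ymd = Ymd(days)
    }

    // Every legitimate serialization replaces the value with its proxy.
    private fun writeReplace(): Any = YmdSer(epochDays)

    // Only reachable when a stream names Ymd directly, i.e. the proxy was skipped.
    private fun readObject(input: ObjectInputStream) {
        throw InvalidObjectException("Ymd must be deserialized via YmdSer")
    }

    override fun toString(): String = "Ymd(epochDays=$epochDays)"
}

// The serial proxy (hypothetical stand-in for kotlinx.datetime.Ser).
private class YmdSer(private val days: Int) : Serializable {
    private companion object {
        private const val serialVersionUID: Long = 1L
    }

    private fun readResolve(): Any = Ymd.fromDays(days)
}

// Hand-assembles a stream that encodes `className` directly with no fields,
// the way an attacker who skips writeReplace would (Java Object Serialization
// Stream Protocol: header, TC_OBJECT, TC_CLASSDESC, class annotation, super desc).
fun bypassStream(className: String, suid: Long): ByteArray {
    val buf = ByteArrayOutputStream()
    DataOutputStream(buf).use { out ->
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC.toInt())
        out.writeShort(ObjectStreamConstants.STREAM_VERSION.toInt())
        out.writeByte(ObjectStreamConstants.TC_OBJECT.toInt())
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC.toInt())
        out.writeUTF(className)
        out.writeLong(suid)                                          // must match the local class
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE.toInt())
        out.writeShort(0)                                            // zero serializable fields
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA.toInt()) // end of class annotation
        out.writeByte(ObjectStreamConstants.TC_NULL.toInt())         // no superclass descriptor
    }
    return buf.toByteArray()
}

fun deserialize(bytes: ByteArray): Any? =
    ObjectInputStream(ByteArrayInputStream(bytes)).use { it.readObject() }

fun main() {
    // 1. Legitimate round trip: the stream contains YmdSer, readResolve rebuilds Ymd.
    val legit = ByteArrayOutputStream().also { buf ->
        ObjectOutputStream(buf).use { it.writeObject(Ymd.fromDays(20_000)) }
    }.toByteArray()
    println("via proxy: ${deserialize(legit)}")

    val name = Ymd::class.java.name

    // 2. Bypass with the correct serialVersionUID: the JVM instantiates Ymd
    //    without running any constructor, and readObject is the last line of defence.
    try {
        deserialize(bypassStream(name, 0L))
        println("BUG: proxy bypass accepted")
    } catch (e: InvalidObjectException) {
        println("bypass rejected by readObject: ${e.message}")
    }

    // 3. Bypass with a stale serialVersionUID: rejected earlier, during class
    //    descriptor matching, so readObject never runs.
    try {
        deserialize(bypassStream(name, 42L))
    } catch (e: InvalidClassException) {
        println("rejected before readObject ran: ${e.message}")
    }
}
```

Build with `kotlinc Demo.kt -include-runtime -d demo.jar && java -jar demo.jar`. Case 3 is the reason the uid must stay fixed once a test hard-codes it: a mismatch is caught by the class-descriptor check before readObject runs, so the test would pass by rejecting the stream for the wrong reason and would no longer prove that the bypass defence exists.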

I've extracted the changes unrelated to bypassing the proxy into #533.

lukellmann, Jun 03 '25 18:06

This PR shouldn't be merged until YearMonth is included here. I hope I can find some time for this in the next few days.

lukellmann, Jun 20 '25 17:06

Done.

lukellmann, Jun 21 '25 07:06

Thank you!

dkhalanskyjb, Jun 23 '25 11:06