avro icon indicating copy to clipboard operation
avro copied to clipboard
verified publisher icon apache

[java] Refactor java class deserialization checks

Open micrictor opened this issue 5 months ago • 1 comments

What is the purpose of the change

This PR refactors the Java class deserialization checks into a separate class and applies the security checks on all deserialization paths.

Verifying this change

This change added tests and can be verified as follows:

  • Added unit tests to validate that permitted classes are allowed to deserialized, and that unpermitted classes are not
  • Tests validate both SERIALIZABLE_PACKAGES and SERIALIZABLE_CLASSES

Documentation

No new features.

micrictor avatar Aug 14 '25 14:08 micrictor

This might be obsolete now with https://github.com/apache/avro/pull/3525

martin-g avatar Oct 23 '25 10:10 martin-g