
Unsafe JSON Deserialization

Open QiAnXinCodeSafe opened this issue 5 years ago • 0 comments

https://github.com/yahoo/fili/blob/97e9e9b5bcd48a2646e28b0eeb9e543a603c1ead/fili-core/src/main/java/com/yahoo/bard/webservice/web/endpoints/DimensionCacheLoaderServlet.java#L95

https://github.com/yahoo/fili/blob/97e9e9b5bcd48a2646e28b0eeb9e543a603c1ead/fili-core/src/main/java/com/yahoo/bard/webservice/web/endpoints/DimensionCacheLoaderServlet.java#L108

JSON serialization libraries which turn object graphs into JSON-formatted data may include the necessary metadata to reconstruct the objects back from the JSON stream. If attackers can specify the classes of the objects to be reconstructed and are able to force the application to run arbitrary setters with user-controlled data, they may be able to execute arbitrary code during the deserialization of the JSON stream.

QiAnXinCodeSafe, Mar 05 '20 03:03
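As an added illustration of the pattern the report describes (this is not fili's code and makes no claim about what the linked servlet lines actually do), the Jackson snippet below places a mapper that lets the JSON stream name the classes to build next to one whose target type is fixed by the code. The `DimensionRowParser` class name, the `List<Map<String,String>>` row shape and the sample bodies are assumptions for the example.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

/** Hypothetical helper contrasting a type-trusting mapper with a fixed-schema one. */
public final class DimensionRowParser {

    // WEAK: default typing with a permissive validator lets the JSON stream carry
    // type ids, so whoever controls the request body chooses which classes get
    // constructed and which setters run during deserialization.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED: no default typing, and the target type is fixed here rather than
    // read from the stream. Rows are assumed to be plain string-to-string maps.
    private static final ObjectMapper SAFE = JsonMapper.builder().build();
    private static final TypeReference<List<Map<String, String>>> ROWS =
            new TypeReference<List<Map<String, String>>>() {};

    static List<Map<String, String>> parseRows(String body) throws IOException {
        return SAFE.readValue(body, ROWS);
    }

    // Guard worth keeping in a unit test: the mapper fed untrusted input must
    // never have a default typer configured.
    static boolean usesDefaultTyping(ObjectMapper mapper) {
        return mapper.getDeserializationConfig().getDefaultTyper(null) != null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body in the assumed row format.
        String body = "[{\"id\":\"1\",\"desc\":\"shoes\"},{\"id\":\"2\",\"desc\":\"hats\"}]";
        List<Map<String, String>> rows = parseRows(body);
        System.out.println(rows.size() + " rows, first id=" + rows.get(0).get("id"));

        // A value that is not a string does not fit List<Map<String,String>>, so the
        // fixed-schema mapper rejects it instead of interpreting it as a type id.
        String malformed = "[{\"id\":[\"placeholder.Class\",{}]}]";
        try {
            parseRows(malformed);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
        System.out.println("weak mapper default typing: " + usesDefaultTyping(weakMapper()));
        System.out.println("safe mapper default typing: " + usesDefaultTyping(SAFE));
    }
}
```

Requires jackson-databind 2.10 or later for `activateDefaultTyping`; the malformed body is rejected with a `MismatchedInputException`.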