ensured deserialization is secure

This commit is contained in:
Jeremy Long
2016-03-04 17:38:48 -05:00
parent f752285912
commit 7860d635a9
4 changed files with 215 additions and 2 deletions


@@ -49,6 +49,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Identifier;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.reporting.ReportGenerator;
import org.owasp.dependencycheck.utils.ExpectedOjectInputStream;
import org.owasp.dependencycheck.utils.Settings;
import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
@@ -1035,9 +1036,26 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
List<Dependency> ret = null;
final String path = (String) oPath;
ObjectInputStream ois = null;
//ObjectInputStream ois = null;
ExpectedOjectInputStream ois = null;
try {
ois = new ObjectInputStream(new FileInputStream(path));
//ois = new ObjectInputStream(new FileInputStream(path));
ois = new ExpectedOjectInputStream(new FileInputStream(path),
"java.util.ArrayList",
"java.util.HashSet",
"java.util.TreeSet",
"java.lang.AbstractSet",
"java.lang.AbstractCollection",
"java.lang.Enum",
"org.owasp.dependencycheck.dependency.Confidence",
"org.owasp.dependencycheck.dependency.Dependency",
"org.owasp.dependencycheck.dependency.Evidence",
"org.owasp.dependencycheck.dependency.EvidenceCollection",
"org.owasp.dependencycheck.dependency.Identifier",
"org.owasp.dependencycheck.dependency.Reference",
"org.owasp.dependencycheck.dependency.Vulnerability",
"org.owasp.dependencycheck.dependency.VulnerabilityComparator",
"org.owasp.dependencycheck.dependency.VulnerableSoftware");
ret = (List<Dependency>) ois.readObject();
} catch (FileNotFoundException ex) {
//TODO fix logging