ikkisoft / SerialKiller

Look-Ahead Java Deserialization Library

Include Blacklist in Library #15

Open ettisan opened 6 years ago

ettisan commented 6 years ago

Though the blacklist is in the Git repo it is not included in the release JARs. Right now, a project that wants to include SerialKiller has to:

This is problematic since when the blacklist in the git repo is changed to include more vulnerable classes they are most likely not transferred to the config file.

I think it would therefore be better to include the blacklist into the JARs. By default the blacklist should be applied to all SerialKiller instances. This way, when the blacklist changes only the Jar has to be updated - the custom configuration file does not have to be modified.

I'm willing to implement this. Please give me a heads up as to whether you would want to accept such a pull request.

ikkisoft commented 6 years ago

Including the config in the jar is definitely a good suggestion to make sure that people relying on blacklisting use the latest version. Having said that, I didn't include the config because I would like to incentivize the use of whitelisting instead.

I think it would make sense to have a default secure config included, and allow easy customization. I would be happy to accept and merge a PR. Still need to clean some stuff on master - I plan to use the Christmas break for that.
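The layout discussed in this thread (a blacklist shipped inside the JAR that every instance applies, with a caller-supplied whitelist as the preferred, stricter control on top) as an added Java sketch; this is not SerialKiller's own code, and the resource path `/default-blacklist.txt` and its one-regex-per-line format are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Look-ahead ObjectInputStream: the blacklist bundled in the JAR is always applied,
 *  and an optional whitelist (the stronger control) restricts classes further. */
public class BundledBlacklistObjectInputStream extends ObjectInputStream {
    // Hypothetical resource packed into the library JAR; updating the JAR updates the list.
    private static final String DEFAULT_BLACKLIST = "/default-blacklist.txt";
    private static final List<Pattern> DEFAULT_PATTERNS = loadResource(DEFAULT_BLACKLIST);

    private final List<Pattern> whitelist = new ArrayList<>();

    public BundledBlacklistObjectInputStream(InputStream in, List<String> whitelistRegex) throws IOException {
        super(in);
        for (String r : whitelistRegex) whitelist.add(Pattern.compile(r));
    }

    // One regex per line; blank lines and '#' comments are ignored (assumed format).
    private static List<Pattern> loadResource(String path) {
        List<Pattern> patterns = new ArrayList<>();
        try (InputStream in = BundledBlacklistObjectInputStream.class.getResourceAsStream(path)) {
            if (in == null) throw new IllegalStateException("bundled blacklist missing: " + path);
            String text = new String(in.readAllBytes(), StandardCharsets.UTF_8);
            for (String line : text.split("\\R")) {
                line = line.trim();
                if (!line.isEmpty() && !line.startsWith("#")) patterns.add(Pattern.compile(line));
            }
        } catch (IOException e) {
            throw new IllegalStateException("cannot read bundled blacklist", e);
        }
        return patterns;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // The bundled blacklist cannot be switched off by a custom configuration.
        for (Pattern p : DEFAULT_PATTERNS)
            if (p.matcher(name).matches()) throw new InvalidClassException(name, "blacklisted by bundled default list");
        // With a whitelist present, everything not explicitly allowed is rejected.
        if (!whitelist.isEmpty() && whitelist.stream().noneMatch(p -> p.matcher(name).matches()))
            throw new InvalidClassException(name, "not in whitelist");
        return super.resolveClass(desc); // class is only resolved after both checks pass
    }
}
```

Array descriptors such as `[Ljava.lang.String;` also pass through `resolveClass`, so whitelist patterns must account for them.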