kantega / notsoserial

Java Agent which mitigates deserialisation attacks by making certain classes unserializable
Apache License 2.0

If there is a whitelist, and the class is not whitelisted, could it check to see if it is serializable before it instruments it? #5

Closed cgoudie closed 9 years ago

cgoudie commented 9 years ago

https://github.com/kantega/notsoserial/blob/master/src/main/java/org/kantega/notsoserial/NotSoSerialClassFileTransformer.java#L175-L177

This looks like any class not in a whitelist will end up being instrumented. I worry about the overhead ramifications. Would it be possible to check to see if the class is Serializable as part of the shouldInstrument check?

cgoudie commented 9 years ago

I see that the additional check happens in https://github.com/kantega/notsoserial/blob/master/src/main/java/org/kantega/notsoserial/ReadObjectClassVisitor.java#L87 to prevent it from running, but by this point, hasn't code already been injected?

eboregelna commented 9 years ago

I don't think any code has been injected per se, but the bytecode coming out might not be exactly what went in. Especially if a system ends up with an old ASM and a new Java impl, or if there is just a bug in ASM.

cgoudie commented 9 years ago

I have to admit, I'm not very familiar with ClassFileTransformer. Is there enough information at this stage to determine if the class is Serializable so as to not instrument?
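One way to answer that question, as an added example that is not the project's code: a transformer that inspects the raw class bytes with ASM's ClassReader inside transform, before any rewriting happens, and returns null (leave bytes untouched) for classes that are not Serializable. The class name SerializableOnlyTransformer and the helper readClass are hypothetical. Superclasses and superinterfaces are looked up as .class resources through the class loader rather than being loaded, so the check cannot trigger class loading from inside the transformer; anything it cannot resolve is treated as serializable so that such classes are still instrumented.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import org.objectweb.asm.ClassReader;

/** Hypothetical agent transformer that only instruments Serializable classes. */
public class SerializableOnlyTransformer implements ClassFileTransformer {

    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
                            ProtectionDomain pd, byte[] classfileBuffer) {
        // Decide from the bytes alone; nothing has been rewritten at this point.
        if (!isSerializable(loader, new ClassReader(classfileBuffer))) {
            return null; // null = keep the original class bytes exactly as they are
        }
        // Here the real agent would rewrite readObject; omitted in this example.
        return null;
    }

    /** True if the class, a superclass, or a (super)interface is java.io.Serializable. */
    static boolean isSerializable(ClassLoader loader, ClassReader reader) {
        for (String itf : reader.getInterfaces()) {
            if ("java/io/Serializable".equals(itf)) return true;
            ClassReader itfReader = readClass(loader, itf);
            // Unresolvable interface: assume serializable so the class still gets instrumented.
            if (itfReader == null || isSerializable(loader, itfReader)) return true;
        }
        String superName = reader.getSuperName();
        if (superName == null || "java/lang/Object".equals(superName)) return false;
        ClassReader superReader = readClass(loader, superName);
        return superReader == null || isSerializable(loader, superReader);
    }

    /** Reads a class file as a resource; never calls loadClass, so no class loading is triggered. */
    private static ClassReader readClass(ClassLoader loader, String internalName) {
        ClassLoader cl = loader != null ? loader : ClassLoader.getSystemClassLoader();
        try (InputStream in = cl.getResourceAsStream(internalName + ".class")) {
            return in == null ? null : new ClassReader(in);
        } catch (IOException e) {
            return null;
        }
    }

    public static void premain(String args, Instrumentation inst) {
        inst.addTransformer(new SerializableOnlyTransformer());
    }
}
```

Classes defined at runtime without a backing .class resource (generated proxies, for instance) fall into the unresolvable path and are instrumented, which is the conservative outcome for a deserialisation guard.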