- java.lang.Object
  - io.github.pixee.security.UnwantedTypes

public final class UnwantedTypes extends java.lang.Object

This type is only intended to hold a list of types that we don't want to deserialize because they pose a security risk.

Method Summary (all methods are static and concrete)

- static java.util.List<java.lang.String> dangerousClassNameTokens()
  Return a List of class names and parts of class names that represent unwanted types.
- static boolean isUnwanted(java.lang.String className)
  Return true if the given class name is a known unwanted type.

Method Detail

dangerousClassNameTokens

public static java.util.List<java.lang.String> dangerousClassNameTokens()

Return a List of class names and parts of class names that represent unwanted types. These types are generally undesirable to deserialize or introspect/execute from unknown sources. This list represents publicly known types, but future research could uncover new types that are dangerous.

To use this list effectively, check whether any of these tokens occur in the type name you are considering interacting with; do not look the full name up in the list. For example, this code is wrong and dangerous:

    String className = userRequest.getType();
    if (UnwantedTypes.dangerousClassNameTokens().contains(className)) { // wrong! exact-match lookup misses tokens that only appear inside the name
      doSomethingWith(className);
    }

While this code is right:

    String className = userRequest.getType();
    if (UnwantedTypes.dangerousClassNameTokens().stream().noneMatch(token -> className.contains(token))) { // right
      doSomethingWith(className);
    }

If you just want to check if a class name is potentially unsafe, use isUnwanted(String) instead.

- Returns:
  a List of dangerous types to avoid deserializing

isUnwanted

public static boolean isUnwanted(java.lang.String className)

Return true if the given class name is a known unwanted type. Note that this will return true even for classes that have been shaded into another package, because the check looks for the dangerous tokens inside the name rather than for an exact match.

- Parameters:
  className - a fully qualified class name to check
- Returns:
  true if the given class name is a known unwanted type, false otherwise

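The following is an added example that is not part of this Javadoc or of the library itself. It shows both methods above in use: the token-based check spelled out with dangerousClassNameTokens(), and isUnwanted(String) wired into a JDK java.io.ObjectInputFilter (Java 9 or later) so that every class an ObjectInputStream tries to resolve is screened before it is instantiated. It assumes io.github.pixee.security.UnwantedTypes is on the classpath; the Greeting payload class, the filter and the helper method names are constructed for this example.

```java
import io.github.pixee.security.UnwantedTypes;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.List;

public final class UnwantedTypesFilterExample {

    // Harmless application payload, constructed for this example.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // The token-based check spelled out, for code paths that only hold a class name string.
    // Same idea as UnwantedTypes.isUnwanted(className): a token anywhere in the name is a hit.
    public static boolean nameLooksSafe(String className) {
        List<String> tokens = UnwantedTypes.dangerousClassNameTokens();
        return tokens.stream().noneMatch(className::contains);
    }

    // JDK ObjectInputFilter that asks UnwantedTypes about every class the stream resolves.
    public static ObjectInputFilter unwantedTypesFilter() {
        return info -> {
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                // Not a class check (depth, reference or array-length limits): leave it to other filters.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return UnwantedTypes.isUnwanted(clazz.getName())
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.UNDECIDED;
        };
    }

    public static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // Deserialize with the filter installed; a rejected class makes readObject throw
    // java.io.InvalidClassException before any constructor or readObject hook of that class runs.
    public static Object deserializeGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(unwantedTypesFilter());
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) deserializeGuarded(serialize(new Greeting("hello")));
        System.out.println("Allowed: " + ok.text
                + " (isUnwanted=" + UnwantedTypes.isUnwanted(Greeting.class.getName()) + ")");

        // Every token is contained in itself, so a class name equal to a token is flagged, and a
        // shaded copy (same token behind a different package prefix) is flagged for the same reason.
        List<String> tokens = UnwantedTypes.dangerousClassNameTokens();
        System.out.println(tokens.size() + " tokens loaded");
        if (!tokens.isEmpty()) {
            String token = tokens.get(0);
            System.out.println(token + " -> isUnwanted=" + UnwantedTypes.isUnwanted(token)
                    + ", nameLooksSafe=" + nameLooksSafe(token));
            String shaded = "shaded." + token;   // constructed shaded-style name
            System.out.println(shaded + " -> isUnwanted=" + UnwantedTypes.isUnwanted(shaded));
        }
    }
}
```

The filter returns UNDECIDED rather than ALLOWED for names that are not on the list, so it composes with a stricter allow-list filter (for example one set globally through ObjectInputFilter.Config) instead of overriding it; the token list is a deny-list of publicly known gadget types, not a proof that everything else is safe.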