
Change DefaultExecutionContextSerializer to produce Base64 #4122

Closed
fmbenhassine opened this issue Jun 7, 2022 · 0 comments

Comments

@fmbenhassine (Contributor) commented Jun 7, 2022

The DefaultExecutionContextSerializer uses DefaultSerializer and DefaultDeserializer from Spring Framework which are both based on Java's built-in object serialization/deserialization mechanisms. Java's object serialization is known to be vulnerable and its usage in SF will be deprecated in v6. Here is an excerpt from SerializationUtils javadocs:

This utility will be deprecated in Spring Framework 6.0 since it uses Java Object Serialization, which allows
arbitrary code to be run and is known for being the source of many Remote Code Execution (RCE) vulnerabilities.
Prefer the use of an external tool (that serializes to JSON, XML, or any other format) which is regularly
checked and updated for not allowing RCE.

The default serializer should be updated to produce/consume Base64 content.


Related resources:
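The following is an added example, not Spring Batch's own code and not the change that closed this issue. It shows what "produce/consume Base64 content" looks like for an execution-context map built on plain Java serialization, and it adds the check a practitioner would want alongside it: Base64 is an encoding, not a security control, so the read side also installs an `ObjectInputFilter` (Java 9+) allow-list so that a stored context can only resolve to a fixed set of JDK value types. The class name, the allow-list contents and the sample context entries are assumptions chosen for illustration; the final `main` deliberately stores a value type that is not on the list to show the deserializer rejecting it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example (not Spring Batch code): Base64-wrapped Java serialization of an
// execution-context map, with a deserialization allow-list on the read side.
public final class Base64ContextSerializer {

    // Allow-list filter: only the JDK value types an execution context is expected
    // to hold; "!*" rejects every other class. Assumption: this list is illustrative.
    // "java.lang.*" covers String, Integer, Long, Double, Boolean and their
    // Serializable superclass Number, whose descriptors are also filter-checked.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.lang.*;java.util.HashMap;java.util.Date;maxdepth=5;maxrefs=1000;!*");

    // Serialize the map with java.io and return it as a Base64 string, so the
    // stored form is printable text rather than a raw byte stream.
    public static String serialize(Map<String, Object> context) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new HashMap<>(context));
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray());
    }

    // Decode the Base64 text and deserialize it. The filter is set before any
    // readObject call, so no class outside the allow-list is ever resolved.
    @SuppressWarnings("unchecked")
    public static Map<String, Object> deserialize(String base64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return (Map<String, Object>) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample context: the kind of entries a step might store.
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("read.count", 42);
        ctx.put("last.key", "order-2022-06-07");
        String encoded = serialize(ctx);
        System.out.println("stored form: " + encoded);
        System.out.println("round trip:  " + deserialize(encoded));

        // A value whose class (java.util.ArrayList) is not on the allow-list.
        // The filter rejects its class descriptor with InvalidClassException
        // before any of the list's readObject logic runs.
        Map<String, Object> rejected = new HashMap<>();
        rejected.put("ids", new ArrayList<>(List.of("a", "b")));
        try {
            deserialize(serialize(rejected));
            System.out.println("unexpected: ArrayList was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

The filter is the part that addresses the RCE concern quoted in the issue: an attacker who can write to the job repository still controls the bytes, but `ObjectInputStream` will not load a gadget class that the allow-list does not name. Replacing Java serialization with a JSON serializer, as the SerializationUtils javadoc recommends, removes the class-resolution step altogether and is the stronger option where the stored values permit it.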

@fmbenhassine fmbenhassine added this to the 5.0.0-M4 milestone Jun 7, 2022
@fmbenhassine fmbenhassine modified the milestones: 5.0.0-M4, 5.0.0-M5 Jul 20, 2022
@fmbenhassine fmbenhassine modified the milestones: 5.0.0-M5, 5.0.0-M6 Aug 24, 2022
@fmbenhassine fmbenhassine modified the milestones: 5.0.0-M6, 5.0.0-M7 Sep 21, 2022
@fmbenhassine fmbenhassine modified the milestones: 5.0.0-M7, 5.0.0-M8 Oct 4, 2022
@fmbenhassine fmbenhassine changed the title Deprecate DefaultExecutionContextSerializer Change DefaultExecutionContextSerializer to produce Base64 Oct 10, 2022