fix: remediate insecure object deserialization in BlobUtils [ACT-2842] #181

Open
ethan ozelius (ethan-ozelius-contentful) wants to merge 2 commits into master from act-2842
Open

fix: remediate insecure object deserialization in BlobUtils [ACT-2842]#181
ethan ozelius (ethan-ozelius-contentful) wants to merge 2 commits into
masterfrom
act-2842

Conversation

@ethan-ozelius-contentful ethan ozelius (ethan-ozelius-contentful) commented Jun 30, 2026


Summary

  • Root cause: BlobUtils.fromBlob used ObjectInputStream.readObject() without restricting which classes could be deserialized, enabling gadget-chain RCE if an attacker could influence blob data (Wiz finding WS-I013-JAVA-00051, HIGH)
  • Fix: Override resolveClass with an allowlist of permitted types (HashMap, LinkedHashMap, ArrayList, and standard primitives) — any unexpected class throws InvalidClassException before instantiation
  • Defense-in-depth: Added validateBlobInput to reject null, empty, oversized (>1MB), and malformed (non-0xACED header) blobs before ObjectInputStream is ever opened
  • Tests: Added BlobUtilsTest covering round-trip happy paths, malicious class rejection, and all four input validation guards

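The two layers the summary describes, as an added illustration that is not the project's code (the PR page shows no diff): a pre-check on the raw bytes, then an ObjectInputStream subclass whose resolveClass refuses any class descriptor outside an allowlist. The class name SafeBlobReader is hypothetical; validateBlobInput and fromBlob borrow the PR's names but their bodies are assumptions. Two details go beyond what the summary lists and are worth knowing: the boxed primitives serialize with a java.lang.Number superclass descriptor, so Number must be allowed or Integer values fail the round trip, and resolveProxyClass must be overridden as well, because dynamic-proxy descriptors bypass resolveClass.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.ObjectStreamConstants;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Set;

// Hypothetical stand-in for the PR's BlobUtils; names and bodies are assumptions, not the project's code.
public final class SafeBlobReader {

    static final int MAX_BLOB_BYTES = 1024 * 1024; // 1 MB cap, matching the PR summary

    // Allowlist: the container types the PR names, plus String, the boxed primitives, and
    // java.lang.Number (the Serializable superclass written into the stream for each boxed value).
    static final Set<String> ALLOWED = Set.of(
        HashMap.class.getName(), LinkedHashMap.class.getName(), ArrayList.class.getName(),
        String.class.getName(), Number.class.getName(), Integer.class.getName(),
        Long.class.getName(), Double.class.getName(), Float.class.getName(),
        Short.class.getName(), Byte.class.getName(), Character.class.getName(),
        Boolean.class.getName());

    // Defense-in-depth guard: runs before any ObjectInputStream is constructed.
    static void validateBlobInput(byte[] blob) {
        if (blob == null) throw new IllegalArgumentException("blob is null");
        if (blob.length == 0) throw new IllegalArgumentException("blob is empty");
        if (blob.length > MAX_BLOB_BYTES)
            throw new IllegalArgumentException("blob exceeds " + MAX_BLOB_BYTES + " bytes");
        if (blob.length < 4) throw new IllegalArgumentException("blob shorter than stream header");
        int magic = ((blob[0] & 0xFF) << 8) | (blob[1] & 0xFF);
        int version = ((blob[2] & 0xFF) << 8) | (blob[3] & 0xFF);
        // STREAM_MAGIC is a short (0xACED); mask it so the comparison is unsigned.
        if (magic != (ObjectStreamConstants.STREAM_MAGIC & 0xFFFF)
                || version != (ObjectStreamConstants.STREAM_VERSION & 0xFFFF))
            throw new IllegalArgumentException("not a Java serialization stream (expected 0xACED0005 header)");
    }

    // Look-ahead stream: the class is rejected from its descriptor, before any instance exists.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName()))
                throw new InvalidClassException(desc.getName(), "class not on the deserialization allowlist");
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Proxy descriptors never reach resolveClass, so they need their own refusal.
            throw new InvalidClassException("dynamic proxy", "proxy classes are never permitted");
        }
    }

    public static Object fromBlob(byte[] blob) throws IOException, ClassNotFoundException {
        validateBlobInput(blob);
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        }
    }

    // Helper to build test blobs; mirrors what a producer of these blobs would do.
    public static byte[] toBlob(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(value); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Happy path: nested allowlisted containers with boxed values round-trip.
        LinkedHashMap<String, Object> m = new LinkedHashMap<>();
        m.put("count", 3);
        m.put("tags", new ArrayList<>(List.of("a", "b")));
        System.out.println("round trip: " + fromBlob(toBlob(m)));

        // Rejection by the allowlist: java.util.Date is harmless, the point is that the gate
        // fires on the descriptor, before instantiation of whatever class was named.
        try { fromBlob(toBlob(new java.util.Date(0))); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }

        // Rejection by the pre-check: wrong header, so no ObjectInputStream is ever opened.
        try { fromBlob(new byte[] {1, 2, 3, 4}); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

On Java 9 and later the same policy can be expressed with the standard java.io.ObjectInputFilter (JEP 290) via ObjectInputStream.setObjectInputFilter, which additionally caps stream depth, array lengths and total references; the resolveClass override remains the portable approach for older runtimes and is what the PR summary describes.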
@ethan-ozelius-contentful ethan ozelius (ethan-ozelius-contentful) changed the title do not merge allow-list stream reading [ACT-2842] Jun 30, 2026
@ethan-ozelius-contentful ethan ozelius (ethan-ozelius-contentful) changed the title allow-list stream reading [ACT-2842] fix: remediate insecure object deserialization in BlobUtils [ACT-2842] Jun 30, 2026