authorFabian Meumertzheim <meumertzheim@code-intelligence.com>2021-07-22 12:46:20 +0200
committerFabian Meumertzheim <fabian@meumertzhe.im>2021-07-22 12:58:38 +0200
commit837fbb9fa102870b34145f9fd300d2abde9e78d0 (patch)
tree66f765a7c580f113cc4c9ad58468ce2f3c9e6937 /sanitizers
parent4bb5f05eff30e3a55a407d2e8b3c2e0a04583e7b (diff)
downloadjazzer-api-837fbb9fa102870b34145f9fd300d2abde9e78d0.tar.gz
Report custom readObject calls directly instead of through finalize
Diffstat (limited to 'sanitizers')
-rw-r--r--sanitizers/src/main/java/jaz/Zer.java10
1 files changed, 10 insertions, 0 deletions
diff --git a/sanitizers/src/main/java/jaz/Zer.java b/sanitizers/src/main/java/jaz/Zer.java
index 05e8d608..0b27609c 100644
--- a/sanitizers/src/main/java/jaz/Zer.java
+++ b/sanitizers/src/main/java/jaz/Zer.java
@@ -14,8 +14,11 @@
package jaz;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium;
import com.code_intelligence.jazzer.api.Jazzer;
+import java.io.IOException;
+import java.io.ObjectInputStream;
/**
* A honeypot class that reports an appropriate finding on any interaction with one of its methods
@@ -94,4 +97,11 @@ public class Zer implements java.io.Serializable {
Jazzer.reportFindingFromHook(staticInitializerCause);
super.finalize();
}
+
+ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
+ Jazzer.reportFindingFromHook(new FuzzerSecurityIssueHigh("Remote Code Execution\n"
+ + " Deserialization of arbitrary classes with custom readObject may allow remote\n"
+ + " code execution depending on the classpath."));
+ in.defaultReadObject();
+ }
}
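Review bot: The new private `readObject` has no comment, and because it is only ever invoked reflectively by `ObjectInputStream` it reads as dead code to maintainers and to unused-member tooling. I would add a short Javadoc above it, e.g. `/** Serialization hook, called reflectively by ObjectInputStream; reports here because finalize() only runs when the GC gets to it. */`, so the reason for reporting at this point (per the commit title) stays with the code. It is also worth stating whether `in.defaultReadObject()` is expected to be reached: if `Jazzer.reportFindingFromHook` returns normally, the deserialized instance would presumably later hit the `finalize()` report shown just above with a different cause, and a one-line note on that would help anyone triaging duplicate findings. The class body starts outside this hunk, so other serialization entry points may already be covered elsewhere.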