From 3811cd4c0a0be3aac6e842cf1890610ce986449d Mon Sep 17 00:00:00 2001
From: Sam Brannen
Date: Tue, 29 Mar 2022 15:22:30 +0200
Subject: [PATCH] Introduce warnings in documentation of SerializationUtils

Closes gh-28246
---
 .../util/SerializationUtils.java | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/spring-core/src/main/java/org/springframework/util/SerializationUtils.java b/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
index 1f15a163f0e3..28507cd42633 100644
--- a/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
+++ b/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,9 +25,18 @@ import org.springframework.lang.Nullable;
 /**
- * Static utilities for serialization and deserialization.
+ * Static utilities for serialization and deserialization using
+ * Java Object Serialization.
+ *
+ *

WARNING: These utilities should be used with caution. See
+ * Secure Coding Guidelines for the Java Programming Language
+ * for details.
  *
  * @author Dave Syer
+ * @author Loïc Ledoyen
+ * @author Sam Brannen
  * @since 3.0.5
  */
 public abstract class SerializationUtils {
@@ -55,6 +64,12 @@ public static byte[] serialize(@Nullable Object object) {
 /**
  * Deserialize the byte array into an object.
+ *
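Review bot: The class-level warning added here only says the utilities "should be used with caution" and leaves the reader to work out which operation is dangerous and under what condition; in this class the risk is confined to deserializing bytes that did not come from a trusted serialize() call, and the Javadoc should say so rather than rely on the external guidelines alone. I would add, after the "for details." line, `* <p>In particular, {@link #deserialize(byte[])} must never be applied to bytes received from an untrusted source.` The anchor markup around the guidelines link is not visible in this rendering, so the link target could not be checked. The class body continues past the end of the hunk.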

WARNING: This utility will be deprecated in Spring
+ * Framework 6.0 since it uses Java Object Serialization, which allows arbitrary
+ * code to be run and is known for being the source of many Remote Code Execution
+ * (RCE) vulnerabilities. Prefer the use of an external tool (that serializes
+ * to JSON, XML, or any other format) which is regularly checked and updated
+ * for not allowing RCE.
  * @param bytes a serialized object
  * @return the result of deserializing the bytes
  */
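Review bot: The new warning on deserialize() tells callers to move to another format but offers no mitigation for code that must keep consuming existing Java-serialized bytes, and as far as the hunk shows the method (whose body lies outside the hunk) applies no deserialization filter of its own. The Javadoc should name the standard control, e.g. `* <p>Where Java Object Serialization cannot be avoided, restrict the classes that may be reconstructed with a {@link java.io.ObjectInputFilter} (Java 9+, or the {@code jdk.serialFilter} system property on later Java 8 updates), and never pass bytes from an untrusted source to this method.` The phrase "regularly checked and updated for not allowing RCE" also over-promises for JSON/XML tools, which have had their own deserialization RCEs when polymorphic type handling is enabled; the safer advice is to choose a format and configuration that does not reconstruct arbitrary types named in the input. The planned deprecation is stated in prose only, so if the @deprecated tag is deliberately deferred to 6.0 a short note to that effect would stop readers from expecting one here.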