Commit 1f6790b

DATAREDIS-780 - Update guidelines for serialization usage.
1 parent 4683451 commit 1f6790b

File tree

1 file changed

+10
-1
lines changed

src/main/asciidoc/reference/redis.adoc

Lines changed: 10 additions & 1 deletion
@@ -353,7 +353,16 @@ However one can use `OxmSerializer` for Object/XML mapping through Spring http:/
353353

354354
Do note that the storage format is not limited only to values - it can be used for keys, values or hashes without any restrictions.
355355

356-
WARNING: `RedisCache` and `RedisTemplate` are configured by default to use Java native serialization. Java native serialization is known for allowing remote code execution caused by payloads that exploit vulnerable libraries and classes injecting unverified bytecode. You might want to consider other serialization mechanisms such as JSON or XML to prevent flaws. Alternatively, use a customized `ObjectInputStream` whitelisting classes you trust to be deserialized properly. See also https://www.owasp.org/index.php/Deserialization_of_untrusted_data[OWASP: Deserialization of untrusted data].
356+
[WARNING]
357+
====
358+
`RedisCache` and `RedisTemplate` are configured by default to use Java native serialization. Java native serialization is known for allowing remote code execution caused by payloads that exploit vulnerable libraries and classes injecting unverified bytecode. Manipulated input could lead to unwanted code execution in the application during the deserialization step. As a consequence, do not use serialization in untrusted environments. In general, we strongly recommend any other message format (e.g. JSON) instead.
359+
360+
If you are concerned about security vulnerabilities due to Java serialization, consider the general-purpose serialization filter mechanism at the core JVM level, originally developed for JDK 9 but backported to JDK 8, 7 and 6 in the meantime:
361+
362+
* https://blogs.oracle.com/java-platform-group/entry/incoming_filter_serialization_data_a[Filter Incoming Serialization Data].
363+
* http://openjdk.java.net/jeps/290[JEP 290].
364+
* https://www.owasp.org/index.php/Deserialization_of_untrusted_data[OWASP: Deserialization of untrusted data].
365+
====
357366

358367
[[redis.hashmappers.root]]
359368
== Hash mapping
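Review bot: the rewritten warning drops the one concrete mitigation the old text offered (a customized `ObjectInputStream` that whitelists trusted classes) and replaces it with a link list, but never says how to enable the JEP 290 filter it now recommends or how to move off Java serialization within this library. Consider adding one sentence naming the filter entry point (the `jdk.serialFilter` system property, or an `ObjectInputFilter` installed programmatically on JDK 9+) and one sentence pointing readers at the JSON/XML serializers this section already covers (for example `Jackson2JsonRedisSerializer`, or the `OxmSerializer` mentioned in the hunk header) as the replacement for the default `RedisTemplate` serializer, so the admonition ends with an actionable configuration rather than three external URLs. Minor: "Manipulated input could lead to unwanted code execution in the application during the deserialization step." restates the preceding sentence about remote code execution and could be merged into it; the escalation from "You might want to consider" to "do not use serialization in untrusted environments" is appropriate and should stay.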
