|
|
|
|
|
|
by jiggawatts
1037 days ago
|
|
|
> I am not sure what can the serialization framework possibly _do_ to make things secure during the serialization Loads of things! A strict specification that can only be interpreted one way goes very far. E.g.: a machine-readable BNF grammar file or something similar with no ambiguities. A conformance test suite covering corner-cases is surprisingly effective, even with a supposedly perfect spec. "Be strict with what you generate and lax with what you accept" has been demonstrated over and over again to be a disaster over the long-term in an ecosystem of many groups. Be strict always with what is accepted, not just generated! Speaking of being strict: schema validation is essential. Strong typing for scalars helps a lot. The actual implementations of the spec can obviously have a wide range of security features. Never allowing arbitrary type instantiation is critical, yet is a mistake that keeps reoccurring much like SQL injection. Etc, etc... |
|
|
>> Loads of things!
>> A strict specification that can only be interpreted one way goes very far. E.g.: a machine-readable BNF grammar file or something similar with no ambiguities.
once again, that is not the domain of the serialization framework ! it is a policy which needs to be established and enforced at input / output layer by the entity which implements it.
a serialization framework should just serialize and deserialize objects to / from an i/o 'channel' f.e. file, network, etc. shackling it with specification / enforcement of security etc. policies seems conflating one concern with another.