by cogman10
270 days ago
Java object serialization can be super dangerous as it just works on any class that implements `Serializable`. That means if the shape of your object is something like

    import java.io.Serializable;

    // Assumed here: SerializableFunction is a functional interface that also extends Serializable
    interface SerializableFunction extends Serializable {
        Object apply();
    }

    class Foo implements Serializable {
        SerializableFunction bar; // whatever SerializableFunction implementation is in the stream ends up here
        void doBar() {
            bar.apply();
        }
    }

You've created a class which an attacker can plug any object which implements `SerializableFunction` into `bar`. That includes externally created functions! Here's an article detailing exactly how that works: https://www.baeldung.com/java-serialize-lambda
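An added example (not the commenter's code, and not from the linked article) showing the round trip the comment describes and the check a defender would put in front of it: a `Serializable` holder carries a serializable lambda, `ObjectInputStream` brings the lambda back and runs it, and a Java 9+ `ObjectInputFilter` allow-list that does not admit `java.lang.invoke.SerializedLambda` rejects the same bytes before any of it is instantiated. The class and interface names (`SerializedLambdaFilterDemo`, `Foo`, `SerializableSupplier`) are assumptions for the example.

```java
import java.io.*;
import java.util.function.Supplier;

// Added example: serializable lambda round trip with and without a deserialization filter.
public class SerializedLambdaFilterDemo {

    // Assumption: a functional interface that is also Serializable, so a lambda
    // assigned to it is written out via writeReplace as a SerializedLambda.
    interface SerializableSupplier<T> extends Supplier<T>, Serializable {}

    static class Foo implements Serializable {
        private static final long serialVersionUID = 1L;
        SerializableSupplier<String> bar;
        String doBar() { return bar.get(); }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unfiltered read: whatever SerializableSupplier implementation is in the
    // stream is reconstructed, and its code runs as soon as doBar() is called.
    static Foo readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Foo) ois.readObject();
        }
    }

    // Filtered read (Java 9+): the pattern is an allow-list of expected classes
    // ending in "!*", which rejects everything else. Because serialized lambdas
    // travel as java.lang.invoke.SerializedLambda, leaving that class out of the
    // list is what stops arbitrary lambdas from reaching the Foo.bar field.
    static Foo readFiltered(byte[] bytes, String filterPattern) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(filterPattern));
            return (Foo) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Foo foo = new Foo();
        foo.bar = () -> "hello from a serialized lambda";
        byte[] bytes = serialize(foo);

        // Without a filter the lambda comes back and executes.
        System.out.println(readUnfiltered(bytes).doBar());

        // Same bytes, but only Foo itself is allowed: the SerializedLambda entry
        // fails the filter and readObject throws InvalidClassException.
        String strict = SerializedLambdaFilterDemo.class.getName() + "$Foo;!*";
        try {
            readFiltered(bytes, strict);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Running `main` prints the lambda's string first and then the filter rejection. The filter applies to every class descriptor in the stream, so the allow-list has to name each class the payload legitimately contains; a JVM-wide default can also be set with the `jdk.serialFilter` system property instead of per stream.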