Skip to content

[java] Refactor java class deserialization checks #3459

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
micrictor wants to merge 4 commits into
base: main
Choose a base branch
from
Open

[java] Refactor java class deserialization checks #3459

micrictor wants to merge 4 commits into from

Conversation

@micrictor
Copy link

@micrictor micrictor commented Aug 14, 2025

What is the purpose of the change

This PR refactors the Java class deserialization checks into a separate class and applies the security checks on all deserialization paths.

Verifying this change

This change added tests and can be verified as follows:

  • Added unit tests to validate that permitted classes are allowed to deserialized, and that unpermitted classes are not
  • Tests validate both SERIALIZABLE_PACKAGES and SERIALIZABLE_CLASSES

Documentation

No new features.

@github-actions github-actions bot added Java Pull Requests for Java binding build labels Aug 14, 2025
@martin-g
Copy link
Member

martin-g commented Oct 23, 2025

This might be obsolete now with #3525

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

build Java Pull Requests for Java binding

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@micrictor @martin-g