{"id":18827214,"url":"https://github.com/thomasleplus/jep-290","last_synced_at":"2025-04-14T02:10:27.382Z","repository":{"id":38040190,"uuid":"313665595","full_name":"thomasleplus/JEP-290","owner":"thomasleplus","description":"Tests of JEP-290","archived":false,"fork":false,"pushed_at":"2025-04-08T21:58:26.000Z","size":578,"stargazers_count":4,"open_issues_count":0,"forks_count":3,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-08T22:31:45.972Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thomasleplus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-11-17T15:41:55.000Z","updated_at":"2025-04-08T21:58:30.000Z","dependencies_parsed_at":"2023-02-16T14:45:57.042Z","dependency_job_id":"340c5393-8d20-4069-b2d7-47fd558f6dfa","html_url":"https://github.com/thomasleplus/JEP-290","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasleplus%2FJEP-290","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasleplus%2FJEP-290/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasleplus%2FJEP-290/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomasleplus%2FJEP-290/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thomasleplus","download_url":"htt
ps://codeload.github.com/thomasleplus/JEP-290/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248809046,"owners_count":21164896,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T01:13:20.390Z","updated_at":"2025-04-14T02:10:27.353Z","avatar_url":"https://github.com/thomasleplus.png","language":"Java","readme":"# JEP-290\n\nTests of JEP-290\n\n[![Maven](https://github.com/thomasleplus/JEP-290/workflows/Maven/badge.svg)](https://github.com/thomasleplus/JEP-290/actions?query=workflow:\"Maven\")\n[![ShellCheck](https://github.com/thomasleplus/JEP-290/workflows/ShellCheck/badge.svg)](https://github.com/thomasleplus/JEP-290/actions?query=workflow:\"ShellCheck\")\n[![CodeQL](https://github.com/thomasleplus/JEP-290/workflows/CodeQL/badge.svg)](https://github.com/thomasleplus/JEP-290/actions?query=workflow:\"CodeQL\")\n\n## Build\n\nTo build this project, run the following command (Mac or Unix):\n\n```\n./build\n```\n\nThis will build the Java code and then 2 Docker images:\n\n- jep290/java: to test the filtering with a bare Java 8 VM.\n- jep290/jboss: to test the filtering within a JBoss WildFly 14 application server running on top of a Java 8 VM.\n\n## Run\n\nThe test is configured with the following JDK serial filter: `java.math.**;!*`\n\nThis means that only classes in the java.math package are allowed to\nbe serialized.\n\nTo run the simple Java 17 test, simply do:\n\n```\ndocker run jep290/java\n```\n\nYou should see the following output:\n\n```\nJan 1, 1970 0:00:00 AM 
sun.misc.ObjectInputFilter$Config lambda$static$0\nINFO: Creating serialization filter from java.math.**;!*\nJan 1, 1970 0:00:00 AM java.io.ObjectInputStream filterCheck\nFINER: ObjectInputFilter ALLOWED: class java.math.BigInteger, array length: -1, nRefs: 1, depth: 1, bytes: 125, ex: n/a\nJan 1, 1970 0:00:00 AM java.io.ObjectInputStream filterCheck\nINFO: ObjectInputFilter REJECTED: class java.lang.Number, array length: -1, nRefs: 2, depth: 2, bytes: 156, ex: n/a\nException in thread \"main\" java.io.InvalidClassException: filter status: REJECTED\n        at java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1254)\n        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1877)\n        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1750)\n        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1884)\n        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1750)\n        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2041)\n        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1572)\n        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:430)\n        at org.leplus.infosec.jep290.Demo.run(Demo.java:22)\n        at org.leplus.infosec.jep290.Main.main(Main.java:12)\n```\n\nHere we can clearly see that the java.math.BigInteger class is allowed\nto be serialized, but the java.lang.Number is being blocked, as it\nshould be given the filter that we have set.\n\nTo run the JBoss test, simply do:\n\n```\ndocker run jep290/jboss\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthomasleplus%2Fjep-290","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthomasleplus%2Fjep-290","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthomasleplus%2Fjep-290/lists"}