https://github.com/thomasleplus/jep-290

Tests of JEP-290
https://github.com/thomasleplus/jep-290

Last synced: about 1 year ago
JSON representation

Tests of JEP-290

• Host: GitHub
• URL: https://github.com/thomasleplus/jep-290
• Owner: thomasleplus
• License: apache-2.0
• Created: 2020-11-17T15:41:55.000Z (over 5 years ago)
• Default Branch: main
• Last Pushed: 2025-04-08T21:58:26.000Z (about 1 year ago)
• Last Synced: 2025-04-08T22:31:45.972Z (about 1 year ago)
• Language: Java
• Size: 564 KB
• Stars: 4
• Watchers: 3
• Forks: 3
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Code of conduct: CODE_OF_CONDUCT.md
  • Security: SECURITY.md

Awesome Lists containing this project

README

          
# JEP-290

Tests of JEP-290

[![Maven](https://github.com/thomasleplus/JEP-290/workflows/Maven/badge.svg)](https://github.com/thomasleplus/JEP-290/actions?query=workflow:"Maven")

[![ShellCheck](https://github.com/thomasleplus/JEP-290/workflows/ShellCheck/badge.svg)](https://github.com/thomasleplus/JEP-290/actions?query=workflow:"ShellCheck")

[![CodeQL](https://github.com/thomasleplus/JEP-290/workflows/CodeQL/badge.svg)](https://github.com/thomasleplus/JEP-290/actions?query=workflow:"CodeQL")

## Build

To build this project, run the following command (Mac or Unix):

```

./build

```

This will build the java code and then 2 docker images:

- jep290/java: to test the filtering with a bare Java 8 VM.

- jep290/jboss: to test the filtering with in a JBoss WildFly 14 application server running on top of a Java 8 VM.

## Run

The test is configured with the following JDK serial filter: java.math.\*_;!_

This means that only classes in the java.math package are allowed to

be serialized.

To run the simple Java 17 test, simply do:

```

docker run jep290/java

```

You should see the following output:

```

Jan 1, 1970 0:00:00 AM sun.misc.ObjectInputFilter$Config lambda$static$0

INFO: Creating serialization filter from java.math.**;!*

Jan 1, 1970 0:00:00 AM java.io.ObjectInputStream filterCheck

FINER: ObjectInputFilter ALLOWED: class java.math.BigInteger, array length: -1, nRefs: 1, depth: 1, bytes: 125, ex: n/a

Jan 1, 1970 0:00:00 AM java.io.ObjectInputStream filterCheck

INFO: ObjectInputFilter REJECTED: class java.lang.Number, array length: -1, nRefs: 2, depth: 2, bytes: 156, ex: n/a

Exception in thread "main" java.io.InvalidClassException: filter status: REJECTED

        at java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1254)

        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1877)

        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1750)

        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1884)

        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1750)

        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2041)

        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1572)

        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:430)

        at org.leplus.infosec.jep290.Demo.run(Demo.java:22)

        at org.leplus.infosec.jep290.Main.main(Main.java:12)

```

Here we can clearly see that the java.math.BigInteger class is allowed

to be serialized, but the java.lang.Number is being blocked, as it

should be given the filter that we have set.

To run the JBoss test, simply do:

```

docker run jep290/jboss

```