Refactoring and cleanup #2733

Merged
riccardobl merged 5 commits into jMonkeyEngine:master from riccardobl:hrd
May 1, 2026

@riccardobl
Member

some refactoring and hardening

@riccardobl
Member Author

@gemini-code-assist review

Contributor

gemini-code-assist bot left a comment

Code Review

This pull request significantly hardens the engine against malicious assets and network messages by introducing several security layers. Key improvements include the implementation of a SavableClassFilter and a standalone J3OScanner utility to prevent unauthorized class instantiation from J3O files, as well as extensive bounds and size validation within the BinaryImporter and BinaryInputCapsule to mitigate buffer overflows and memory exhaustion. Additionally, XML loaders have been updated to use a new SecureXmlFactory that disables external entity resolution, and the networking layer now enforces maximum message sizes. Feedback suggests further hardening the binary importer by defining explicit upper bounds for class counts and data lengths to provide stronger protection against Denial of Service attacks via memory exhaustion.
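
The feedback in the review above asks for explicit upper bounds on class counts and data lengths. As an added example (not code from this pull request or from jMonkeyEngine), the sketch below shows a length-prefixed reader that checks each declared size against a fixed cap and against the bytes actually remaining before it allocates; `BoundedReader`, `MAX_CLASSES` and `MAX_FIELD_BYTES` are hypothetical names and limits.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
// Added illustration; BoundedReader, MAX_CLASSES and MAX_FIELD_BYTES are
// hypothetical names and limits, not jMonkeyEngine's BinaryImporter API.
public final class BoundedReader {
    static final int MAX_CLASSES = 4096;          // assumed cap on declared class count
    static final int MAX_FIELD_BYTES = 16 << 20;  // assumed cap on one data field (16 MiB)
    private final DataInputStream in;
    private long remaining; // bytes the source can still supply

    BoundedReader(byte[] data) {
        this.in = new DataInputStream(new ByteArrayInputStream(data));
        this.remaining = data.length;
    }

    // Reads a 32-bit count and rejects it before anything is sized from it.
    int readCount(int max, String what) throws IOException {
        if (remaining < 4) throw new IOException("truncated " + what);
        int n = in.readInt();
        remaining -= 4;
        if (n < 0 || n > max) throw new IOException(what + " out of range: " + n);
        return n;
    }

    // Reads a length-prefixed field; allocation happens only after both checks pass.
    byte[] readField() throws IOException {
        int len = readCount(MAX_FIELD_BYTES, "field length");
        if (len > remaining) throw new IOException("field length " + len + " exceeds remaining " + remaining);
        byte[] buf = new byte[len];
        in.readFully(buf);
        remaining -= len;
        return buf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: class count 2, then one 3-byte field.
        byte[] ok = ByteBuffer.allocate(11).putInt(2).putInt(3).put(new byte[]{1, 2, 3}).array();
        BoundedReader r = new BoundedReader(ok);
        System.out.println(r.readCount(MAX_CLASSES, "class count") + " classes, field of " + r.readField().length + " bytes");
        // Constructed hostile input: a 4-byte file declaring a ~2 GiB field.
        byte[] bad = ByteBuffer.allocate(4).putInt(Integer.MAX_VALUE).array();
        try {
            new BoundedReader(bad).readField();
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The cap bounds the worst-case allocation regardless of file size, while the remaining-bytes check rejects a small file that declares a length it cannot back.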

riccardobl merged commit 115a825 into jMonkeyEngine:master on May 1, 2026
7 checks passed