Commit 001171f
Harden deserialization in HttpRestartServer
While remote code execution is a feature of remote DevTools,
hardening of the deserialization of ClassLoaderFiles is not without
benefit. Not least, it should prevent false-positive reports from
AI-based security scanners that look at the code in isolation without
understanding the full context of the feature.
It should be noted that this hardening in no way protects against
remote code execution and the use of remote DevTools remains an
opt-in feature that should only be enabled in a trusted setting and
secured with a sufficiently complex secret. It remains the case that
an attacker who compromises the secret and has network access to the
remote application can achieve RCE by uploading a serialized
ClassLoaderFiles payload that adds malicious code and/or resources
to the application.
Closes gh-502721

parent 03eb75f
commit 001171f
2 files changed
Lines changed: 49 additions & 1 deletion
File tree
- spring-boot-project/spring-boot-devtools/src
- main/java/org/springframework/boot/devtools/restart/server
- test/java/org/springframework/boot/devtools/restart/server
Lines changed: 31 additions & 1 deletion
Lines changed: 18 additions & 0 deletions