diff --git a/en/contribute/OpenHarmony-Java-secure-coding-guide.md b/en/contribute/OpenHarmony-Java-secure-coding-guide.md index f61c28892897c2f5a66ac2762755c78ed6433af5..7a3adcd43041b99a863bffc7cfd8d1c58177db81 100644 --- a/en/contribute/OpenHarmony-Java-secure-coding-guide.md +++ b/en/contribute/OpenHarmony-Java-secure-coding-guide.md @@ -803,10 +803,10 @@ public class DeserializeExample implements Serializable { //Deserialize external data ObjectInputStream ois2= new ObjectInputStream(fis); - PersionInfo myPerson = (PersionInfo) ois2.readObject(); + PersonInfo myPerson = (PersonInfo) ois2.readObject(); ``` -In this noncompliant code example, when the object of the deserialization operation is the serialization result of the **DeserializeExample** object constructed by the attacker, an error will be reported when the `PersionInfo myPerson = (PersionInfo) ois2.readObject()` statement is executed, but the attack code in the `readObject()` method of the **DeserializeExample** object is executed. +In this noncompliant code example, when the object of the deserialization operation is the serialization result of the **DeserializeExample** object constructed by the attacker, an error will be reported when the `PersonInfo myPerson = (PersonInfo) ois2.readObject()` statement is executed, but the attack code in the `readObject()` method of the **DeserializeExample** object is executed. **\[Compliant Code Example]** (Trustlist Validation) @@ -822,7 +822,7 @@ public final class SecureObjectInputStream extends ObjectInputStream { protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException { - if (!desc.getName().equals("com.xxxx.PersionInfo")) {//Trustlist validation + if (!desc.getName().equals("com.xxxx.PersonInfo")) {//Trustlist validation throw new ClassNotFoundException(desc.getName() + " not find"); } return super.resolveClass(desc); 
@@ -870,7 +870,7 @@ public final class HWObjectInputStream extends ObjectInputStream { (3) Set a trustlist in the policy file. ``` -permission java.io.SerializablePermission "com.xxxx.PersionInfo"; +permission java.io.SerializablePermission "com.xxxx.PersonInfo"; ``` diff --git a/zh-cn/contribute/OpenHarmony-Java-secure-coding-guide.md b/zh-cn/contribute/OpenHarmony-Java-secure-coding-guide.md index f5aa62464925f42e3e9fe4ce883b6780162817e0..afeebd82dbf267a8070683ee931d42c74431444b 100644 --- a/zh-cn/contribute/OpenHarmony-Java-secure-coding-guide.md +++ b/zh-cn/contribute/OpenHarmony-Java-secure-coding-guide.md @@ -807,10 +807,10 @@ public class DeserializeExample implements Serializable { // 使用外部数据执行反序列化操作 ObjectInputStream ois2= new ObjectInputStream(fis); - PersionInfo myPerson = (PersionInfo) ois2.readObject(); + PersonInfo myPerson = (PersonInfo) ois2.readObject(); ``` -上面的示例中,当反序列化操作的对象是攻击者构造的DeserializeExample对象的序列化结果,当`PersionInfo myPerson = (PersionInfo) ois2.readObject()`该语句执行时会报错,但是DeserializeExample对象中的`readObject()`方法中的攻击代码已经被执行。 +上面的示例中,当反序列化操作的对象是攻击者构造的DeserializeExample对象的序列化结果,当`PersonInfo myPerson = (PersonInfo) ois2.readObject()`该语句执行时会报错,但是DeserializeExample对象中的`readObject()`方法中的攻击代码已经被执行。 **【正例】**(使用白名单校验) @@ -826,7 +826,7 @@ public final class SecureObjectInputStream extends ObjectInputStream { protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException { - if (!desc.getName().equals("com.xxxx.PersionInfo")) { // 白名单校验 + if (!desc.getName().equals("com.xxxx.PersonInfo")) { // 白名单校验 throw new ClassNotFoundException(desc.getName() + " not find"); } return super.resolveClass(desc); @@ -874,7 +874,7 @@ public final class HWObjectInputStream extends ObjectInputStream { (3) 在policy文件里设置白名单 ``` -permission java.io.SerializablePermission "com.xxxx.PersionInfo"; +permission java.io.SerializablePermission "com.xxxx.PersonInfo"; ``` 
@@ -910,7 +910,7 @@ permission java.io.SerializablePermission "com.xxxx.PersionInfo"; 实现:hibernate-validator 、Spring: - hibernate-validator 是 JSR 380(Bean Validation 2.0)、JSR 303(Bean Validation 1.0)规范的实现,同时扩展了注解:@Email、@Length、@NotEmpty、@Range等。 -- Spring validtor 同样实现了JSR 380和JSR 303,并提供了MethodValidationPostProcessor类,用于对方法的校验。 +- Spring validator 同样实现了JSR 380和JSR 303,并提供了MethodValidationPostProcessor类,用于对方法的校验。 产品可自主选择合适的校验框架,也可以自主开发实现外部数据校验。
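Review bot: the `PersionInfo` to `PersonInfo` rename in the en `@@ -803` hunk fixes the cast and the prose together, but the hunk only covers the lines shown, and the same misspelling could also live in the `PersonInfo` class definition or in examples the diff does not touch; grep both guides for `PersionInfo` before merging so the noncompliant example, the trustlist string and the policy entry all refer to a class that actually exists under that name.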
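Review bot: in the en `@@ -822` hunk the trustlist comparison is correct after the rename, but the unchanged line right below it, `throw new ClassNotFoundException(desc.getName() + " not find");`, is ungrammatical and is being shipped as the reference message for a rejected class; while this block is open, change it to `" not found"`. The `//Trustlist validation` comment also lacks the space after `//` that the zh-cn counterpart `// 白名单校验` has, and the `protected Class resolveClass(...)` signature uses the raw type where `Class<?>` is what `ObjectInputStream.resolveClass` declares.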
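Review bot: the zh-cn `@@ -826` hunk carries the same English exception text `" not find"` on its unchanged context line as the en version does, so if the message is corrected to `" not found"` in one guide it should be corrected in both, otherwise the two copies of `SecureObjectInputStream` diverge on more than the comment language.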
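Review bot: the `Spring validtor` to `Spring validator` fix in the zh-cn `@@ -910` hunk has no counterpart hunk in the en guide in this diff; check whether the en version of this bullet already spells it correctly, since every other change here is mirrored in both files. The unchanged context line `实现:hibernate-validator 、Spring:` also has a stray space before `、` that could be dropped in the same pass.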