Unverified commit 81930e9e, authored by openharmony_ci, committed by Gitee

!4430 [OpenHarmony Open Source Contributor Program 2022] fix: fix Persion typo

Merge pull request !4430 from rtos_ming/PersionInfo
...@@ -803,10 +803,10 @@ public class DeserializeExample implements Serializable { ...@@ -803,10 +803,10 @@ public class DeserializeExample implements Serializable {
//Deserialize external data //Deserialize external data
ObjectInputStream ois2= new ObjectInputStream(fis); ObjectInputStream ois2= new ObjectInputStream(fis);
PersionInfo myPerson = (PersionInfo) ois2.readObject(); PersonInfo myPerson = (PersonInfo) ois2.readObject();
``` ```
In this noncompliant code example, when the object of the deserialization operation is the serialization result of the **DeserializeExample** object constructed by the attacker, an error will be reported when the `PersionInfo myPerson = (PersionInfo) ois2.readObject()` statement is executed, but the attack code in the `readObject()` method of the **DeserializeExample** object is executed. In this noncompliant code example, when the object of the deserialization operation is the serialization result of the **DeserializeExample** object constructed by the attacker, an error will be reported when the `PersonInfo myPerson = (PersonInfo) ois2.readObject()` statement is executed, but the attack code in the `readObject()` method of the **DeserializeExample** object is executed.
**\[Compliant Code Example]** (Trustlist Validation) **\[Compliant Code Example]** (Trustlist Validation)
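Review bot: the prose in this hunk only says "an error will be reported"; since the rename touches that sentence anyway, it would help readers to name the error: `readObject()` returns the attacker-supplied `DeserializeExample` instance and the cast to `PersonInfo` then throws a `ClassCastException`, which is exactly why the cast arrives too late to protect anything. Two small style points on the unchanged context lines: `ois2= new ObjectInputStream(fis)` is missing a space before `=`, and `//Deserialize external data` is missing a space after `//`.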
...@@ -822,7 +822,7 @@ public final class SecureObjectInputStream extends ObjectInputStream { ...@@ -822,7 +822,7 @@ public final class SecureObjectInputStream extends ObjectInputStream {
protected Class<?> resolveClass(ObjectStreamClass desc) protected Class<?> resolveClass(ObjectStreamClass desc)
throws IOException, ClassNotFoundException { throws IOException, ClassNotFoundException {
if (!desc.getName().equals("com.xxxx.PersionInfo")) {//Trustlist validation if (!desc.getName().equals("com.xxxx.PersonInfo")) {//Trustlist validation
throw new ClassNotFoundException(desc.getName() + " not find"); throw new ClassNotFoundException(desc.getName() + " not find");
} }
return super.resolveClass(desc); return super.resolveClass(desc);
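Review bot: the exception message `" not find"` on the unchanged line reads as a grammar error and should be `" not found"` (or a clearer `" is not in the deserialization trustlist"`). Separately, the trustlist is a single exact match on `desc.getName()`, so the doc should state that every non-primitive, non-String class in the `PersonInfo` object graph (wrapper types, collections, arrays, nested value objects) also passes through `resolveClass` and must be allowed; otherwise readers will copy a check that rejects valid input. A sentence pointing out that `ObjectInputStream.setObjectInputFilter` (Java 9+) is the standard way to express such an allow-list would also be useful.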
...@@ -870,7 +870,7 @@ public final class HWObjectInputStream extends ObjectInputStream { ...@@ -870,7 +870,7 @@ public final class HWObjectInputStream extends ObjectInputStream {
(3) Set a trustlist in the policy file. (3) Set a trustlist in the policy file.
``` ```
permission java.io.SerializablePermission "com.xxxx.PersionInfo"; permission java.io.SerializablePermission "com.xxxx.PersonInfo";
``` ```
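Review bot: the policy entry `permission java.io.SerializablePermission "com.xxxx.PersonInfo";` is a custom permission target, not one of the standard `SerializablePermission` names, so it has no effect unless the `HWObjectInputStream` named in the hunk header explicitly checks it and a `SecurityManager` is installed; the doc should say so here, and should note that `SecurityManager` is deprecated for removal since Java 17, which makes this mechanism unsuitable for new code.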
...@@ -807,10 +807,10 @@ public class DeserializeExample implements Serializable { ...@@ -807,10 +807,10 @@ public class DeserializeExample implements Serializable {
// 使用外部数据执行反序列化操作 // 使用外部数据执行反序列化操作
ObjectInputStream ois2= new ObjectInputStream(fis); ObjectInputStream ois2= new ObjectInputStream(fis);
PersionInfo myPerson = (PersionInfo) ois2.readObject(); PersonInfo myPerson = (PersonInfo) ois2.readObject();
``` ```
上面的示例中,当反序列化操作的对象是攻击者构造的DeserializeExample对象的序列化结果,当`PersionInfo myPerson = (PersionInfo) ois2.readObject()`该语句执行时会报错,但是DeserializeExample对象中的`readObject()`方法中的攻击代码已经被执行。 上面的示例中,当反序列化操作的对象是攻击者构造的DeserializeExample对象的序列化结果,当`PersonInfo myPerson = (PersonInfo) ois2.readObject()`该语句执行时会报错,但是DeserializeExample对象中的`readObject()`方法中的攻击代码已经被执行。
**【正例】**(使用白名单校验) **【正例】**(使用白名单校验)
...@@ -826,7 +826,7 @@ public final class SecureObjectInputStream extends ObjectInputStream { ...@@ -826,7 +826,7 @@ public final class SecureObjectInputStream extends ObjectInputStream {
protected Class<?> resolveClass(ObjectStreamClass desc) protected Class<?> resolveClass(ObjectStreamClass desc)
throws IOException, ClassNotFoundException { throws IOException, ClassNotFoundException {
if (!desc.getName().equals("com.xxxx.PersionInfo")) { // 白名单校验 if (!desc.getName().equals("com.xxxx.PersonInfo")) { // 白名单校验
throw new ClassNotFoundException(desc.getName() + " not find"); throw new ClassNotFoundException(desc.getName() + " not find");
} }
return super.resolveClass(desc); return super.resolveClass(desc);
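Review bot: same points as the English version of this hunk: the unchanged message `" not find"` should read `" not found"`, and the single exact-match trustlist will also reject wrapper, collection and nested object classes referenced by `PersonInfo`, which the Chinese text should mention alongside the rename so the two language versions stay consistent.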
...@@ -874,7 +874,7 @@ public final class HWObjectInputStream extends ObjectInputStream { ...@@ -874,7 +874,7 @@ public final class HWObjectInputStream extends ObjectInputStream {
(3) 在policy文件里设置白名单 (3) 在policy文件里设置白名单
``` ```
permission java.io.SerializablePermission "com.xxxx.PersionInfo"; permission java.io.SerializablePermission "com.xxxx.PersonInfo";
``` ```
...@@ -910,7 +910,7 @@ permission java.io.SerializablePermission "com.xxxx.PersionInfo"; ...@@ -910,7 +910,7 @@ permission java.io.SerializablePermission "com.xxxx.PersionInfo";
实现:hibernate-validator 、Spring: 实现:hibernate-validator 、Spring:
- hibernate-validator 是 JSR 380(Bean Validation 2.0)、JSR 303(Bean Validation 1.0)规范的实现,同时扩展了注解:@Email、@Length、@NotEmpty、@Range等。 - hibernate-validator 是 JSR 380(Bean Validation 2.0)、JSR 303(Bean Validation 1.0)规范的实现,同时扩展了注解:@Email、@Length、@NotEmpty、@Range等。
- Spring validtor 同样实现了JSR 380和JSR 303,并提供了MethodValidationPostProcessor类,用于对方法的校验。 - Spring validator 同样实现了JSR 380和JSR 303,并提供了MethodValidationPostProcessor类,用于对方法的校验。
产品可自主选择合适的校验框架,也可以自主开发实现外部数据校验。 产品可自主选择合适的校验框架,也可以自主开发实现外部数据校验。
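Review bot: the `@@ -910,7 +910,7 @@` header still shows `"com.xxxx.PersionInfo"` as context; that is the old-side text of the line already fixed in the previous hunk, but before merging it is worth a `grep -rn Persion` over both the English and Chinese files to confirm no occurrence outside these hunks was missed. The `validtor` to `validator` fix itself is correct.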