Deprecate SerializationUtils#deserialize

Since SerializationUtils#deserialize is based on Java's serialization mechanism, it can be the source of Remote Code Execution (RCE) vulnerabilities. Closes gh-28075
spring-projects · Mar 29, 2022 · 7f7fb58 · hackchend · Mar 30, 2022 · tengyer
1 parent e681e71
commit 7f7fb58
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/...rt/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java b/...rt/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java
@@ -150,7 +150,7 @@ private static CacheOperationInvoker.ThrowableWrapper rewriteCallStack(
 	@Nullable
 	private static <T extends Throwable> T cloneException(T exception) {
 		try {
-			return (T) SerializationUtils.deserialize(SerializationUtils.serialize(exception));
+			return SerializationUtils.clone(exception);
 		}
 		catch (Exception ex) {
 			return null;  // exception parameter cannot be cloned

diff --git a/spring-core/src/main/java/org/springframework/util/SerializationUtils.java b/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
@@ -21,6 +21,7 @@
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
+import java.io.Serializable;
 
 import org.springframework.lang.Nullable;
 
@@ -57,8 +58,13 @@ public static byte[] serialize(@Nullable Object object) {
 	 * Deserialize the byte array into an object.
 	 * @param bytes a serialized object
 	 * @return the result of deserializing the bytes
+	 * @deprecated This utility uses Java's reflection, which allows arbitrary code to be
+	 * run and is known for being the source of many Remote Code Execution vulnerabilities.
+	 * <p>Prefer the use of an external tool (that serializes to JSON, XML or any other format)
+	 * which is regularly checked and updated for not allowing RCE.
 	 */
 	@Nullable
+	@Deprecated
 	public static Object deserialize(@Nullable byte[] bytes) {
 		if (bytes == null) {
 			return null;
@@ -74,4 +80,15 @@ public static Object deserialize(@Nullable byte[] bytes) {
 		}
 	}
 
+	/**
+	 * Clone the given object using Java's serialization.
+	 * @param object the object to clone
+	 * @param <T> the type of the object to clone
+	 * @return a clone (deep-copy) of the given object
+	 * @since 6.0.0
+	 */
+	@SuppressWarnings("unchecked")
+	public static <T extends Serializable> T clone(T object) {
+		return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object));
+	}
 }
diff --git a/spring-core/src/test/java/org/springframework/util/SerializationUtilsTests.java b/spring-core/src/test/java/org/springframework/util/SerializationUtilsTests.java
@@ -67,4 +67,9 @@ void deserializeNull() throws Exception {
 		assertThat(SerializationUtils.deserialize(null)).isNull();
 	}
 
+	@Test
+	void cloneException() {
+		IllegalArgumentException ex = new IllegalArgumentException("foo");
+		assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex);
+	}
 }
	* <p><strong>WARNING</strong>: These utilities should be used with caution. See
	* <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
	* target="_blank">Secure Coding Guidelines for the Java Programming Language</a>
	* for details.