What are the security risks when serializing a lambda expression?

I was just going through Streams and Java 8 lambda functions, and came across the last comment in the otherwise self-explanatory Oracle doc Lambda Expressions:

You can serialize a lambda expression if its target type and its captured arguments are serializable. However, like inner classes, serializing lambda expressions is strongly discouraged.

Checking this, I found the SO question

How to serialize lambda?

where the OP deals with serialized lambda expressions from client code.

If I had a web service and one of the parameters was a lambda expression, it looks like it could contain malicious code that could do things like access the file system or cause a stack overflow, so it would be really foolish to trust it.

Am I overstating the security risk, or are there restrictions on what a serialized expression can contain?

+7
java lambda java-8 serialization
2 answers

Let's look at it this way: serializing Java objects is (to a certain extent) a security nightmare anyway (see here).

In other words: serialization itself is a topic that you need to really think about first. Therefore, it doesn't matter if you are talking about serialized lambdas or any other serialized objects.

So, for example, you want to make sure that you understand and follow the relevant rules, such as CERT.

+4

One recommendation in the Oracle Secure Coding Guidelines for Java SE is

Guideline 8-3 / SERIAL-3: View deserialization the same as object construction

In essence, the same validation checks that would apply to constructor arguments should also apply to incoming deserialized data. This can be done for regular objects by providing a readObject method that performs validation. However, it is NOT possible to provide a readObject method for serialized lambdas, so it is not possible to do any validation of the serialized data for lambdas.

Serialized lambdas share all security risks with serializing ordinary objects, but in this respect serialized lambdas suffer from wider security risks than regular serializable objects.

+3
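To make the point of both answers concrete, here is an added example (not code from either answer or from the Oracle guidelines) that serializes a lambda, shows that plain deserialization rebuilds and runs it with no validation hook, and then rejects the same stream with a JEP 290 deserialization filter. The `java.io.ObjectInputFilter` API assumed here exists in Java 9 and later; the allow list contents are this example's own choice.

```java
import java.io.*;
import java.util.function.Function;

public class LambdaSerializationDemo {

    // A lambda is serializable only if its target type is Serializable,
    // so we declare a functional interface that extends it.
    interface SerializableFunction<T, R> extends Function<T, R>, Serializable {}

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize behind a JEP 290 filter (Java 9+). Only the listed classes
    // are accepted; "!*" rejects everything else, which includes the
    // java.lang.invoke.SerializedLambda that a serialized lambda turns into.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.lang.String;java.lang.Integer;!*");   // allow list chosen for this example
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SerializableFunction<Integer, Integer> twice = x -> x * 2;
        byte[] bytes = serialize(twice);

        // What went onto the wire is a SerializedLambda describing the capturing
        // class and the synthetic implementation method. The lambda itself has
        // no readObject method we could add to validate that description.
        System.out.println("serialized " + bytes.length + " bytes");

        // Unfiltered deserialization rebuilds the lambda and it is callable again.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            @SuppressWarnings("unchecked")
            Function<Integer, Integer> restored = (Function<Integer, Integer>) ois.readObject();
            System.out.println("unfiltered: " + restored.apply(21));
        }

        // With the filter in place, the stream is rejected before any lambda
        // is reconstructed, which is the only place validation can happen.
        try {
            deserializeFiltered(bytes);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter is where the "treat deserialization like construction" rule has to be enforced for lambdas: since there is no per-lambda readObject, the decision about which classes may appear in the stream must be made at the ObjectInputStream, before the SerializedLambda is ever turned back into a callable object.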
