Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Bertrand Delacretaz
Hi Commons PMC,

I'd like to introduce Eirik Bjørsnøs to this list (CCed) as the author
of the https://github.com/kantega/notsoserial agent.

I tested his agent in a variety of scenarios and it looks to me like a
great solution for the COLLECTIONS-580 deserialization issue, for
cases when one cannot modify their source code to use something like
IO-487.

I think this code would be a great addition to commons, probably as new module.

Eirik says he's open to donating his code if the Commons PMC is
interested, what do you guys think?

Note that he did mention his tool here before [1], but it has since changed its name.

-Bertrand

[1] http://mail-archives.apache.org/mod_mbox/commons-dev/201511.mbox/%3CCA+pBWhsQK6trGh9TtA7=MCs-Z0-7SRBndWo_D6awFtRku3J1+g@...%3E

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Torsten Curdt-3
Using the agent in (and only in) whitelist mode is a pretty strong and
quick security measure.
Calling this a "great solution" still goes against my inner developer soul
though.
It's pragmatic and a good tool - that I am on board with. (Cool stuff,
Eirik)
Yet it feels a bit like putting a thumb into a hole to stop the water.
People need to re-think their use of reflection and serialization - not
cover up bad engineering practices.

Would I want to see this at commons? Not sure. Releases are probably much
quicker when it's not anyway :-p
Would I love to see e.g. findbugs help find vulnerabilities like that?
Definitely!

Just my 2 cents
Torsten

Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Bertrand Delacretaz
On Wed, Nov 18, 2015 at 7:16 PM, Torsten Curdt <[hidden email]> wrote:
> ...it feels a bit like putting a thumb into a hole to stop the water.
> People need to re-think their use of reflection and serialization - not
> cover up bad engineering practices...

Absolutely - but depending on people's use of serialization it will
take a while until all holes are plugged. Until then, tools like
Eirik's agent can be very useful.

-Bertrand


Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Jacques Le Roux
Le 19/11/2015 01:24, Bertrand Delacretaz a écrit :
> On Wed, Nov 18, 2015 at 7:16 PM, Torsten Curdt <[hidden email]> wrote:
>> ...it feels a bit like putting a thumb into a hole to stop the water.
>> People need to re-think their use of reflection and serialization - not
>> cover up bad engineering practices...
> Absolutely - but depending on people's use of serialization it will
> take a while until all holes are plugged. Until then, tools like
> Eirik's agent can be very useful.
>
> -Bertrand

+1

Jacques


Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Torsten Curdt-3
In reply to this post by Bertrand Delacretaz
>
> > ...it feels a bit like putting a thumb into a hole to stop the water.
> > People need to re-think their use of reflection and serialization - not
> > cover up bad engineering practices...
>
> Absolutely - but depending on people's use of serialization it will
> take a while until all holes are plugged. Until then, tools like
> Eirik's agent can be very useful.
>

Indeed. Call it nitpicking - it's just that the term "great solution"
struck me as inappropriate.

Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Bertrand Delacretaz
On Thu, Nov 19, 2015 at 5:39 AM, Torsten Curdt <[hidden email]> wrote:
> ...it's just that the term "great solution"
> struck me as inappropriate....

Well I did say "great solution...for cases when one cannot modify
their source code..." ;-)

-Bertrand


Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

jochen-2
In reply to this post by Bertrand Delacretaz
On Wed, Nov 18, 2015 at 10:58 PM, Bertrand Delacretaz
<[hidden email]> wrote:

> I tested his agent in a variety of scenarios and it looks to me like a
> great solution for the COLLECTIONS-580 deserialization issue, for
> cases when one cannot modify their source code to use something like
> IO-487.

Be that as it may, but the solution from IO-487 looks to me to be much
easier to use, in particular, because it shifts the burden on the
container, or application vendor (where it belongs, IMO), and not on
the end user running the container, or application.

Jochen


--
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg


Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Bertrand Delacretaz
On Thu, Nov 19, 2015 at 9:40 AM, Jochen Wiedmann
<[hidden email]> wrote:
> ...but the solution from IO-487 looks to me to be much
> easier to use, in particular, because it shifts the burden on the
> container, or application vendor (where it belongs, IMO), and not on
> the end user running the container, or application....

Absolutely, I think both solutions are useful.

IO-487 is the clean solution when you can modify your source code and
specify what you want to deserialize or not.

Eirik's notsoserial agent is a useful (and clever) fix for code that
you can't modify, or as a first step until you can modify and release
your code.

-Bertrand



Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Eirik Bjørsnøs
Hi Commons PMC,

(Sorry for being a bit late to the table)

I see three questions being discussed here:

1) Is notsoserial a "great solution" or a "useful solution" in mitigating
the problem of promiscuous deserialization?
2) Is it a "better" solution than IO-487?
3) Is it in the interest of Commons and the community at large to accept a
donation of this code and include it under its umbrella?

The two first questions are interesting in themselves, but do we really
need to reach any consensus on them? Is there requirement for solutions to
be "great" to join Commons? Is "useful" sufficient? Do we need to declare a
"winner" between notsoserial and IO-487? I see them as attacking the same
problems from opposite sides where both angles are useful. Should you have
a lock or an alarm in your house?

The third question is not for me to decide.

My take is that if a donation to Apache Commons can make people be more
aware that this solution exists and that is a benefit for Commons and the
community at large, then I'm not opposed to a donation.

For my own personal interests, keeping it a Github project is probably
simpler as Torsten mentions. However, I'm sure a lot of organisations would
feel more comfortable using a solution vetted by a community such as
Apache.

Eirik.


On Thu, Nov 19, 2015 at 3:47 PM, Bertrand Delacretaz <[hidden email]
> wrote:

> On Thu, Nov 19, 2015 at 9:40 AM, Jochen Wiedmann
> <[hidden email]> wrote:
> > ...but the solution from IO-487 looks to me to be much
> > easier to use, in particular, because it shifts the burden on the
> > container, or application vendor (where it belongs, IMO), and not on
> > the end user running the container, or application....
>
> Absolutely, I think both solutions are useful.
>
> IO-487 is the clean solution when you can modify your source code and
> specify what you want to deserialize or not.
>
> Eirik's notsoserial agent is a useful (and clever) fix for code that
> you can't modify, or as a first step until you can modify and release
> your code.
>
> -Bertrand
>

Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Bertrand Delacretaz
Hi Eirik,

On Fri, Nov 20, 2015 at 7:52 AM, Eirik Bjørsnøs <[hidden email]> wrote:
> ...Do we need to declare a "winner" between notsoserial and IO-487..

I don't think so, definitely not - both are useful tools for different
use cases.

> ...My take is that if a donation to Apache Commons can make people be more
> aware that this solution exists and that is a benefit for Commons and the
> community at large, then I'm not opposed to a donation...

Ok, that was my intention in suggesting a donation. The term "I'm not
opposed" can mean different things in different cultures, I suppose
(or hope) it has a positive meaning in yours ;-)

> ...For my own personal interests, keeping it a Github project is probably
> simpler as Torsten mentions. ..

Yes it makes decisions easier and quicker, OTOH if you look at
https://issues.apache.org/jira/browse/IO-487 I find it quite
impressive how the code has evolved from the original idea based on
the collective feedback and code ideas provided by others. In general,
community work means much better things in the end even though it
might take longer to get there (ok, I'm a bit biased given my
involvement in the ASF in the last few years).

-Bertrand


Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Phil Steitz
On 11/20/15 7:33 AM, Bertrand Delacretaz wrote:

> Hi Eirik,
>
> On Fri, Nov 20, 2015 at 7:52 AM, Eirik Bjørsnøs <[hidden email]> wrote:
>> ...Do we need to declare a "winner" between notsoserial and IO-487..
> I don't think so, definitely not - both are useful tools for different
> use cases.
>
>> ...My take is that if a donation to Apache Commons can make people be more
>> aware that this solution exists and that is a benefit for Commons and the
>> community at large, then I'm not opposed to a donation...
> Ok, that was my intention in suggesting a donation. The term "I'm not
> opposed" can mean different things in different cultures, I suppose
> (or hope) it has a positive meaning in yours ;-)
>
>> ...For my own personal interests, keeping it a Github project is probably
>> simpler as Torsten mentions. ..
> Yes it makes decisions easier and quicker, OTOH if you look at
> https://issues.apache.org/jira/browse/IO-487 I find it quite
> impressive how the code has evolved from the original idea based on
> the collective feedback and code ideas provided by others. In general,
> community work means much better things in the end even though it
> might take longer to get there (ok, I'm a bit biased given my
> involvement in the ASF in the last few years).

Right.  So the real question is: is anyone interested in working on
this code?

Phil
>
> -Bertrand

Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Bertrand Delacretaz
On Fri, Nov 20, 2015 at 12:50 PM, Phil Steitz <[hidden email]> wrote:
> ...So the real question is: is anyone interested in working on
> this code?...

Good question indeed - I'll very probably use it so yes I would
contribute to its maintenance.

-Bertrand


Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Uwe Barthel
In reply to this post by Phil Steitz
Hi,

I'm not a committer but interested and looking forward to working on/with both
solutions.

-- Uwe


On November 20, 2015 6:50:53 PM Phil Steitz <[hidden email]> wrote:

> On 11/20/15 7:33 AM, Bertrand Delacretaz wrote:
>> Hi Eirik,
>>
>> On Fri, Nov 20, 2015 at 7:52 AM, Eirik Bjørsnøs <[hidden email]> wrote:
>>> ...Do we need to declare a "winner" between notsoserial and IO-487..
>> I don't think so, definitely not - both are useful tools for different
>> use cases.
>>
>>> ...My take is that if a donation to Apache Commons can make people be more
>>> aware that this solution exists and that is a benefit for Commons and the
>>> community at large, then I'm not opposed to a donation...
>> Ok, that was my intention in suggesting a donation. The term "I'm not
>> opposed" can mean different things in different cultures, I suppose
>> (or hope) it has a positive meaning in yours ;-)
>>
>>> ...For my own personal interests, keeping it a Github project is probably
>>> simpler as Torsten mentions. ..
>> Yes it makes decisions easier and quicker, OTOH if you look at
>> https://issues.apache.org/jira/browse/IO-487 I find it quite
>> impressive how the code has evolved from the original idea based on
>> the collective feedback and code ideas provided by others. In general,
>> community work means much better things in the end even though it
>> might take longer to get there (ok, I'm a bit biased given my
>> involvement in the ASF in the last few years).
>
> Right.  So the real question is: is anyone interested in working on
> this code?
>
> Phil
>>
>> -Bertrand

Re: Eirik Bjørsnøs' notsoserial deserialization protection agent, for Commons?

Torsten Curdt-3
In reply to this post by Eirik Bjørsnøs
> 1) Is notsoserial a "great solution" or a "useful solution" in mitigating
> the problem of promiscuous deserialization?

Useful? Certainly.

> 2) Is it a "better" solution than IO-487?

Not sure - but does that really matter? It has a broader scope.

> 3) Is it in the interest of Commons and the community at large to accept a
> donation of this code and include it under its umbrella?

I bet we would be fine to accept it.

While this community is great, it does not mean you couldn't also build a
micro community around it on github.
I think it really depends if you are willing to take the extra step towards
the ASF.

cheers,
Torsten