Files
narya/core
fourbites c4ab0d13de Harden deserialization against malicious client input
Add three defenses to the Streamable deserialization system to prevent
exploitation by hacked clients:

- Class whitelist: ObjectInputStream.setAllowedClassPrefixes() validates
  class names before Class.forName(), blocking arbitrary class loading
  from crafted wire data. Callers configure at startup; unconfigured
  streams retain existing behavior for backward compatibility.

- Container size caps: BasicStreamers.validateSize() rejects arrays,
  collections, and maps with negative or >65536 element counts. Prevents
  OOM from a small frame declaring a massive allocation. Applied to all
  12 array/collection read paths and Streamer.ArrayStreamer.

- Recursion depth limit: ObjectInputStream.readObject() tracks nesting
  depth and throws at 32 levels, preventing stack overflow from
  maliciously nested structures (e.g., list-of-list-of-list).
2026-03-20 14:42:10 +01:00
..