Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the same class of weaknesses as the two CVEs (CVE-2022-22965, CVE-2010-1622)?

My understanding is as follows.

- Spring uses WebDataBinder [0]. -> CVEs: CVE-2022-22965 (Spring4Shell), CVE-2010-1622 -> CVE Fixes: First deny-list approach (2010), then partial allow-list approach (2022)

- Struts uses OGNL. -> CVEs: CVE-2017-5638 (Equifax breach), and others -> CVE Fixes: deny-list approach (-2017-)

If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some in another programming language?

[0] https://docs.spring.io/spring-framework/docs/current/javadoc... > Special DataBinder for data binding from web request parameters to JavaBean objects.




Also to understand the problem correctly, what is the class of weakness of the two CVEs (CVE-2022-22965, CVE-2010-1622)?

The following look like good candidates.

- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes <https://cwe.mitre.org/data/definitions/915.html> (Ruby on Rails Mass assignment bug)

- CWE-502: Deserialization of Untrusted Data <https://cwe.mitre.org/data/definitions/502.html>

- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') <https://cwe.mitre.org/data/definitions/470.html>

I think the one assigned (CWE-20) is not a good approach to dealing with the "class" of weaknesses.

- CWE-20: Improper Input Validation <https://cwe.mitre.org/data/definitions/20.html>

As long as you see this as a "CWE-20: Improper Input Validation" class problem, it seems like you try to fix it with a deny-list approach or a partial allow-list approach that will need additional fixing some time in the future.
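The deny-list versus allow-list distinction drawn above, as an added example that is not from the post and not the code of Spring, Struts or any other library: a naive binder that resolves dotted parameter paths by reflection (the dynamic-attribute pattern of CWE-915) beside a binder that only follows path segments declared in a per-type allow-list. The `User`/`Address`/`Runtime` object graph and the `ALLOWED` table are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed object graph: only name, address and address.city are meant to be bindable.
@dataclass
class Runtime:                  # stand-in for framework-internal state
    debug: bool = False

@dataclass
class Address:
    city: str = ""

@dataclass
class User:
    name: str = ""
    address: Address = field(default_factory=Address)
    runtime: Runtime = field(default_factory=Runtime)   # reachable, never bindable

def bind_by_property_path(target, params):
    """Naive binder: resolves 'a.b.c' by reflection, so anything reachable is writable (CWE-915)."""
    bound = []
    for path, value in params.items():
        *parents, leaf = path.split(".")
        obj = target
        for name in parents:
            obj = getattr(obj, name)            # no check on which objects are reachable
        if hasattr(obj, leaf):
            setattr(obj, leaf, value)
            bound.append(path)
    return bound

ALLOWED = {User: {"name", "address"}, Address: {"city"}}   # per-type allow-list

def bind_to_schema(target, params):
    """Allow-list binder: each path segment must be declared for the type it is applied to."""
    bound, rejected = [], []
    for path, value in params.items():
        *parents, leaf = path.split(".")
        obj = target
        for name in parents:
            if name not in ALLOWED.get(type(obj), ()):
                obj = None
                break
            obj = getattr(obj, name)
        if obj is None or leaf not in ALLOWED.get(type(obj), ()):
            rejected.append(path)
            continue
        setattr(obj, leaf, value)
        bound.append(path)
    return bound, rejected
```

The allow-list binder never has to enumerate what must be blocked: a parameter such as `runtime.debug` is rejected because `runtime` is not declared for `User`, regardless of what the live object graph contains.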



