undefined | Better HN

0 pointsnneonneo2y ago0 comments

FWIW, class loading isn't necessary for log4j to be bad - unchecked Java deserialization is sufficient for pretty bad pwnage. So we really should add "no unchecked deserialization" to the list of things that a safe language should have.

Java's biggest mistake here, IMHO, was to have a serialization setup that was based solely on a generic interface rather than having the caller declare up front what class it expects to see. In the latter case, so long as you aren't storing naked Object/Serializable fields, type limits strongly restrict the set of naughty objects that can show up in your deserialized object graph. Rust Serde gets this right.

0 comments

1 comments · 1 top-level

pizlonator2y ago

What I mean by class loading being bad isn’t that it’s bad that you can load a new class, but that it’s possible to pass a string into an api and have that api vend you a class. That’s bad even if it’s a class that exists already and doesn’t need to be newly loaded.

I think unchecked serialization is bad because it leads to that “given a string you get an instance of the class named by it” problem.

j / k navigate · click thread line to collapse