All JSON sent to the deserializer currently instantiates the class name it finds in the class property. This is a big security hole when used to deserialize browser requests, since it gives the user the ability to instantiate any object on the server. There should be an option to obfuscate the class name when serializing objects. The way this can work is to generate an md5 hash as the name of the class and maintain a global mapping to dereference the actual class. At the very least, createBinder or findClassInMap should be customizable by the user so such mechanisms can be added. One other use I can think of is the support for views. The class name can encode a view, which can be used to find a target class, and also the include/exclude properties etc. for that particular view, which can come from a properties file.
For the most part this can already be done today by registering a Transformer on the *.class path. Then all properties called class will be routed to that Transformer, and it could choose to obfuscate those properties. The exact same technique could be applied using an ObjectFactory on the other end. Out of the box, yes, it serializes the class name, but this is completely customizable. An obfuscation mechanism could be included as a Transformer out of the box, but the ability for other people to do this today exists.
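The technique described in the reply, written out as an added example that is not part of this thread or of the Flexjson project's own code: a Transformer registered on the *.class path replaces the real class name with an opaque token on the way out, and an ObjectFactory on the way in resolves that token against a fixed allowlist instead of calling Class.forName. The Person and Address classes, the token values, and the rejected class name in the constructed hostile input are hypothetical; the Flexjson API calls (JSONSerializer.transform, AbstractTransformer.getContext().writeQuoted, JSONDeserializer.use, ObjectFactory.instantiate, ObjectBinder.bindIntoObject) are written from memory of the 2.x API and should be checked against the version in use.

```java
import java.lang.reflect.Type;
import java.util.HashMap;
import java.util.Map;

import flexjson.JSONDeserializer;
import flexjson.JSONException;
import flexjson.JSONSerializer;
import flexjson.ObjectBinder;
import flexjson.ObjectFactory;
import flexjson.transformer.AbstractTransformer;

public class ClassTokenExample {

    // Allowlist of classes that may travel over the wire, keyed by an opaque token.
    // The token hides the real class name; the allowlist is what actually stops a
    // client from naming an arbitrary server-side class. (Hypothetical registry.)
    private static final Map<String, Class<?>> CLASS_BY_TOKEN = new HashMap<>();
    private static final Map<String, String> TOKEN_BY_CLASS = new HashMap<>();

    static {
        register("t1", Person.class);
        register("t2", Address.class);
    }

    private static void register(String token, Class<?> type) {
        CLASS_BY_TOKEN.put(token, type);
        TOKEN_BY_CLASS.put(type.getName(), token);
    }

    /** Serializing side: rewrites every "class" property to its token. */
    public static class ClassTokenTransformer extends AbstractTransformer {
        @Override
        public void transform(Object value) {
            // Flexjson hands over the Class object exposed by the getClass() bean property.
            String name = value instanceof Class ? ((Class<?>) value).getName() : String.valueOf(value);
            String token = TOKEN_BY_CLASS.get(name);
            if (token == null) {
                throw new JSONException("class not registered for serialization: " + name);
            }
            getContext().writeQuoted(token);
        }
    }

    /** Deserializing side: resolves the token against the allowlist, never Class.forName. */
    public static class ClassTokenFactory implements ObjectFactory {
        @Override
        public Object instantiate(ObjectBinder context, Object value, Type targetType, Class targetClass) {
            if (!(value instanceof Map)) {
                throw new JSONException("expected a JSON object at " + context.getCurrentPath());
            }
            Map<?, ?> json = (Map<?, ?>) value;
            Object token = json.get("class");
            Class<?> resolved = token == null ? null : CLASS_BY_TOKEN.get(token.toString());
            if (resolved == null) {
                throw new JSONException("refusing unknown class token " + token + " at " + context.getCurrentPath());
            }
            // A registered class must still fit the declared field type it is bound into.
            if (targetClass != null && !targetClass.isAssignableFrom(resolved)) {
                throw new JSONException(resolved.getName() + " is not a " + targetClass.getName());
            }
            try {
                Object target = resolved.getDeclaredConstructor().newInstance();
                return context.bindIntoObject(json, target, resolved);
            } catch (ReflectiveOperationException e) {
                throw new JSONException("cannot instantiate " + resolved.getName(), e);
            }
        }
    }

    /** Hypothetical domain types used by the example. */
    public static class Address {
        private String city;
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }

    public static class Person {
        private String name;
        private Address address;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Address getAddress() { return address; }
        public void setAddress(Address address) { this.address = address; }
    }

    public static String serialize(Person p) {
        return new JSONSerializer().transform(new ClassTokenTransformer(), "*.class").deepSerialize(p);
    }

    public static Person deserialize(String json) {
        ClassTokenFactory factory = new ClassTokenFactory();
        return new JSONDeserializer<Person>()
                .use(null, factory)       // root object
                .use("address", factory)  // nested object
                .deserialize(json);
    }

    public static void main(String[] args) {
        Person p = new Person();
        p.setName("Ada");
        Address a = new Address();
        a.setCity("London");
        p.setAddress(a);

        String json = serialize(p);           // "class" values on the wire are now "t1" / "t2"
        System.out.println(json);
        System.out.println(deserialize(json).getAddress().getCity());

        // Constructed hostile input: a client naming a real server-side class is refused.
        String hostile = "{\"class\":\"com.example.internal.AdminAction\",\"name\":\"x\"}";
        try {
            deserialize(hostile);
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The hash the reporter suggests would only hide the name; what closes the hole is that the factory never hands client-supplied text to Class.forName and refuses anything outside the registry, so a JSON document naming an unregistered class fails closed. The assignability check matters as well: without it a client could still swap one registered type for another wherever a field is declared with a broader type.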