What are the security risks in the serialization of a lambda expression?


Question


Just going over Streams and Java 8 Lambda functionality, and the last comment on the otherwise self-explanatory Oracle doc Lambda Expressions states:


You can serialize a lambda expression if its target type and its captured arguments are serializable. However, like inner classes, the serialization of lambda expressions is strongly discouraged.


Checking up on this I found the SO question

How to serialize a lambda?


where the OP is dealing with serialized lambda expressions from client code.


If I had a webservice and one of the parameters was a lambda expression, it seems it could contain malicious code that could do such things as file system access, or causing a stack overflow - so it would be highly foolish to trust it.


Am I overexaggerating the security risk or are there limits to what a serialized expression can contain?

Answer


Let's put it this way: Java object serialization is (to a certain degree) a security nightmare anyway (see here for example).


In other words: serialization by itself is a topic where one needs to be really thoughtful in the first place. So it doesn't really matter if you talk about serialized lambdas, or any other kind of serialized objects.


So, for example, you want to make sure that you understand and support the corresponding rules, like those from CERT.
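As an added example (not part of the original question or answer): a serializable lambda is written to the stream as a `java.lang.invoke.SerializedLambda` that names its capturing class and implementation method rather than carrying bytecode, so the exposure is really what other classes an untrusted stream can make the JVM instantiate, exactly the general deserialization problem the answer points at. The code below shows the round trip and a look-ahead allowlist stream that refuses every class except the ones a lambda from this class legitimately needs; the names `LambdaSerializationDemo`, `greeter`, `AllowlistInputStream` and `readFiltered` are assumed for the example, and it requires Java 8 or later (Java 9+ also offers the built-in `ObjectInputFilter` for the same purpose).

```java
import java.io.*;
import java.util.Arrays;
import java.util.List;
import java.util.function.Function;

public class LambdaSerializationDemo {
    // The target type must be Serializable (hence the intersection cast), and so must
    // every captured value; here the only captured value is the String 'prefix'.
    static Function<String, String> greeter(String prefix) {
        return (Function<String, String> & Serializable) name -> prefix + name;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Look-ahead deserialization: resolveClass() sees every class descriptor before an
    // instance is created, so anything unexpected is refused before its hooks can run.
    static final class AllowlistInputStream extends ObjectInputStream {
        private static final List<String> ALLOWED = Arrays.asList(
                "java.lang.invoke.SerializedLambda",      // what a lambda really serializes to
                "[Ljava.lang.Object;",                    // its capturedArgs array
                LambdaSerializationDemo.class.getName()); // capturing class, owner of $deserializeLambda$

        AllowlistInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Function<String, String> f = (Function<String, String>) readFiltered(serialize(greeter("hello ")));
        System.out.println(f.apply("world"));
        try { // any other class in the stream, even a harmless HashMap, is rejected up front
            readFiltered(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist must also contain any class whose objects the lambda captures, since each of them reaches `resolveClass` as well; a lambda that captures `this` drags its whole enclosing object into the stream, which is one reason the Oracle documentation discourages serializing lambdas at all.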

