From b2899a912dd64bc7bc50b70525fabf7daaf62861 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Thu, 30 May 2024 17:30:35 +0000
Subject: [PATCH] Introduced protections against deserialization attacks
---
pom.xml | 10 ++++++++++
.../deserialization/InsecureDeserializationTask.java | 2 ++
.../lessons/deserialization/SerializationHelper.java | 2 ++
3 files changed, 14 insertions(+)
diff --git a/pom.xml b/pom.xml
index ace58b581..e47138ad9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,6 +147,7 @@
1.5.2
1.0.2
+ 1.1.3
@@ -254,6 +255,11 @@
java-security-toolkit-xstream
${versions.java-security-toolkit-xstream}
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
@@ -403,6 +409,10 @@
io.github.pixee
java-security-toolkit-xstream
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
index d44823fdc..0d120b8f4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
@@ -22,6 +22,7 @@
package org.owasp.webgoat.lessons.deserialization;
+import io.github.pixee.security.ObjectInputFilters;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidClassException;
@@ -56,6 +57,7 @@ public AttackResult completed(@RequestParam String token) throws IOException {
try (ObjectInputStream ois =
new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
+ ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
before = System.currentTimeMillis();
Object o = ois.readObject();
if (!(o instanceof VulnerableTaskHolder)) {
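Review bot: The filter installed before `ois.readObject()` hardens a stream that this lesson deliberately leaves exploitable — the class is `InsecureDeserializationTask`, and the line after the insert requires the payload to deserialize to `VulnerableTaskHolder`, so if the toolkit's filter affects what that class's deserialization does, the lesson's own solution check may stop passing and should be re-run after this change. If hardening is the intent here, a per-stream allowlist is stronger than a generic filter, because this call site knows the only acceptable top-level type: `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("org.owasp.webgoat.lessons.deserialization.VulnerableTaskHolder;java.base/*;!*"));` (needs `import java.io.ObjectInputFilter;`, and the pattern must also cover any types the holder's fields carry). The same consideration applies to the `fromString` hunk in SerializationHelper.java. The `completed` method starts before this hunk and continues past it.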
diff --git a/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java
index a8b55ab40..3f7962581 100644
--- a/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java
@@ -1,5 +1,6 @@
package org.owasp.webgoat.lessons.deserialization;
+import io.github.pixee.security.ObjectInputFilters;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
@@ -16,6 +17,7 @@ public class SerializationHelper {
public static Object fromString(String s) throws IOException, ClassNotFoundException {
byte[] data = Base64.getDecoder().decode(s);
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
+ ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
Object o = ois.readObject();
ois.close();
return o;
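Review bot: `ois` is still closed only on the success path: with the filter installed, `ois.readObject()` throws `InvalidClassException` for any class the filter rejects, and on that path the explicit `ois.close()` is skipped. Wrapping the stream in try-with-resources closes it on every path and lets the method return the read object directly. Since `fromString` is a shared helper whose callers are not visible here, its Javadoc should also state that it now rejects some serialized classes and can throw `InvalidClassException`. The method's closing brace lies past the end of this hunk.
```java
public static Object fromString(String s) throws IOException, ClassNotFoundException {
  byte[] data = Base64.getDecoder().decode(s);
  try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
    ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
    return ois.readObject();
  }
```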