Regex

Regex to match a set of functions/classes potentially vulnerable to deserialization.

(.*readObject\(.*|java.beans.XMLDecoder|com.thoughtworks.xstream.XStream|.*\.fromXML\(.*\)|com.esotericsoftware.kryo.io.Input|.readClassAndObject\(.*|.readObjectOrNull\(.*|com.caucho.hessian.io|com.caucho.burlap.io.BurlapInput|com.caucho.burlap.io.BurlapOutput|org.codehaus.castor|Unmarshaller|jsonToJava\(.*|JsonObjectsToJava\/.*|JsonReader|ObjectMapper\(|enableDefaultTyping\(\s*\)|@JsonTypeInfo\(|readValue\(.*\,\s*Object\.class|com.alibaba.fastjson.JSON|JSON.parseObject|com.owlike.genson.Genson|useRuntimeType|genson.deserialize|org.red5.io|deserialize\(.*\,\s*Object\.class|\.Yaml|\.load\(.*|\.loadType\(.*\,\s*Object\.class|YamlReader|com.esotericsoftware.yamlbeans)

List

• .*readObject\(.*

• java.beans.XMLDecoder

• com.thoughtworks.xstream.XStream

• .*\.fromXML\(.*\)

• com.esotericsoftware.kryo.io.Input

• .readClassAndObject\(.*

• .readObjectOrNull\(.*

• com.caucho.hessian.io

• com.caucho.burlap.io.BurlapInput

• com.caucho.burlap.io.BurlapOutput

• org.codehaus.castor

• Unmarshaller

• jsonToJava\(.*

• JsonObjectsToJava\/.*

• JsonReader

• ObjectMapper\(

• enableDefaultTyping\(\s*\)

• @JsonTypeInfo\(

• readValue\(.*\,\s*Object\.class

• com.alibaba.fastjson.JSON

• JSON.parseObject

• com.owlike.genson.Genson

• useRuntimeType

• genson.deserialize

• org.red5.io

• deserialize\(.*\,\s*Object\.class

• \.Yaml

• \.load\(.*

• \.loadType\(.*\,\s*Object\.class

• YamlReader

• com.esotericsoftware.yamlbeans