Regex
Regex to match a set of functions and classes that are potential deserialization sinks in Java source, i.e. places where untrusted input may be turned into objects. It is a code-review triage aid: every hit still has to be checked by hand for whether the data reaching it is attacker-controlled.
(.*readObject\(.*|java.beans.XMLDecoder|com.thoughtworks.xstream.XStream|.*\.fromXML\(.*\)|com.esotericsoftware.kryo.io.Input|.readClassAndObject\(.*|.readObjectOrNull\(.*|com.caucho.hessian.io|com.caucho.burlap.io.BurlapInput|com.caucho.burlap.io.BurlapOutput|org.codehaus.castor|Unmarshaller|jsonToJava\(.*|JsonObjectsToJava\/.*|JsonReader|ObjectMapper\(|enableDefaultTyping\(\s*\)|@JsonTypeInfo\(|readValue\(.*\,\s*Object\.class|com.alibaba.fastjson.JSON|JSON.parseObject|com.owlike.genson.Genson|useRuntimeType|genson.deserialize|org.red5.io|deserialize\(.*\,\s*Object\.class|\.Yaml|\.load\(.*|\.loadType\(.*\,\s*Object\.class|YamlReader|com.esotericsoftware.yamlbeans)
List
.*readObject\(.*
java.beans.XMLDecoder
com.thoughtworks.xstream.XStream
.*\.fromXML\(.*\)
com.esotericsoftware.kryo.io.Input
.readClassAndObject\(.*
.readObjectOrNull\(.*
com.caucho.hessian.io
com.caucho.burlap.io.BurlapInput
com.caucho.burlap.io.BurlapOutput
org.codehaus.castor
Unmarshaller
jsonToJava\(.*
JsonObjectsToJava\/.*
JsonReader
ObjectMapper\(
enableDefaultTyping\(\s*\)
@JsonTypeInfo\(
readValue\(.*\,\s*Object\.class
com.alibaba.fastjson.JSON
JSON.parseObject
com.owlike.genson.Genson
useRuntimeType
genson.deserialize
org.red5.io
deserialize\(.*\,\s*Object\.class
\.Yaml
\.load\(.*
\.loadType\(.*\,\s*Object\.class
YamlReader
com.esotericsoftware.yamlbeans
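As an added example (not part of the original page), the following Python script runs the list above, one compiled pattern per alternative, over a constructed Java snippet and reports which sink pattern fired on which line. Splitting the alternation up is what lets the report name the pattern; matching the single combined regex from the "Regex" section against each line gives the same set of lines. The sample Java class is constructed for this example and does not come from any real project.

```python
import re

# The page's own sink list, copied verbatim. Some alternatives are deliberately
# broad (e.g. "\.load\(.*" or "Unmarshaller") and will also match unrelated
# code, so every hit is a lead for manual review, not a confirmed finding.
SINK_PATTERNS = [
    r".*readObject\(.*",
    r"java.beans.XMLDecoder",
    r"com.thoughtworks.xstream.XStream",
    r".*\.fromXML\(.*\)",
    r"com.esotericsoftware.kryo.io.Input",
    r".readClassAndObject\(.*",
    r".readObjectOrNull\(.*",
    r"com.caucho.hessian.io",
    r"com.caucho.burlap.io.BurlapInput",
    r"com.caucho.burlap.io.BurlapOutput",
    r"org.codehaus.castor",
    r"Unmarshaller",
    r"jsonToJava\(.*",
    r"JsonObjectsToJava\/.*",
    r"JsonReader",
    r"ObjectMapper\(",
    r"enableDefaultTyping\(\s*\)",
    r"@JsonTypeInfo\(",
    r"readValue\(.*\,\s*Object\.class",
    r"com.alibaba.fastjson.JSON",
    r"JSON.parseObject",
    r"com.owlike.genson.Genson",
    r"useRuntimeType",
    r"genson.deserialize",
    r"org.red5.io",
    r"deserialize\(.*\,\s*Object\.class",
    r"\.Yaml",
    r"\.load\(.*",
    r"\.loadType\(.*\,\s*Object\.class",
    r"YamlReader",
    r"com.esotericsoftware.yamlbeans",
]

# Compile once; keep the source text of each pattern so a hit can name it.
COMPILED = [(pat, re.compile(pat)) for pat in SINK_PATTERNS]


def scan_source(source: str):
    """Return a list of (lineno, stripped_line, pattern) for every source line
    that matches at least one sink pattern. Only the first matching pattern is
    reported per line, mirroring the behaviour of the combined alternation."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pat, rx in COMPILED:
            if rx.search(line):
                hits.append((lineno, line.strip(), pat))
                break
    return hits


# Constructed Java sample for this example; it is not taken from any project.
SAMPLE_JAVA = """\
import java.io.ObjectInputStream;
import com.thoughtworks.xstream.XStream;

public class Handler {
    Object handle(InputStream in, String json) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(in);
        Object o = ois.readObject();
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        Object v = mapper.readValue(json, Object.class);
        String name = request.getParameter("name");
        return o;
    }
}
"""

if __name__ == "__main__":
    for lineno, line, pat in scan_source(SAMPLE_JAVA):
        print(f"line {lineno:>3}  [{pat}]  {line}")
```

Run against the sample, the scanner flags the XStream import, the `readObject()` call, the `ObjectMapper` construction, `enableDefaultTyping()` and the `readValue(..., Object.class)` call, while the unrelated `getParameter` line is left alone. In a real review the same function would be fed each `.java` file in the tree, and the reported pattern tells the reviewer which library's hardening advice applies to that line.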