Regex

Regex that matches Java functions and classes which deserialize data and are therefore candidate sinks for insecure deserialization. Treat a hit as a lead to review, not as a confirmed vulnerability: `readObject(` also matches ordinary custom `readObject` methods, and a Jackson `ObjectMapper(` is only dangerous when polymorphic typing (`enableDefaultTyping`, `@JsonTypeInfo`) lets attacker-controlled input choose the class to instantiate.

(.*readObject\(.*|java.beans.XMLDecoder|com.thoughtworks.xstream.XStream|.*\.fromXML\(.*\)|com.esotericsoftware.kryo.io.Input|.readClassAndObject\(.*|.readObjectOrNull\(.*|com.caucho.hessian.io|com.caucho.burlap.io.BurlapInput|com.caucho.burlap.io.BurlapOutput|org.codehaus.castor|Unmarshaller|jsonToJava\(.*|JsonObjectsToJava\/.*|JsonReader|ObjectMapper\(|enableDefaultTyping\(\s*\)|@JsonTypeInfo\(|readValue\(.*\,\s*Object\.class|com.alibaba.fastjson.JSON|JSON.parseObject|com.owlike.genson.Genson|useRuntimeType|genson.deserialize|org.red5.io|deserialize\(.*\,\s*Object\.class|\.Yaml|\.load\(.*|\.loadType\(.*\,\s*Object\.class|YamlReader|com.esotericsoftware.yamlbeans)

List

  • .*readObject\(.*

  • java.beans.XMLDecoder

  • com.thoughtworks.xstream.XStream

  • .*\.fromXML\(.*\)

  • com.esotericsoftware.kryo.io.Input

  • .readClassAndObject\(.*

  • .readObjectOrNull\(.*

  • com.caucho.hessian.io

  • com.caucho.burlap.io.BurlapInput

  • com.caucho.burlap.io.BurlapOutput

  • org.codehaus.castor

  • Unmarshaller

  • jsonToJava\(.*

  • JsonObjectsToJava\/.*

  • JsonReader

  • ObjectMapper\(

  • enableDefaultTyping\(\s*\)

  • @JsonTypeInfo\(

  • readValue\(.*\,\s*Object\.class

  • com.alibaba.fastjson.JSON

  • JSON.parseObject

  • com.owlike.genson.Genson

  • useRuntimeType

  • genson.deserialize

  • org.red5.io

  • deserialize\(.*\,\s*Object\.class

  • \.Yaml

  • \.load\(.*

  • \.loadType\(.*\,\s*Object\.class

  • YamlReader

  • com.esotericsoftware.yamlbeans
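A small scanner that applies the patterns above to Java source and reports which alternative fired on which line, as an added example (not part of the original page or of any project). The pattern list is the page's regex split into its alternatives so a hit can be attributed to a specific sink; the Java class it scans is a constructed sample, not real code.

```python
import re

# The alternatives of the page's regex, kept separate so each hit can be
# attributed to the sink pattern that produced it.
SINK_PATTERNS = [
    r".*readObject\(.*",
    r"java.beans.XMLDecoder",
    r"com.thoughtworks.xstream.XStream",
    r".*\.fromXML\(.*\)",
    r"com.esotericsoftware.kryo.io.Input",
    r".readClassAndObject\(.*",
    r".readObjectOrNull\(.*",
    r"com.caucho.hessian.io",
    r"com.caucho.burlap.io.BurlapInput",
    r"com.caucho.burlap.io.BurlapOutput",
    r"org.codehaus.castor",
    r"Unmarshaller",
    r"jsonToJava\(.*",
    r"JsonObjectsToJava\/.*",
    r"JsonReader",
    r"ObjectMapper\(",
    r"enableDefaultTyping\(\s*\)",
    r"@JsonTypeInfo\(",
    r"readValue\(.*\,\s*Object\.class",
    r"com.alibaba.fastjson.JSON",
    r"JSON.parseObject",
    r"com.owlike.genson.Genson",
    r"useRuntimeType",
    r"genson.deserialize",
    r"org.red5.io",
    r"deserialize\(.*\,\s*Object\.class",
    r"\.Yaml",
    r"\.load\(.*",
    r"\.loadType\(.*\,\s*Object\.class",
    r"YamlReader",
    r"com.esotericsoftware.yamlbeans",
]

# Each alternative compiled on its own, plus the combined form, which is
# equivalent to the page's single regex (what you would pass to grep -E).
COMPILED = [(p, re.compile(p)) for p in SINK_PATTERNS]
COMBINED = re.compile("|".join(SINK_PATTERNS))

# Constructed sample input: a Java class with several deserialization sinks
# and a few harmless lines. Not taken from any real project.
SAMPLE_JAVA = """\
import java.io.ObjectInputStream;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.yaml.snakeyaml.Yaml;

public class Handler {
    Object fromStream(InputStream in) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(in);
        return ois.readObject();
    }

    Object fromJson(String body) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper.readValue(body, Object.class);
    }

    Object fromYaml(String doc) {
        return new Yaml().load(doc);
    }

    String safe(String s) {
        return s.trim();
    }
}
"""


def scan_source(source):
    """Return (line_number, pattern, stripped_line) for every pattern that
    matches a line, ordered by line number."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, rx in COMPILED:
            if rx.search(line):
                hits.append((lineno, pattern, line.strip()))
    return hits


def flagged_lines(source):
    """Line numbers the combined regex flags (what `grep -nE` would report)."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if COMBINED.search(line)]


if __name__ == "__main__":
    for lineno, pattern, text in scan_source(SAMPLE_JAVA):
        print(f"{lineno:>3}  {pattern:<36} {text}")
```

On the sample the scanner flags the SnakeYAML import, `readObject()`, the `ObjectMapper` construction, `enableDefaultTyping()`, `readValue(..., Object.class)` and `Yaml.load(...)`, while the `ObjectInputStream` construction and `s.trim()` pass untouched. Note that the `ObjectMapper(` hit on its own is noise; the real finding in that method is the `enableDefaultTyping()` call two lines below it, which is why attributing hits to individual alternatives is more useful than a bare `grep -rnE` with the combined regex.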
