From 8862e1ac51f3ed88655a12d0f2f38be3e8e4dc20 Mon Sep 17 00:00:00 2001
From: Sander Hautvast
Date: Mon, 5 Feb 2024 14:31:50 +0100
Subject: [PATCH] Update sectraining.md
---
 sectraining.md | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/sectraining.md b/sectraining.md
index 0ec6d04..0d723c0 100644
--- a/sectraining.md
+++ b/sectraining.md
@@ -415,3 +415,46 @@ Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
 // Must cast return Object to whatever type you are unmarshalling
 marshaller.unmarshal(new StreamSource(new StringReader(some_string_containing_XML));
 ```
+
+### Unsafe Deserialization
+
+#### prevention
+
+```java
+ObjectInputStream objectInputStream = new ObjectInputStream(buffer);
+stream.setObjectInputFilter(MyFilter::myFilter);
+```
+
+together with
+
+```java
+public class MyFilter {
+ static ObjectInputFilter.Status myFilter(ObjectInputFilter.FilterInfo info) {
+ Class serialClass = info.serialClass();
+ if (serialClass != null) {
+ return serialClass.getName().equals(MyClass.class.getName())
+ ? ObjectInputFilter.Status.ALLOWED
+ : ObjectInputFilter.Status.REJECTED;
+ }
+ return ObjectInputFilter.Status.UNDECIDED;
+ }
+}
+```
+
+OR
+
+```java
+public class MyFilteringInputStream extends ObjectInputStream {
+ public MyFilteringInputStream(InputStream inputStream) throws IOException {
+ super(inputStream);
+ }
+
+ @Override
+ protected Class resolveClass(ObjectStreamClass objectStreamClass) throws IOException, ClassNotFoundException {
+ if (!objectStreamClass.getName().equals(MyClass.class.getName())) {
+ throw new InvalidClassException("Forbidden class", objectStreamClass.getName());
+ }
+ return super.resolveClass(objectStreamClass);
+ }
+}
+```
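Review bot: The first snippet calls `stream.setObjectInputFilter(...)` on a variable that is never declared — the stream is named `objectInputStream` on the line before — so the example does not compile as written; it should be `objectInputStream.setObjectInputFilter(MyFilter::myFilter);`, and the text should add that the filter has to be installed before the first `readObject`, because `setObjectInputFilter` throws `IllegalStateException` once reading has started. Both filters admit only `MyClass` itself, so the descriptor of any other reference type in its graph (a serializable superclass, an array, a boxed number held in a field) is rejected with `InvalidClassException` and the read fails; a sentence above the snippets should say that the allowlist must cover every class in the object graph, not just the root. The `resolveClass` variant only guards non-proxy descriptors — `MyFilteringInputStream` leaves `resolveProxyClass` at the default, so it should be overridden too (rejecting unconditionally is the simplest). Since both examples are per-stream filters, the prose could also point readers to the process-wide default set via `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property (JEP 290), which also covers `ObjectInputStream` instances created inside libraries that the application never touches.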