I noticed that ClassLoaderObjectInputStream overrides ObjectInputStream.resolveClass() in the following file:
src/Platform_Core/org/lobobrowser/store/ClassLoaderObjectInputStream.java
The implementation resolves classes using Class.forName(...) with a custom ClassLoader, without additional validation or restrictions.
I was wondering whether this stream is ever used on data that could be influenced by untrusted sources (for example cached content, downloaded data, or extensions).
If so, would the project be open to adding some defensive safeguards (such as restricting which classes can be deserialized), or clarifying the intended usage and trust assumptions in the documentation?
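As an added illustration of the safeguard the issue proposes (this is hypothetical example code, not a class from the Lobo project), the stream below keeps the custom-ClassLoader resolution the issue describes but only admits classes on an explicit allow-list, with an ObjectInputFilter (Java 9+) as a second layer; it uses `var`, so it needs Java 10 or later.

```java
import java.io.*;
import java.util.Set;
// Hypothetical hardened variant (not the project's class): custom-loader resolution gated by an allow-list.
public final class RestrictedClassLoaderObjectInputStream extends ObjectInputStream {
    private final ClassLoader loader;
    private final Set<String> allowed;
    public RestrictedClassLoaderObjectInputStream(InputStream in, ClassLoader loader, Set<String> allowed) throws IOException {
        super(in);
        this.loader = loader;
        this.allowed = allowed;
        // Second layer (Java 9+): the filter runs before resolveClass() and also bounds
        // graph depth and array sizes, limiting resource-exhaustion payloads.
        setObjectInputFilter(info -> {
            if (info.depth() > 10 || info.arrayLength() > 10_000) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // not a class check (e.g. depth only)
            return allowed.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        });
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
        // Only allow-listed names reach the custom loader; initialize=false avoids running static initializers.
        return Class.forName(name, false, loader);
    }
    // Constructed demo: the same bytes round-trip when the class is allowed and are rejected when it is not.
    public static void main(String[] args) throws Exception {
        var bos = new ByteArrayOutputStream();
        try (var oos = new ObjectOutputStream(bos)) { oos.writeObject(new java.util.Date(0)); }
        ClassLoader cl = RestrictedClassLoaderObjectInputStream.class.getClassLoader();
        try (var in = new RestrictedClassLoaderObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()), cl, Set.of("java.util.Date"))) {
            System.out.println("allowed: " + in.readObject());
        }
        try (var in = new RestrictedClassLoaderObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()), cl, Set.of())) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```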