Just going over Streams and Java 8 Lambda functionality, and the last comment on the otherwise self-explanatory Oracle doc Lambda Expressions states:

You can serialize a lambda expression if its target type and its captured arguments are serializable. However, like inner classes, the serialization of lambda expressions is strongly discouraged.

Checking up on this I found the SO question

How to serialize a lambda?

where the OP is dealing with serialized lambda expressions from client code.

If I had a webservice and one of the parameters was a lambda expression, it seems it could contain malicious code that could do such things as file system access, or causing a stack overflow - so it would be highly foolish to trust it.

Am I overexaggerating the security risk or are there limits to what a serialized expression can contain?

Adam

  • See [this question](http://stackoverflow.com/questions/25443655/possibility-to-explicit-remove-serialization-support-for-a-lambda) for an example. As already pointed out in your cite, inner classes may open up a similar issue. I'm not quite sure how you transfer a lambda expression in the context of a webservice, though. – Holger Aug 22 '16 at 13:15
  • Just to make clear, serializing a lambda expression doesn't serialize the code inside the expression; only things like captured arguments. – Klitos Kyriacou Aug 22 '16 at 13:16

2 Answers

Let's put it this way: Java object serialization is (to a certain degree) a security nightmare anyway (see here for example).

In other words: serialization by itself is a topic where one needs to be really thoughtful in the first place. So it doesn't really matter if you talk about serialized lambdas, or any other kind of serialized objects.

So, for example you want to make sure that you understand and support the corresponding rules, like from CERT.

GhostCat

One of the recommendations in the Oracle Secure Coding Guidelines for Java SE is

Guideline 8-3 / SERIAL-3: View deserialization the same as object construction

Essentially, the same validation checks that would be applied to constructor arguments should also be applied to incoming deserialized data. This is possible to do for ordinary objects by providing a readObject method that performs the validation. However, it is NOT possible to provide a readObject method for serialized lambdas, thus it isn't possible to perform any validation of the serialized data for a lambda.

Serialized lambdas share all the security risks with serialization of ordinary objects, but in this respect serialized lambdas suffer from broader security risks than ordinary serializable objects.

Stuart Marks