From f86b8271cb8f20c23560fbec3e4aa86aacad7b7e Mon Sep 17 00:00:00 2001 From: Shawn Date: Fri, 14 Jul 2023 19:57:33 +0800 Subject: [PATCH] [Docs] Update security doc (#642) * update security doc * update security doc --- README.md | 7 ++++--- docs/user_guide.md | 6 ++++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 5370021f51..8ab0e82d68 100644 --- a/README.md +++ b/README.md @@ -342,13 +342,14 @@ We are still improving our protocols, binary compatibility are not ensured betwe Binary compatibility will be ensured before fury 1.0. ## Security -Static serialization such as row format are secure by nature. But dynamic object graph serialization supports deserialize unregistered types, which can introduce security risks. +Static serialization such as row format are secure by nature. But native java/python dynamic object graph serialization +supports deserialize unregistered types, which can introduce security risks. For example, the deserialization may invoke `init` constructor or `equals`/`hashCode` method, if the method body contains malicious code, the system will be at risks. -Fury provides a secure mode option and enabled by default for this protocol, which allows deserializing trusted registered types or built-in types only for security. +Fury provides a secure mode option and enabled by default for this protocol, which allows deserializing trusted registered types or built-in types only. -If your environment is **indeed secure**, you can disable the secure mode, then the user types are not needed be registered ahead, and can be serialized automatically. +You can take this option as a whitelist mechanism. **Do not disable it unless you can ensure your environment is indeed secure**. ## RoadMap - Meta compression, auto meta sharing and cross-language schema compatibility. diff --git a/docs/user_guide.md b/docs/user_guide.md index be4add7d23..7f9aa5bfb6 100644 --- a/docs/user_guide.md +++ b/docs/user_guide.md 
@@ -553,8 +553,10 @@ byte[] bytes = fury.serialize(object); System.out.println(fury.deserialize(bytes)); ``` -### Class Registration -`FuryBuilder#requireClassRegistration`/`FuryBuilder#withSecureMode` can be used to disable class registration, this will allow to deserialize objects unknown types, more flexible but less secure. Do not disable class registration until you know what you are doing. +### Security & Class Registration +`FuryBuilder#requireClassRegistration`/`FuryBuilder#withSecureMode` can be used to disable class registration, this will allow to deserialize objects unknown types, more flexible but **less secure**. + +**Do not disable class registration unless you can ensure your environment is indeed secure**. Malicious code in `init/equals/hashCode` can be executed when deserializing unknown/untrusted types when this option disabled. Class registration can not only reduce security risks, but also avoid classname serialization cost.
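Review bot: In the README.md hunk (the `## Security` section), the new warning "Do not disable it unless you can ensure your environment is indeed secure" leaves "indeed secure" undefined, so a reader cannot tell whether their deployment qualifies. The unchanged context line above it places the risk in `init`/`equals`/`hashCode` bodies that run during deserialization, so the condition would be clearer if stated in terms of the data: disable the option only when every payload passed to deserialization comes from a trusted producer. The README also refers to "this option" without naming it, while docs/user_guide.md names `FuryBuilder#requireClassRegistration`/`FuryBuilder#withSecureMode`. Suggest naming the builder option here or linking to that section of the user guide.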
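Review bot: In the docs/user_guide.md hunk (`### Security & Class Registration`), the added sentence ends "when this option disabled", and "this option" has no clear referent. The paragraph names two builder methods and describes them only as a way to disable class registration, so it is not clear which call and which argument value give the secure setting. Suggest stating the secure configuration explicitly for one method, saying how the two methods relate, and fixing the grammar to "when this option is disabled". The README.md hunk says secure mode is enabled by default, and this section should say the same so readers know the warning applies only after an explicit opt-out. The section would also benefit from showing how to register a type, since that is the path the warning steers readers toward.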