Draft: fix: resolve deserialization vulnerability

Relates to issue https://gitlab.com/gitlab-da/tutorials/security-and-governance/WebGoat/-/issues/1

Changes

This merge request fixes the deserialization vulnerability (CWE-502) in the WebGoat project by implementing secure deserialization with class whitelisting:

1. Created SafeObjectInputStream.java

  • New secure class extending ObjectInputStream with whitelisting mechanism
  • Overrides resolveClass() to validate all deserialized classes
  • Whitelists only safe classes: VulnerableTaskHolder, LocalDateTime, String, and java.time.Ser
  • Throws ClassNotFoundException for unauthorized deserialization attempts
  • Includes proper SPDX license header matching project standards

2. Updated InsecureDeserializationTask.java

  • Replaced ObjectInputStream with SafeObjectInputStream for secure token deserialization
  • Added required import for SafeObjectInputStream

3. Updated SerializationHelper.java

  • Replaced ObjectInputStream with SafeObjectInputStream in fromString() method
  • Added required import for SafeObjectInputStream
  • Ensures all deserialization operations use the secure implementation

Security Improvements:

  • Mitigates CWE-502 (Deserialization of Untrusted Data)
  • Prevents malicious payload execution through class whitelisting
  • Maintains legitimate lesson functionality with whitelisted classes
  • Provides clear error messages for debugging unauthorized attempts
  • Follows OWASP secure coding guidelines
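
As an added illustration of the resolveClass() allow-listing this MR describes (example code, not WebGoat's SafeObjectInputStream), the class below rejects any descriptor that is not on an explicit list before the object is instantiated, and also closes the dynamic-proxy path that resolveClass() does not see. The class name, the contents of the allow-list and the sample payloads are assumptions chosen for the demonstration; the unsafe reader is shown beside it for contrast.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Set;

/** Added example (not WebGoat's own class): an ObjectInputStream restricted to an allow-list. */
public class AllowListObjectInputStream extends ObjectInputStream {

    // Hypothetical allow-list for this example. Every class descriptor that appears in the
    // stream must be listed, including serializable superclasses and non-primitive field types
    // of the root object, or deserialization of a legitimate payload fails.
    static final Set<String> ALLOWED = Set.of(
        "java.lang.String",
        "java.time.LocalDateTime",
        "java.time.Ser"   // serialization proxy that java.time types write in place of themselves
    );

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Invoked for each class descriptor before an instance exists, so a rejected class never
    // has its readObject()/readResolve() run. InvalidClassException is used here instead of
    // the ClassNotFoundException the MR text mentions; either stops the read.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Dynamic proxies go through resolveProxyClass(), not resolveClass(), and are a common
    // ingredient of gadget chains. The lesson payload needs none, so reject them outright.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        throw new InvalidClassException("java.lang.reflect.Proxy", "proxy classes are not allowed");
    }

    // --- helpers for the demonstration in main() ---

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The "before" form: a plain ObjectInputStream instantiates whatever the stream names.
    static Object deserializeUnsafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // The hardened form: same call, allow-listing stream.
    static Object deserializeSafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowed payloads: a String and a LocalDateTime (the stream carries java.time.Ser).
        System.out.println(deserializeSafe(serialize("token")));
        System.out.println(deserializeSafe(serialize(LocalDateTime.of(2024, 1, 1, 12, 0))));

        // A class outside the list, here a plain ArrayList standing in for a gadget class:
        // the unsafe reader accepts it, the allow-listing reader refuses it.
        byte[] unlisted = serialize(new ArrayList<String>());
        System.out.println("unsafe reader returned: " + deserializeUnsafe(unlisted).getClass());
        try {
            deserializeSafe(unlisted);
        } catch (InvalidClassException e) {
            System.out.println("safe reader rejected: " + e.getMessage());
        }
    }
}
```

Two points worth checking before adopting this pattern in a project: the allow-list must cover every descriptor the legitimate payload contains (strings are written as TC_STRING and never reach resolveClass(), but a holder class's own name, its serializable superclasses and any non-primitive field types do), and on Java 9 and later the same policy can be attached without subclassing through ObjectInputStream.setObjectInputFilter() with a pattern from ObjectInputFilter.Config.createFilter(), which additionally lets you cap graph depth and array sizes.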