RedisTemplate leads to unsafe deserialization in Fortify's dynamic code evaluation

When creating a Spring Data Redis template, I use:

RedisTemplate<String, xxxDTO> template = new RedisTemplate<>();

Then I also set the deserializer to a custom one that whitelists certain classes in case of unsafe deserialization.

Fortify somehow still highlights:

new RedisTemplate<>();

as unsafe deserialization under dynamic code evaluation, within the Input Validation and Representation kingdom.

How do I make a RedisTemplate without it being flagged?

user11261458 asked Dec 10 '25 16:12


1 Answer

I have faced the same issue and the Fortify scan report flagged this as 'Dynamic Code Evaluation: Unsafe Deserialization'. Adding the solution since I didn't get a proper solution on StackOverflow.

Initial Code

@Bean
public RedisTemplate redisTemplate() {
    RedisSerializer<String> stringSerializer = new StringRedisSerializer();

    // Raw/wildcard-typed template; this is the line Fortify flags.
    RedisTemplate<?, ?> template = new RedisTemplate<>();
    template.setConnectionFactory(jedisConnectionFactory()); // connection factory bean defined elsewhere in this config
    template.setKeySerializer(stringSerializer);
    template.setValueSerializer(stringSerializer);
    // Hash key/value serializers are never set, so afterPropertiesSet() fills them
    // with the default JdkSerializationRedisSerializer (Java object serialization).
    template.afterPropertiesSet();

    return template;
}

The problem was happening due to this line RedisTemplate<?, ?> template = new RedisTemplate<>();

Now, using safe serializers is recommended, and I have used Jackson2JsonRedisSerializer for serializing and deserializing objects. I was already using StringRedisSerializer for strings.

Additionally, I initialized RedisTemplate<String, Object>, thereby specifying the key and value types.

Solution

@Bean
public RedisTemplate<String, Object> redisTemplate() {
    // Keys are plain strings; values are JSON rather than Java-serialized objects.
    RedisSerializer<String> stringSerializer = new StringRedisSerializer();
    Jackson2JsonRedisSerializer<Object> objectSerializer = new Jackson2JsonRedisSerializer<>(Object.class);

    RedisTemplate<String, Object> template = new RedisTemplate<>();
    template.setConnectionFactory(jedisConnectionFactory()); // connection factory bean defined elsewhere in this config
    template.setKeySerializer(stringSerializer);
    template.setValueSerializer(objectSerializer);

    // Set the hash serializers explicitly too, so nothing falls back to the JDK default.
    template.setHashKeySerializer(stringSerializer);
    template.setHashValueSerializer(objectSerializer);

    template.setEnableDefaultSerializer(true);
    template.afterPropertiesSet();

    return template;
}

This resolved my Fortify issue.

viveknaskar answered Dec 12 '25 11:12
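The following is an added example, not code from the question or the answer above. It shows why the default RedisTemplate value serializer draws the "Unsafe Deserialization" finding and what the JSON replacement looks like on the wire, and it goes one step beyond the answer by typing the serializer to the DTO class instead of Object. It assumes spring-data-redis and jackson-databind on the classpath; OrderDTO is a constructed stand-in for the question's xxxDTO, and orderTemplate() is a hypothetical factory method you would call from a @Bean method in your own @Configuration.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Objects;

import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.Jackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.data.redis.serializer.StringRedisSerializer;

/**
 * Added example (not from the page). Assumes spring-data-redis and jackson-databind are available.
 * OrderDTO is a constructed sample type standing in for the question's "xxxDTO".
 */
public class SafeRedisSerializationExample {

    /** Constructed sample value type. Serializable only so the JDK serializer can process it. */
    public static class OrderDTO implements Serializable {
        private static final long serialVersionUID = 1L;
        public String orderId;
        public int quantity;

        public OrderDTO() { }                       // Jackson needs a no-arg constructor
        public OrderDTO(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    /** True if the bytes start with the Java serialization stream magic 0xACED. */
    static boolean isJavaSerializationStream(byte[] bytes) {
        return bytes != null && bytes.length >= 2
                && (bytes[0] & 0xFF) == 0xAC && (bytes[1] & 0xFF) == 0xED;
    }

    /**
     * Hypothetical factory: a template typed to the DTO, so reads return OrderDTO rather than a map.
     * Call it from a @Bean method, passing the application's RedisConnectionFactory.
     */
    public static RedisTemplate<String, OrderDTO> orderTemplate(RedisConnectionFactory connectionFactory) {
        RedisSerializer<String> keySerializer = new StringRedisSerializer();
        Jackson2JsonRedisSerializer<OrderDTO> valueSerializer =
                new Jackson2JsonRedisSerializer<>(OrderDTO.class);

        RedisTemplate<String, OrderDTO> template = new RedisTemplate<>();
        template.setConnectionFactory(connectionFactory);
        template.setKeySerializer(keySerializer);
        template.setValueSerializer(valueSerializer);
        template.setHashKeySerializer(keySerializer);
        template.setHashValueSerializer(valueSerializer);
        // Every serializer is set explicitly; afterPropertiesSet() only fills serializers
        // that are still null with the JDK default, so that default is never consulted.
        template.afterPropertiesSet();
        return template;
    }

    /** Review check: does any value-side serializer of a built template still use Java serialization? */
    public static boolean usesJavaSerialization(RedisTemplate<?, ?> template) {
        return template.getValueSerializer() instanceof JdkSerializationRedisSerializer
                || template.getHashValueSerializer() instanceof JdkSerializationRedisSerializer;
    }

    public static void main(String[] args) {
        OrderDTO order = new OrderDTO("ord-1001", 3);   // constructed sample value

        // What RedisTemplate falls back to when a serializer is left unset.
        byte[] jdkBytes = new JdkSerializationRedisSerializer().serialize(order);
        System.out.println("JDK serializer emits a Java serialization stream: "
                + isJavaSerializationStream(jdkBytes));

        // The replacement: plain JSON, bound to one concrete class when read back.
        Jackson2JsonRedisSerializer<OrderDTO> json = new Jackson2JsonRedisSerializer<>(OrderDTO.class);
        byte[] jsonBytes = json.serialize(order);
        System.out.println("JSON payload: " + new String(jsonBytes, StandardCharsets.UTF_8));
        System.out.println("JSON payload is a Java serialization stream: "
                + isJavaSerializationStream(jsonBytes));

        OrderDTO roundTrip = json.deserialize(jsonBytes);
        System.out.println("Round-trip preserved fields: "
                + (Objects.equals(order.orderId, roundTrip.orderId)
                   && order.quantity == roundTrip.quantity));
    }
}
```

Two points on the design choice. First, Jackson2JsonRedisSerializer built with Object.class, as in the answer, writes JSON fine but reads every JSON object back as a LinkedHashMap, so callers have to convert it themselves; binding the serializer to the concrete DTO class avoids that and keeps the type that can be instantiated fixed at configuration time. Second, usesJavaSerialization() is the check worth running in a test against each RedisTemplate bean: it reports a template whose hash serializers were forgotten and silently defaulted to JdkSerializationRedisSerializer, which is the situation the "Initial Code" above was in.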


