Hi everyone,

We use Java serialization and deserialization a lot in Iceberg. I wonder if we have considered the potential of a Java deserialization attack, where an attacker can replace the serialized bytes to execute arbitrary code through the readObject method.

Currently our SerializationUtil.deserializeFromBytes directly converts bytes to an ObjectInputStream. I know Apache Commons has ValidatingObjectInputStream, which can prevent the issue to some extent. Have we thought about this issue in the past? Are there any other suggestions?

Best,
Jack Ye
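The mechanism the post describes, as an added example that is not part of the original message and not Iceberg's SerializationUtil: a plain ObjectInputStream instantiates any Serializable class named in the byte stream, while a deserializer with an explicit class allowlist refuses everything else before readObject runs. It uses the standard java.io.ObjectInputFilter API (JEP 290, Java 9 and later) rather than Commons IO's ValidatingObjectInputStream; the TableHandle class, the ALLOWED set and the "tampered" payload are constructed for the demonstration.

```java
import java.io.*;
import java.util.*;

/**
 * Demonstration only (not Iceberg code): a serialize/deserialize pair where the
 * deserializer refuses any class outside an explicit allowlist, using
 * java.io.ObjectInputFilter (JEP 290, available since Java 9).
 */
public class SafeDeserialization {

    /** Constructed sample payload type standing in for a real serialized object. */
    public static final class TableHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final Map<String, String> properties;

        TableHandle(String name, Map<String, String> properties) {
            this.name = name;
            this.properties = properties;
        }
    }

    /** Hypothetical allowlist: the only classes (or array component types) a payload may contain. */
    private static final Set<Class<?>> ALLOWED = Set.of(
            TableHandle.class, String.class, HashMap.class, Integer.class, Long.class, Number.class);

    /** Unsafe baseline: any Serializable class on the classpath can be instantiated by the stream. */
    public static Object deserializeUnsafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /** Hardened: reject every class not on the allowlist and cap graph depth and array sizes. */
    public static Object deserializeSafe(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            // Resource limits are checked before any class is resolved.
            if (info.depth() > 16 || info.arrayLength() > 10_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> cls = info.serialClass();
            if (cls == null) {
                return ObjectInputFilter.Status.UNDECIDED; // size/depth callbacks carry no class
            }
            while (cls.isArray()) {
                cls = cls.getComponentType(); // judge arrays by their element type
            }
            if (cls.isPrimitive() || ALLOWED.contains(cls)) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED; // stream aborts before readObject() of this class runs
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> props = new HashMap<>();
        props.put("format-version", "2");
        byte[] good = serialize(new TableHandle("db.tbl", props));
        TableHandle t = (TableHandle) deserializeSafe(good);
        System.out.println("allowed: " + t.name + " " + t.properties);

        // Constructed "tampered" payload: a harmless stand-in for a class the reader never expected.
        byte[] unexpected = serialize(new java.util.concurrent.atomic.AtomicLong(42L));
        deserializeUnsafe(unexpected); // accepted without complaint
        try {
            deserializeSafe(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // "filter status: REJECTED"
        }
    }
}
```

The filter is consulted for every class in the object graph, so a gadget chain is cut at its first link that is not on the allowlist, which is why an allowlist of the few types a call site legitimately expects is stronger than rejecting known-bad classes. ValidatingObjectInputStream can express the same accept-only policy through its accept(...) methods on Java 8, where ObjectInputFilter is not available.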