Prevent leakage of local ysoserial path

When using remote-method-guessers ysoserial integration, gadget objects created by ysoserial were annotated by the marshaloutput stream. This annotation included the absoulte file system path of the ysoserial library, which represents a low impact information disclosure. Since remote-method-guesser already overrides the default RMIClassLoader, this behavior was now changed by always returning null as result of the getClassAnnotation method.
qtc-de · Nov 7, 2023 · e30f52c · e30f52c
1 parent cb150ad
commit e30f52c
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/de/qtc/rmg/internal/CodebaseCollector.java b/src/de/qtc/rmg/internal/CodebaseCollector.java
@@ -190,10 +190,14 @@ public ClassLoader getClassLoader(String codebase) throws MalformedURLException
      * function to return the codebase only supports String types. The currently selected approach
      * of rmg (which is the MaliciousOutputStream class) allows arbitrary objects and is therefore
      * more flexible.
+     *
+     * Since version v4.5.0, this function always returns null instead of invoking the original loaders
+     * getClassAnnotation method. This was changed, as the original loaders getClassAnnotation method
+     * leaked the local ysoserial path when using remote-method-guessers ysoserial integration.
      */
     public String getClassAnnotation(Class<?> cl)
     {
-        return originalLoader.getClassAnnotation(cl);
+        return null;
     }
 
     /**