From e30f52ca34d12bc6391ade65dd3e29995098ea4f Mon Sep 17 00:00:00 2001 From: Tobias Neitzel Date: Tue, 7 Nov 2023 18:50:38 +0100 Subject: [PATCH] Prevent leakage of local ysoserial path When using remote-method-guesser's ysoserial integration, gadget objects created by ysoserial were annotated by the marshaloutput stream. This annotation included the absolute file system path of the ysoserial library, which represents a low impact information disclosure. Since remote-method-guesser already overrides the default RMIClassLoader, this behavior was now changed by always returning null as result of the getClassAnnotation method. --- src/de/qtc/rmg/internal/CodebaseCollector.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/de/qtc/rmg/internal/CodebaseCollector.java b/src/de/qtc/rmg/internal/CodebaseCollector.java index c02b9a1..c479c70 100644 --- a/src/de/qtc/rmg/internal/CodebaseCollector.java +++ b/src/de/qtc/rmg/internal/CodebaseCollector.java @@ -190,10 +190,14 @@ public ClassLoader getClassLoader(String codebase) throws MalformedURLException * function to return the codebase only supports String types. The currently selected approach * of rmg (which is the MaliciousOutputStream class) allows arbitrary objects and is therefore * more flexible. + * + * Since version v4.5.0, this function always returns null instead of invoking the original loaders + * getClassAnnotation method. This was changed, as the original loaders getClassAnnotation method + * leaked the local ysoserial path when using remote-method-guessers ysoserial integration. */ public String getClassAnnotation(Class cl) { - return originalLoader.getClassAnnotation(cl); + return null; } /**
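Review bot: With `return null;` in `getClassAnnotation`, the delegating RMIClassLoader no longer emits any class annotation for any class, so the only remaining source of codebase annotations is the MaliciousOutputStream path named in the comment just above the hunk; since the codebase feature depends on that path alone now, a regression test that an object serialized with a configured codebase still carries its annotation would make the change safe to merge. Returning `null` is the same value the JDK's default provider yields when `java.rmi.server.codebase` is unset and the class comes from the application class loader, so the receiving MarshalInputStream simply treats it as "no codebase", which is the intended outcome for the ysoserial gadgets and removes the absolute library path from the stream. Two small nits in the added comment block: "original loaders getClassAnnotation method" should read "original loader's getClassAnnotation method" (twice), and "remote-method-guessers ysoserial integration" should be "remote-method-guesser's ysoserial integration". Consider also noting the behaviour change in the release notes for v4.5.0, since the comment pins it to that version, and, while touching the signature, `Class<?> cl` instead of the raw `Class cl` would match modern Java style.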