Serialization protection methods in Bamboo

For security and compatibility reasons, you can control how Java classes are filtered during deserialization. This matters most for agent-server communication, where the server deserializes messages received over the network from agents.

The filtering can be either whitelist- or blacklist-based.

The whitelist is the only recommended option for XStream serialization. The blacklist (the former default) is scheduled for removal and should be treated only as a temporary workaround if the whitelist causes problems, for example with a plugin that has not declared its classes as allowed.


You can disable serialization security completely by setting the bamboo.security.serialization.disable system property. This is not recommended: with the filter off, any class available on the classpath can be instantiated from untrusted serialized data.

You can set up the serialization protection methods in Bamboo administration > Security > Security settings.

Serialization: XStream
Description: Agent - server messaging
Options:
  • whitelist (default)
  • blacklist (insecure)
  • strict blacklist (insecure)

Serialization: Bandana
Description: Bamboo custom storage mechanism that can be used by plugins
Options:
  • blacklist
  • strict blacklist (default)

Overview of options

The recommended option: whitelist

The whitelist has three sources:

  • a list bundled with Bamboo (which can't be modified),
  • a list of whitelisted classes that you add in the Bamboo home directory,
  • classes that plugin vendors declare as allowed.

A whitelist has higher priority than a blacklist. If a class is blacklisted by Bamboo but is whitelisted anywhere (by a plugin or via the Bamboo home directory settings), the class can still be serialized and deserialized, even when the blacklist security setting is in use. In practice this means a plugin's whitelist entries override Bamboo's own blacklist, so review the classes that installed plugins declare as allowed.

For more information about how to add classes to the whitelist or implement a plugin module, see Bamboo developer documentation.

Blacklist (insecure)

Blacklists are provided by Bamboo and can't be modified by plugin vendors or administrators.

Strict blacklist (insecure)

The strict blacklist restricts somewhat more classes than the blacklist. Nevertheless, it is still considered insecure, because a blacklist can only reject the classes it names, and it can cause problems with some plugins.
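As an added illustration of the difference between the whitelist and blacklist options above, the following Java program configures XStream twice: once as an allowlist that permits only the expected message type, and once as a denylist that permits everything except a few named classes. This is example code written for this page, not Bamboo's own code, and it does not reproduce the exact filter Bamboo applies internally; AgentMessage is a placeholder for a legitimate agent-server message type, and the names in the denylist are illustrative entries only. The payload built from an unlisted type is a plain map, chosen because it is harmless; the point is that the denylist accepts it simply because nobody listed it.

```java
// Added example (not Bamboo's own code): one XStream instance configured as an
// allowlist and one as a denylist, to show why the whitelist is the safer filter.
// AgentMessage is a placeholder type; the denylist entries are illustrative.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.LinkedHashMap;
import java.util.Map;

public class SerializationFilterDemo {

    /** Stand-in for a message type the server legitimately expects from an agent. */
    public static final class AgentMessage {
        String agentId;
        long timestamp;
    }

    /** Whitelist: deny everything, then allow exactly the types we expect. */
    static XStream whitelistedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);                // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit int, long, boolean, ...
        xs.allowTypes(new Class[] { AgentMessage.class, String.class });
        return xs;
    }

    /** Blacklist: allow everything, then deny a handful of named classes. */
    static XStream blacklistedXStream() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        // Illustrative denylist entries; a real list is longer and still never complete.
        xs.denyTypes(new String[] { "java.lang.ProcessBuilder", "java.lang.Runtime" });
        xs.denyTypesByWildcard(new String[] { "javax.script.**" });
        return xs;
    }

    /** Returns true when the XML deserializes, false when the filter rejects it. */
    static boolean accepts(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        XStream producer = new XStream(); // used only to build the sample payloads

        // Constructed sample: the message type the server expects.
        AgentMessage msg = new AgentMessage();
        msg.agentId = "agent-1";
        msg.timestamp = 1L;
        String expected = producer.toXML(msg);

        // Constructed sample: a type neither filter names explicitly. Harmless here,
        // but it shows that a blacklist lets through anything it did not list.
        Map<String, String> unlisted = new LinkedHashMap<>();
        unlisted.put("k", "v");
        String unexpected = producer.toXML(unlisted);

        XStream whitelist = whitelistedXStream();
        XStream blacklist = blacklistedXStream();

        System.out.println("whitelist accepts expected type: " + accepts(whitelist, expected));   // true
        System.out.println("whitelist accepts unlisted type: " + accepts(whitelist, unexpected)); // false
        System.out.println("blacklist accepts expected type: " + accepts(blacklist, expected));   // true
        System.out.println("blacklist accepts unlisted type: " + accepts(blacklist, unexpected)); // true
    }
}
```

The whitelist rejects the unlisted payload with ForbiddenClassException before any object is constructed; the blacklist accepts it because its rules only ever say what to refuse. That is the property the page relies on when it calls the blacklist options insecure: every class the list does not mention is implicitly allowed, so the filter is only as good as the list's coverage.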

Last modified on Jul 1, 2024
