It’s funny that no amount of (Rust-like) compile time or (Java-like) runtime checks would have prevented this — every line of code is working as intended. The parallels to the recent Log4J vulnerability are evident.
If you happen to think, as I do, that we need safe(r) languages to have any hope of creating secure systems, then problems like these are a striking reminder that memory safety alone isn’t sufficient to achieve security.
The problem is historical serialization APIs that date to before people really thought about deserialising as an attack vector. All the big/enterprise serialization APIs of the era made the same mistake (and later on added layers to allow the developer to limit the set of classes that could be instantiated).
Modern serialization frameworks all seem to have moved to a no-polymorphic-instantiation model. E.g. when deserialising a field of type X, they will only deserialise into an X.
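The two mitigations the comment above describes, shown side by side as an added example (this is not code from the thread or from any of the frameworks discussed). Python's `pickle` stands in for the older polymorphic APIs, where the stream names the classes to instantiate and the retrofitted fix is an allowlist in `find_class`; the `from_json` helper stands in for the modern model, where the target type comes only from the declared field type and any type-tag key in the document is rejected as an unknown field. The `Point`, `Polyline` and `Unlisted` classes are constructed for the example.

```python
"""Two ways to stop a deserializer from instantiating classes chosen by the sender."""
import io
import json
import pickle
from dataclasses import dataclass, fields, is_dataclass
from typing import get_args, get_origin, get_type_hints


# Application types, constructed for this example.
@dataclass
class Point:
    x: int
    y: int


@dataclass
class Polyline:
    name: str
    points: list[Point]


@dataclass
class Unlisted:
    """Harmless, but deliberately absent from the pickle allowlist below."""
    note: str


# --- Layer 1: retrofitted allowlist on a polymorphic format -----------------
# pickle resolves class references embedded in the stream, so by default the
# sender picks which classes get instantiated. Overriding find_class is the
# "added layer" that limits the set of classes to the ones the app expects.
class RestrictedUnpickler(pickle.Unpickler):
    ALLOWED = {(Point.__module__, "Point"), (Polyline.__module__, "Polyline")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def roundtrip_ok(obj) -> bool:
    """Pickle obj, then unpickle it through the allowlist; False if refused."""
    try:
        return restricted_loads(pickle.dumps(obj)) == obj
    except pickle.UnpicklingError:
        return False


# --- Layer 2: no polymorphic instantiation at all ---------------------------
# The type to build comes from the code, never from the document: a field
# declared as Point is built as a Point regardless of what the JSON contains.
def from_json(cls, text: str):
    return _build(cls, json.loads(text))


def _build(cls, value):
    if is_dataclass(cls):
        if not isinstance(value, dict):
            raise TypeError(f"{cls.__name__} needs an object, got {type(value).__name__}")
        declared = {f.name for f in fields(cls)}
        unknown = set(value) - declared
        if unknown:
            # Type-tag keys such as "@class" or "__type__" land here and are refused.
            raise TypeError(f"unknown fields for {cls.__name__}: {sorted(unknown)}")
        missing = declared - set(value)
        if missing:
            raise TypeError(f"missing fields for {cls.__name__}: {sorted(missing)}")
        hints = get_type_hints(cls)
        return cls(**{name: _build(hints[name], value[name]) for name in declared})
    if get_origin(cls) is list:
        (item_type,) = get_args(cls)
        if not isinstance(value, list):
            raise TypeError(f"expected a list, got {type(value).__name__}")
        return [_build(item_type, item) for item in value]
    if cls in (int, float, str, bool):
        if type(value) is not cls:  # exact match, so a bool is not accepted as an int
            raise TypeError(f"expected {cls.__name__}, got {type(value).__name__}")
        return value
    raise TypeError(f"unsupported declared type {cls!r}")


def json_load_ok(cls, text: str) -> bool:
    """True if text deserializes into exactly cls, False if it was refused."""
    try:
        from_json(cls, text)
        return True
    except (TypeError, ValueError):
        return False
```

The allowlist layer still lets the stream decide *which* of the permitted classes to build, which is why the second model is the stronger default: the declared type of the field is the only type that can ever be constructed, and there is no class-name lookup for a payload to steer.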