[MGNLCACHE-314] DOCS: Describe how to configure whitelistedKeyClasses
Created: 09/Aug/23
Updated: 10/Aug/23

Status: Open
Project: Cache Modules
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Neutral
Reporter: Oanh Thai Hoang
Assignee: Martin Drápela
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File whitelistedKeyClasses.png    
Issue Links:
Relates
documentation
documents MGNLCACHE-165 CacheEndpoint is potentially vulnerab... Closed
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Date of First Response:

 Description   

On https://docs.magnolia-cms.com/product-docs/6.2/Modules/List-of-modules/Cache-modules/Cache-Tools-app.html

expand the note: 
NOTE: To mitigate attacks against deserializers, the app only deserializes trusted data.

 

 

DRAFT: 

Simply make whitelistedKeyClasses configurable in /modules/cache-browser-app/config/whitelistedKeyClasses; the user only has to populate the whitelisted classes to be serialized by the endpoint and cache app via info.magnolia.cache.browser.CacheBrowserAppModule. This way we can prevent an unwanted class from being deserialized, and thus the execution of malicious code.
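For readers of the documentation, an added example (not part of the original issue and not Magnolia's own code) of how a class allowlist can gate Java deserialization with the standard `java.io.ObjectInputFilter`. It assumes Java 11 or later; `AllowlistedKeyReader`, `SampleKey` and `Unlisted` are hypothetical names, and the set of class names stands in for whatever is configured under whitelistedKeyClasses.

```java
import java.io.*;
import java.util.Set;

public class AllowlistedKeyReader {
    // Constructed sample classes: one expected cache key type, one that is not allowlisted.
    static class SampleKey implements Serializable {
        final String uri;
        SampleKey(String uri) { this.uri = uri; }
    }
    static class Unlisted implements Serializable { }

    // Assumption: these fully qualified names would be loaded from the whitelistedKeyClasses node.
    private final Set<String> allowed;

    AllowlistedKeyReader(Set<String> allowed) { this.allowed = Set.copyOf(allowed); }

    // ObjectInputStream calls this for each class descriptor before any instance is created.
    private ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/reference checks only
        while (c.isArray()) c = c.getComponentType();              // judge arrays by element type
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        return allowed.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;               // default deny
    }

    Object read(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(this::check); // must be set before the first read
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        AllowlistedKeyReader reader = new AllowlistedKeyReader(Set.of(SampleKey.class.getName()));
        SampleKey key = (SampleKey) reader.read(serialize(new SampleKey("/home.html")));
        System.out.println("accepted: " + key.uri);
        try {
            reader.read(serialize(new Unlisted()));
        } catch (InvalidClassException e) { // thrown when the filter returns REJECTED
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Every class in the serialized graph passes through the filter, including superclasses and field types, so an allowlist has to name each of them, not only the top-level key class.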

 


Generated at Sun Feb 11 23:54:14 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.