• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

tomdesair / tus-java-server / 28397616235
95%

Build:
DEFAULT BRANCH: master
Ran 29 Jun 2026 07:36PM UTC
Jobs 1
Files 92
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

29 Jun 2026 07:34PM UTC coverage: 95.129% (+0.004%) from 95.125%
28397616235

push

github

web-flow
🛡️ Sentinel: [CRITICAL] Fix insecure deserialization (#97)

* 🛡️ Sentinel: [CRITICAL] Fix insecure deserialization

🚨 Severity: CRITICAL
💡 Vulnerability: ObjectInputStream was used without restriction to deserialize objects from a file on disk. This is a potential risk for arbitrary code execution if an attacker is able to upload a maliciously crafted serialized object.
🎯 Impact: Remote code execution (RCE)
🔧 Fix: Replaced ObjectInputStream with ValidatingObjectInputStream (from commons-io) to explicitly allow-list accepted classes (`java.lang.*`, `java.util.*`, `me.desair.tus.server.*`).
✅ Verification: Ran unit tests and ensured that existing object serialization and deserialization functions correctly without regressions.

Co-authored-by: tomdesair <14034630+tomdesair@users.noreply.github.com>

* 🛡️ Sentinel: [CRITICAL] Fix insecure deserialization

🚨 Severity: CRITICAL
💡 Vulnerability: ObjectInputStream was used without restriction to deserialize objects from a file on disk. This is a potential risk for arbitrary code execution if an attacker is able to upload a maliciously crafted serialized object.
🎯 Impact: Remote code execution (RCE)
🔧 Fix: Replaced ObjectInputStream with ValidatingObjectInputStream (from commons-io) to explicitly allow-list accepted classes (`java.lang.*`, `java.util.*`, `me.desair.tus.server.*`). Also added a unit test to ensure that malicious classes are not deserialized.
✅ Verification: Ran unit tests and ensured that existing object serialization and deserialization functions correctly without regressions, while attempting to deserialize an unlisted class returns null.

Co-authored-by: tomdesair <14034630+tomdesair@users.noreply.github.com>

* Add unit test for validating object input stream

Co-authored-by: tomdesair <14034630+tomdesair@users.noreply.github.com>

* 🛡️ Sentinel: [CRITICAL] Fix insecure deserialization

🚨 Severity: CRITICAL
💡 Vulnerability: ObjectInputStream was used without restriction to deserialize obje... (continued)

622 of 700 branches covered (88.86%)

Branch coverage included in aggregate %.

3 of 3 new or added lines in 1 file covered. (100.0%)

1819 of 1866 relevant lines covered (97.48%)

6.59 hits per line

Jobs
ID Job ID Ran Files Coverage
1 28397616235.1 29 Jun 2026 07:36PM UTC 184
83.94
GitHub Action Run
Source Files on build 28397616235
  • Tree
  • List 92
  • Changed 47
  • Source Changed 1
  • Coverage Changed 47
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Repo
  • Github Actions Build #28397616235
  • 09ef3080 on github
  • Prev Build on master (#28397411854)
  • Next Build on master (#28397983898)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc