Change DefaultExecutionContextSerializer to produce Base64

The `DefaultExecutionContextSerializer` uses `DefaultSerializer` and `DefaultDeserializer` from Spring Framework which are both based on Java's built-in object serialization/deserialization mechanisms. Java's object serialization is known to be vulnerable and its usage in SF will be deprecated in v6. Here is an excerpt from [SerializationUtils](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/util/SerializationUtils.html) javadocs:

```
This utility will be deprecated in Spring Framework 6.0 since it uses Java Object Serialization, which allows
arbitrary code to be run and is known for being the source of many Remote Code Execution (RCE) vulnerabilities.
Prefer the use of an external tool (that serializes to JSON, XML, or any other format) which is regularly
checked and updated for not allowing RCE.
```

The default serializer should be updated to produce/consume Base64 content.

---
Related resources:
* [JEP 290: Filter Incoming Serialization Data](https://openjdk.org/jeps/290)
* [JEP 415: Context-Specific Deserialization Filters](https://openjdk.org/jeps/415)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Change DefaultExecutionContextSerializer to produce Base64 #4122

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Change DefaultExecutionContextSerializer to produce Base64 #4122

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions