From 40259d6c88c3b7025522530a4ea3f16fb34377dc Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Mon, 10 Feb 2025 03:25:25 +0000
Subject: [PATCH] Introduced protections against deserialization attacks

---
 .../main/java/com/nextcloud/android/sso/InputStreamBinder.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/src/main/java/com/nextcloud/android/sso/InputStreamBinder.java b/app/src/main/java/com/nextcloud/android/sso/InputStreamBinder.java
index 22195227bbad..9a780027ac4e 100644
--- a/app/src/main/java/com/nextcloud/android/sso/InputStreamBinder.java
+++ b/app/src/main/java/com/nextcloud/android/sso/InputStreamBinder.java
@@ -28,6 +28,7 @@
 import com.owncloud.android.lib.common.OwnCloudClientManagerFactory;
 import com.owncloud.android.lib.common.utils.Log_OC;
 import com.owncloud.android.utils.EncryptionUtils;
+import io.github.pixee.security.ObjectInputFilters;
 import org.apache.commons.httpclient.HttpConnection;
 import org.apache.commons.httpclient.HttpMethodBase;
 
@@ -208,6 +209,7 @@ private ByteArrayInputStream serializeObjectToInputStre
     private T deserializeObjectAndCloseStream(InputStream is) throws IOException, ClassNotFoundException {
         ObjectInputStream ois = new ObjectInputStream(is);
+        ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
         T result = (T) ois.readObject();
         is.close();
         ois.close();
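Review bot: The new import `io.github.pixee.security.ObjectInputFilters` pulls in a third-party library, but the diffstat lists only InputStreamBinder.java, so unless that artifact (io.github.pixee:java-security-toolkit, if I have the coordinates right) is already declared in the app module's build file this commit does not compile; the dependency declaration belongs in the same change. The library call appears to install a generic, project-agnostic filter, whereas the stronger mitigation for a method that only ever reads the app's own serialized types is an allow-list, which the JDK provides without any new dependency: `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.nextcloud.**;!*"));` (pattern illustrative — derive it from the types this method actually deserializes, and confirm `java.io.ObjectInputFilter` is available at the app's minimum Android API level). Either way, a one-line comment at the call site explaining why a filter is required here, e.g. `// Reject unexpected classes before readObject() to block deserialization gadget chains`, would help the next maintainer keep it. The call site is in the second hunk, whose enclosing method continues past the end of this chunk.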