##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! Detects base64-encoded Java class names commonly used in
##! deserialization attacks. Each keyword has 3 base64 variants
##! to account for byte alignment (offset 0, 1, 2) within the
##! base64 stream.
##!
##! Keywords:
##!   runtime, processbuilder, clonetransformer, forclosure,
##!   instantiatefactory, instantiatetransformer,
##!   invokertransformer, prototypeclonefactory,
##!   prototypeserializationfactory, whileclosure
##!
##! Base64 variants are generated by:
##!   for padding in range(3):
##!     base64(b'\x00' * padding + keyword)[padding:]

##! runtime
cnVudGltZQ
HJ1bnRpbWU
BydW50aW1l
##! processbuilder
cHJvY2Vzc2J1aWxkZXI
HByb2Nlc3NidWlsZGVy
Bwcm9jZXNzYnVpbGRlcg
##! clonetransformer
Y2xvbmV0cmFuc2Zvcm1lcg
GNsb25ldHJhbnNmb3JtZXI
BjbG9uZXRyYW5zZm9ybWVy
##! forclosure
Zm9yY2xvc3VyZQ
GZvcmNsb3N1cmU
Bmb3JjbG9zdXJl
##! instantiatefactory
aW5zdGFudGlhdGVmYWN0b3J5
Gluc3RhbnRpYXRlZmFjdG9yeQ
BpbnN0YW50aWF0ZWZhY3Rvcnk
##! instantiatetransformer
aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg
Gluc3RhbnRpYXRldHJhbnNmb3JtZXI
BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy
##! invokertransformer
aW52b2tlcnRyYW5zZm9ybWVy
Gludm9rZXJ0cmFuc2Zvcm1lcg
BpbnZva2VydHJhbnNmb3JtZXI
##! prototypeclonefactory
cHJvdG90eXBlY2xvbmVmYWN0b3J5
HByb3RvdHlwZWNsb25lZmFjdG9yeQ
Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk
##! prototypeserializationfactory
cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk
HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5
Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ
##! whileclosure
d2hpbGVjbG9zdXJl
HdoaWxlY2xvc3VyZQ
B3aGlsZWNsb3N1cmU