• Home
• com.hazelcast
• hazelcast
• 4.0.1
• source code
• SerializationClassNameFilter.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.hazelcast.internal.serialization.SerializationClassNameFilter Maven / Gradle / Ivy

/*
 * Copyright (c) 2008-2020, Hazelcast, Inc. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.hazelcast.internal.serialization;

import com.hazelcast.config.ClassFilter;
import com.hazelcast.config.JavaSerializationFilterConfig;
import com.hazelcast.internal.util.Preconditions;
import com.hazelcast.nio.serialization.ClassNameFilter;

import static java.lang.String.format;

/**
 * Implementation of basic protection against untrusted deserialization. It holds blacklist and whitelist with classnames and
 * package names.
 *
 * @see #filter(String)
 */
public final class SerializationClassNameFilter implements ClassNameFilter {

    private static final String DESERIALIZATION_ERROR = "Resolving class %s is not allowed.";
    private static final ClassFilter DEFAULT_WHITELIST;

    private final ClassFilter blacklist;
    private final ClassFilter whitelist;
    private final boolean useDefaultWhitelist;

    public SerializationClassNameFilter(JavaSerializationFilterConfig config) {
        Preconditions.checkNotNull(config, "JavaSerializationFilterConfig has to be provided");
        blacklist = config.getBlacklist();
        whitelist = config.getWhitelist();
        useDefaultWhitelist = !config.isDefaultsDisabled();
    }

    /**
     * Throws {@link SecurityException} if the given class name appears on the blacklist or does not appear a whitelist.
     *
     * @param className class name to check
     * @throws SecurityException if the classname is not allowed for deserialization
     */
    public void filter(String className) throws SecurityException {
        if (blacklist.isListed(className)) {
            throw new SecurityException(format(DESERIALIZATION_ERROR, className));
        }
        // if whitelisting is enabled (either explicit or as a default whitelist), force the whitelist check
        if (useDefaultWhitelist || !whitelist.isEmpty()) {
            if (whitelist.isListed(className)
                    || (useDefaultWhitelist && DEFAULT_WHITELIST.isListed(className))) {
                return;
            }
            throw new SecurityException(format(DESERIALIZATION_ERROR, className));
        }
    }

    static {
        DEFAULT_WHITELIST = new ClassFilter();
        DEFAULT_WHITELIST.addPrefixes("com.hazelcast.", "java", "[");
    }
}