All Downloads are FREE. Search and download functionalities are using the official Maven repository.

ch.qos.logback.core.net.HardenedObjectInputStream Maven / Gradle / Ivy

There is a newer version: 2.12.15
Show newest version
package ch.qos.logback.core.net;

import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.List;

/**
 * HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of 
 * explicitly whitelisted classes. This prevents certain type of attacks from being successful.
 * 
 * 

It is assumed that classes in the "java.lang" and "java.util" packages are * always authorized.

* * @author Ceki Gülcü * @since 1.2.0 */ public class HardenedObjectInputStream extends ObjectInputStream { final List whitelistedClassNames; final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" }; public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException { super(in); this.whitelistedClassNames = new ArrayList(); if (whilelist != null) { for (int i = 0; i < whilelist.length; i++) { this.whitelistedClassNames.add(whilelist[i]); } } } public HardenedObjectInputStream(InputStream in, List whitelist) throws IOException { super(in); this.whitelistedClassNames = new ArrayList(); this.whitelistedClassNames.addAll(whitelist); } @Override protected Class resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException { String incomingClassName = anObjectStreamClass.getName(); if (!isWhitelisted(incomingClassName)) { throw new InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName()); } return super.resolveClass(anObjectStreamClass); } private boolean isWhitelisted(String incomingClassName) { for (int i = 0; i < JAVA_PACKAGES.length; i++) { if (incomingClassName.startsWith(JAVA_PACKAGES[i])) return true; } for (String whiteListed : whitelistedClassNames) { if (incomingClassName.equals(whiteListed)) return true; } return false; } protected void addToWhitelist(List additionalAuthorizedClasses) { whitelistedClassNames.addAll(additionalAuthorizedClasses); } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy