• Home
• org.apache.activemq
• activemq-all
• 5.16.4
• source code
• HardenedObjectInputStream.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.apache.log4j.net.HardenedObjectInputStream Maven / Gradle / Ivy

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.log4j.net;

import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.List;

/**
 * HardenedObjectInputStream restricts the set of classes that can be
 * deserialized to a set of explicitly whitelisted classes. This prevents
 * certain type of attacks from being successful.
 * 
 * 

 * It is assumed that classes in the "java.lang" and "java.util" packages are
 * always authorized.
 * 
 * 
 * @author Ceki Gülcü
 * @since 1.2.18
 * 
 *        === Copied from the logback project with permission ==
 */
public class HardenedObjectInputStream extends ObjectInputStream {

    static final String ARRAY_CLASS_PREFIX = "[L";
    final List whitelistedClassNames;
    final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util", ARRAY_CLASS_PREFIX + "java.lang" };

    public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException {
	super(in);

	this.whitelistedClassNames = new ArrayList();
	if (whilelist != null) {
	    for (int i = 0; i < whilelist.length; i++) {
		this.whitelistedClassNames.add(whilelist[i]);
	    }
	}
    }

    public HardenedObjectInputStream(InputStream in, List whitelist) throws IOException {
	super(in);

	this.whitelistedClassNames = new ArrayList();
	this.whitelistedClassNames.addAll(whitelist);
    }

    @Override
    protected Class resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException {

	String incomingClassName = anObjectStreamClass.getName();

	if (!isWhitelisted(incomingClassName)) {
	    throw new InvalidClassException("Unauthorized deserialization attempt", incomingClassName);
	}

	return super.resolveClass(anObjectStreamClass);
    }

    private boolean isWhitelisted(String incomingClassName) {
	for (int i = 0; i < JAVA_PACKAGES.length; i++) {
	    if (incomingClassName.startsWith(JAVA_PACKAGES[i]))
		return true;
	}
	for (String whiteListed : whitelistedClassNames) {
	    if (incomingClassName.equals(whiteListed))
		return true;
	}
	return false;
    }

    protected void addToWhitelist(List additionalAuthorizedClasses) {
	whitelistedClassNames.addAll(additionalAuthorizedClasses);
    }
}