de.huxhorn.lilith.engine.impl.eventproducer

Class WhitelistObjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

de.huxhorn.lilith.engine.impl.eventproducer.WhitelistObjectInputStream

All Implemented Interfaces:

java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable

public class WhitelistObjectInputStream
extends java.io.ObjectInputStream

Implementation of ObjectInputStream that only allows classes given during creation. See - https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread - http://www.ibm.com/developerworks/library/se-lookahead/ - http://frohoff.github.io/appseccali-marshalling-pickles/ - https://www.youtube.com/watch?v=KSA7vUkXGSg

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

java.io.ObjectInputStream.GetField

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor and Description
WhitelistObjectInputStream(java.io.InputStream in, java.util.Set<java.lang.String> whitelist) Creates a WhitelistObjectInputStream with copyMap = false and dryRunning = false.
WhitelistObjectInputStream(java.io.InputStream in, java.util.Set<java.lang.String> whitelist, boolean copySet) Creates a WhitelistObjectInputStream with dryRunning = false.
WhitelistObjectInputStream(java.io.InputStream in, java.util.Set<java.lang.String> whitelist, boolean copySet, boolean dryRunning)

Method Summary

Modifier and Type	Method and Description
java.util.Set<java.lang.String>	getUnauthorized()
java.util.Set<java.lang.String>	getWhitelist()
boolean	isDryRunning()
protected java.lang.Class<?>	resolveClass(java.io.ObjectStreamClass desc) Only deserialize instances of our classes contained in whitelist.
java.lang.String	toString()

Methods inherited from class java.io.ObjectInputStream

available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes

Methods inherited from class java.io.InputStream

mark, markSupported, read, reset, skip

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface java.io.ObjectInput

read, skip

Constructor Detail

WhitelistObjectInputStream

public WhitelistObjectInputStream(java.io.InputStream in,
                                  java.util.Set<java.lang.String> whitelist)
                           throws java.io.IOException

Creates a WhitelistObjectInputStream with copyMap = false and dryRunning = false.

Parameters:

in - the InputStream.

whitelist - whitelist of classes that may be deserialized.

Throws:

java.io.IOException - if an I/O error occurs while reading stream header

WhitelistObjectInputStream

public WhitelistObjectInputStream(java.io.InputStream in,
                                  java.util.Set<java.lang.String> whitelist,
                                  boolean copySet)
                           throws java.io.IOException

Creates a WhitelistObjectInputStream with dryRunning = false.

Parameters:

in - the InputStream.

whitelist - whitelist of classes that may be deserialized.

copySet - whether or not the given whitelist should be copied defensively.

Throws:

java.io.IOException - if an I/O error occurs while reading stream header

WhitelistObjectInputStream

public WhitelistObjectInputStream(java.io.InputStream in,
                                  java.util.Set<java.lang.String> whitelist,
                                  boolean copySet,
                                  boolean dryRunning)
                           throws java.io.IOException

Parameters:

in - the InputStream.

whitelist - whitelist of classes that may be deserialized.

copySet - whether or not the given whitelist should be copied defensively.

dryRunning - if true, only warnings are logged but classes are serialized anyway.

Throws:

java.io.IOException - if an I/O error occurs while reading stream header

Method Detail

resolveClass

protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass desc)
                                   throws java.io.IOException,
                                          java.lang.ClassNotFoundException

Only deserialize instances of our classes contained in whitelist.

Overrides:

resolveClass in class java.io.ObjectInputStream

Throws:

java.io.IOException

java.lang.ClassNotFoundException

getUnauthorized

public java.util.Set<java.lang.String> getUnauthorized()

isDryRunning

public boolean isDryRunning()

getWhitelist

public java.util.Set<java.lang.String> getWhitelist()

toString

public java.lang.String toString()

Overrides:

toString in class java.lang.Object