Package ch.qos.logback.core.net
Class HardenedObjectInputStream
- java.lang.Object
  - java.io.InputStream
    - java.io.ObjectInputStream
      - ch.qos.logback.core.net.HardenedObjectInputStream
- All Implemented Interfaces:
  java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable
- Direct Known Subclasses:
  HardenedAccessEventInputStream, HardenedLoggingEventInputStream

public class HardenedObjectInputStream extends java.io.ObjectInputStream

HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of explicitly whitelisted classes. This prevents certain types of attack from succeeding. Classes in the "java.lang" and "java.util" packages are assumed to be always authorized.
- Since:
  1.2.0
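Added example (not part of the logback documentation or source) showing the class in use: a constructed AllowedEvent type is whitelisted by name, a java.util.ArrayList passes without any whitelist entry, and a constructed UnexpectedPayload is refused at class resolution. HardenedStreamDemo, AllowedEvent and UnexpectedPayload are hypothetical names; the example assumes a rejected class surfaces as the java.io.IOException that resolveClass declares.

```java
import ch.qos.logback.core.net.HardenedObjectInputStream;
import java.io.*;
import java.util.*;

public class HardenedStreamDemo {
    // Constructed type that we explicitly authorize by fully qualified name.
    public static final class AllowedEvent implements Serializable {
        final String message;
        AllowedEvent(String message) { this.message = message; }
    }

    // Constructed type that is serializable but never whitelisted.
    public static final class UnexpectedPayload implements Serializable {
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reads one object through the hardened stream: only AllowedEvent plus the
    // java.lang and java.util packages may be resolved.
    static Object readHardened(byte[] bytes) throws IOException, ClassNotFoundException {
        String[] whitelist = { AllowedEvent.class.getName() };
        try (HardenedObjectInputStream in =
                     new HardenedObjectInputStream(new ByteArrayInputStream(bytes), whitelist)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Whitelisted class: deserializes normally.
        AllowedEvent ok = (AllowedEvent) readHardened(serialize(new AllowedEvent("hello")));
        System.out.println("accepted: " + ok.message);
        // java.util type: authorized without a whitelist entry.
        System.out.println("accepted: " + readHardened(serialize(new ArrayList<>(Arrays.asList("x")))));

        // Non-whitelisted class: resolveClass refuses it before any instance is built.
        try {
            readHardened(serialize(new UnexpectedPayload()));
            System.out.println("UNEXPECTED: payload was deserialized");
        } catch (IOException rejected) {
            System.out.println("rejected: " + rejected);
        }
    }
}
```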
Field Summary
- private static int ARRAY_LIMIT
- private static int DEPTH_LIMIT
- (package private) static java.lang.String[] JAVA_PACKAGES
- (package private) java.util.List<java.lang.String> whitelistedClassNames
- Fields inherited from interface java.io.ObjectStreamConstants:
  baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary
- HardenedObjectInputStream(java.io.InputStream in, java.lang.String[] whilelist)
- HardenedObjectInputStream(java.io.InputStream in, java.util.List<java.lang.String> whitelist)

Method Summary
- protected void addToWhitelist(java.util.List<java.lang.String> additionalAuthorizedClasses)
- private void initObjectFilter()
- private boolean isWhitelisted(java.lang.String incomingClassName)
- protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass anObjectStreamClass)
- Methods inherited from class java.io.ObjectInputStream:
  available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes

Field Detail
- whitelistedClassNames
  final java.util.List<java.lang.String> whitelistedClassNames
- JAVA_PACKAGES
  static final java.lang.String[] JAVA_PACKAGES
- DEPTH_LIMIT
  private static final int DEPTH_LIMIT
  See Also: Constant Field Values
- ARRAY_LIMIT
  private static final int ARRAY_LIMIT
  See Also: Constant Field Values

Constructor Detail
- HardenedObjectInputStream
  public HardenedObjectInputStream(java.io.InputStream in, java.lang.String[] whilelist) throws java.io.IOException
  Throws: java.io.IOException
- HardenedObjectInputStream
  public HardenedObjectInputStream(java.io.InputStream in, java.util.List<java.lang.String> whitelist) throws java.io.IOException
  Throws: java.io.IOException

Method Detail
- initObjectFilter
  private void initObjectFilter()
- resolveClass
  protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass anObjectStreamClass) throws java.io.IOException, java.lang.ClassNotFoundException
  Overrides: resolveClass in class java.io.ObjectInputStream
  Throws: java.io.IOException, java.lang.ClassNotFoundException
- isWhitelisted
  private boolean isWhitelisted(java.lang.String incomingClassName)
- addToWhitelist
  protected void addToWhitelist(java.util.List<java.lang.String> additionalAuthorizedClasses)