Package ch.qos.logback.core.net

Class HardenedObjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

ch.qos.logback.core.net.HardenedObjectInputStream

All Implemented Interfaces:

Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

Direct Known Subclasses:

HardenedAccessEventInputStream, HardenedLoggingEventInputStream

public class HardenedObjectInputStream
extends ObjectInputStream

HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of explicitly whitelisted classes. This prevents certain type of attacks from being successful.

It is assumed that classes in the "java.lang" and "java.util" packages are always authorized.

Since:

1.2.0

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

ObjectInputStream.GetField

Field Summary

Fields

Modifier and Type	Field	Description
private static final int	ARRAY_LIMIT
private static final int	DEPTH_LIMIT
(package private) static final String[]	JAVA_PACKAGES
(package private) final List<String>	whitelistedClassNames

Fields inherited from interface java.io.ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor	Description
HardenedObjectInputStream(InputStream in, String[] whilelist)
HardenedObjectInputStream(InputStream in, List<String> whitelist)

Method Summary

Modifier and Type	Method	Description
protected void	addToWhitelist(List<String> additionalAuthorizedClasses)
private void	initObjectFilter()
private boolean	isWhitelisted(String incomingClassName)
protected Class<?>	resolveClass(ObjectStreamClass anObjectStreamClass)

Methods inherited from class java.io.ObjectInputStream

available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes

Methods inherited from class java.io.InputStream

mark, markSupported, read, reset, skip

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput

read, skip

Field Details

whitelistedClassNames

final List<String> whitelistedClassNames

JAVA_PACKAGES

static final String[] JAVA_PACKAGES

DEPTH_LIMIT

private static final int DEPTH_LIMIT

See Also:

• Constant Field Values

ARRAY_LIMIT

private static final int ARRAY_LIMIT

See Also:

• Constant Field Values

Constructor Details

HardenedObjectInputStream

public HardenedObjectInputStream(InputStream in,
 String[] whilelist)
                          throws IOException

Throws:

IOException

HardenedObjectInputStream

public HardenedObjectInputStream(InputStream in,
 List<String> whitelist)
                          throws IOException

Throws:

IOException

Method Details

initObjectFilter

private void initObjectFilter()

resolveClass

protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass)
                         throws IOException,
ClassNotFoundException

Overrides:

resolveClass in class ObjectInputStream

Throws:

IOException

ClassNotFoundException

isWhitelisted

private boolean isWhitelisted(String incomingClassName)

addToWhitelist

protected void addToWhitelist(List<String> additionalAuthorizedClasses)