Package ch.qos.logback.core.net
Class HardenedObjectInputStream
- java.lang.Object
- java.io.InputStream
- java.io.ObjectInputStream
- ch.qos.logback.core.net.HardenedObjectInputStream

- All Implemented Interfaces:
java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable
- Direct Known Subclasses:
HardenedAccessEventInputStream, HardenedLoggingEventInputStream
public class HardenedObjectInputStream extends java.io.ObjectInputStream
HardenedObjectInputStream restricts deserialization to an explicit whitelist of classes: a class descriptor read from the stream is only resolved (and its instance created) if the class is whitelisted; otherwise the read is refused. This defeats deserialization attacks that depend on getting an arbitrary class from the classpath instantiated from attacker-controlled bytes (so-called gadget chains). Classes in the "java.lang" and "java.util" packages are always authorized, so only application classes need to be listed. Because ObjectInputStream resolves every class in the serialized object graph, not just the top-level object, the whitelist must name every application class reachable from the objects being read.
- Since:
- 1.2.0
- Author:
- Ceki Gülcü
Field Summary
-
Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
Constructor Summary
- HardenedObjectInputStream(java.io.InputStream in, java.lang.String[] whilelist)
- HardenedObjectInputStream(java.io.InputStream in, java.util.List<java.lang.String> whitelist)
-
Method Summary
- protected void addToWhitelist(java.util.List<java.lang.String> additionalAuthorizedClasses)
- protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass anObjectStreamClass)
-
Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes
-
Methods inherited from class java.io.InputStream
mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo
Constructor Detail
-
HardenedObjectInputStream
public HardenedObjectInputStream(java.io.InputStream in, java.lang.String[] whilelist) throws java.io.IOException
Creates a hardened stream over in whose whitelist is the given array of class names (the parameter is spelt whilelist in the signature).
- Throws:
java.io.IOException
-
HardenedObjectInputStream
public HardenedObjectInputStream(java.io.InputStream in, java.util.List<java.lang.String> whitelist) throws java.io.IOException
Creates a hardened stream over in whose whitelist is the given list of class names.
- Throws:
java.io.IOException
Method Detail
-
resolveClass
protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass anObjectStreamClass) throws java.io.IOException, java.lang.ClassNotFoundException
Called by ObjectInputStream for each class descriptor encountered in the stream. Resolves the class only if it belongs to the java.lang or java.util package or is on the whitelist; any other class is refused, which aborts the read before an instance is created.
- Overrides:
resolveClass in class java.io.ObjectInputStream
- Throws:
java.io.IOException
java.lang.ClassNotFoundException
-
addToWhitelist
protected void addToWhitelist(java.util.List<java.lang.String> additionalAuthorizedClasses)
Adds further class names to the whitelist. The method is protected, so it is meant for subclasses (see Direct Known Subclasses) that fix the set of classes their stream accepts rather than leaving that choice to callers.
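The following is an added example of using the constructors, resolveClass and addToWhitelist described on this page; it is not logback's own code. It assumes logback-core is on the classpath; the Order and LineItem types and the OrderInputStream subclass are constructed for the demo, and since the page does not state which exception type resolveClass throws on refusal, both declared types are caught.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import ch.qos.logback.core.net.HardenedObjectInputStream;

public class HardenedDeserializationDemo {

    // Constructed application types for the demo (not part of logback).
    static class LineItem implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int qty;
        LineItem(String sku, int qty) { this.sku = sku; this.qty = qty; }
    }

    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final List<LineItem> items = new ArrayList<>();
    }

    // Hypothetical subclass in the style of the Direct Known Subclasses: the
    // stream fixes its own whitelist through the protected addToWhitelist hook,
    // so callers cannot hand it an over-broad list.
    static class OrderInputStream extends HardenedObjectInputStream {
        OrderInputStream(InputStream in) throws IOException {
            super(in, new String[0]);
            addToWhitelist(Arrays.asList(Order.class.getName(), LineItem.class.getName()));
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reads one object with the given whitelist; returns null and reports the
    // failure if the stream is refused. The exception type thrown on refusal is
    // not stated on this page, so both types declared by resolveClass are caught.
    static Object readWith(byte[] bytes, String... whitelist) {
        try (HardenedObjectInputStream in =
                     new HardenedObjectInputStream(new ByteArrayInputStream(bytes), whitelist)) {
            return in.readObject();
        } catch (IOException | ClassNotFoundException e) {
            System.out.println("refused: " + e);
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Order order = new Order();
        order.items.add(new LineItem("SKU-1", 2));
        byte[] orderBytes = serialize(order);

        // 1. Only the root class is whitelisted. ArrayList resolves (java.util is
        //    always authorized) but LineItem, the next class descriptor in the
        //    stream, is not, so readObject fails: the whole graph must be listed.
        readWith(orderBytes, Order.class.getName());

        // 2. Every application class in the graph is whitelisted: accepted.
        Order ok = (Order) readWith(orderBytes, Order.class.getName(), LineItem.class.getName());
        System.out.println("accepted: " + ok.items.get(0).sku + " x" + ok.items.get(0).qty);

        // 3. Deny by default: a harmless JDK class outside java.lang/java.util
        //    (java.math.BigDecimal) is refused as well, because it is not listed.
        readWith(serialize(new BigDecimal("1.50")), Order.class.getName(), LineItem.class.getName());

        // 4. The same checks through the subclass that owns its whitelist.
        try (OrderInputStream in = new OrderInputStream(new ByteArrayInputStream(orderBytes))) {
            Order viaSubclass = (Order) in.readObject();
            System.out.println("accepted via subclass: " + viaSubclass.items.size() + " item(s)");
        }
    }
}
```

Case 1 is the mistake most worth remembering: whitelisting only the type you expect to read is not enough, because resolveClass is consulted for every non-java.lang/java.util class in the stream, including those reached through fields and collection elements. Case 3 shows the flip side: anything not listed is refused even when it is benign, which is the point of an allow-list.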