View Javadoc
1   /**
2    * Logback: the reliable, generic, fast and flexible logging framework.
3    * Copyright (C) 1999-2022, QOS.ch. All rights reserved.
4    *
5    * This program and the accompanying materials are dual-licensed under
6    * either the terms of the Eclipse Public License v1.0 as published by
7    * the Eclipse Foundation
8    *
9    *   or (per the licensee's choosing)
10   *
11   * under the terms of the GNU Lesser General Public License version 2.1
12   * as published by the Free Software Foundation.
13   */
14  package ch.qos.logback.classic.net.server;
15  
16  import java.io.IOException;
17  import java.io.InputStream;
18  import java.util.ArrayList;
19  import java.util.List;
20  
21  import org.slf4j.helpers.BasicMarker;
22  
23  import ch.qos.logback.classic.Level;
24  import ch.qos.logback.classic.Logger;
25  import ch.qos.logback.classic.spi.ClassPackagingData;
26  import ch.qos.logback.classic.spi.IThrowableProxy;
27  import ch.qos.logback.classic.spi.LoggerContextVO;
28  import ch.qos.logback.classic.spi.LoggerRemoteView;
29  import ch.qos.logback.classic.spi.LoggingEventVO;
30  import ch.qos.logback.classic.spi.StackTraceElementProxy;
31  import ch.qos.logback.classic.spi.ThrowableProxy;
32  import ch.qos.logback.classic.spi.ThrowableProxyVO;
33  import ch.qos.logback.core.net.HardenedObjectInputStream;
34  
35  public class HardenedLoggingEventInputStream extends HardenedObjectInputStream {
36  
37      static final String ARRAY_PREFIX = "[L";
38  
39      static public List<String> getWhilelist() {
40          List<String> whitelist = new ArrayList<String>();
41          whitelist.add(LoggingEventVO.class.getName());
42          whitelist.add(LoggerContextVO.class.getName());
43          whitelist.add(LoggerRemoteView.class.getName());
44          whitelist.add(ThrowableProxyVO.class.getName());
45          whitelist.add(BasicMarker.class.getName());
46          whitelist.add(Level.class.getName());
47          whitelist.add(Logger.class.getName());
48          whitelist.add(StackTraceElement.class.getName());
49          whitelist.add(StackTraceElement[].class.getName());
50          whitelist.add(ThrowableProxy.class.getName());
51          whitelist.add(ThrowableProxy[].class.getName());
52          whitelist.add(IThrowableProxy.class.getName());
53          whitelist.add(IThrowableProxy[].class.getName());
54          whitelist.add(StackTraceElementProxy.class.getName());
55          whitelist.add(StackTraceElementProxy[].class.getName());
56          whitelist.add(ClassPackagingData.class.getName());
57  
58          return whitelist;
59      }
60  
61      public HardenedLoggingEventInputStream(InputStream is) throws IOException {
62          super(is, getWhilelist());
63      }
64  
65      public HardenedLoggingEventInputStream(InputStream is, List<String> additionalAuthorizedClasses)
66              throws IOException {
67          this(is);
68          super.addToWhitelist(additionalAuthorizedClasses);
69      }
70  }