ch.qos.logback.core.net.HardenedObjectInputStream

All Implemented Interfaces:: Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

Direct Known Subclasses:: HardenedLoggingEventInputStream, HardenedModelInputStream

public class HardenedObjectInputStream extends ObjectInputStream

HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of explicitly whitelisted classes. This prevents certain type of attacks from being successful.

It is assumed that classes in the "java.lang" and "java.util" packages are always authorized.

Since:: 1.2.0
Author:: Ceki Gülcü

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream
ObjectInputStream.GetField
Field Summary

Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
Constructor Summary

Constructors

Constructor

Description

HardenedObjectInputStream(InputStream in, String[] whitelist)

HardenedObjectInputStream(InputStream in, List<String> whitelist)
Method Summary

Modifier and Type

Method

Description

protected void

addToWhitelist(List<String> additionalAuthorizedClasses)

protected Class<?>

resolveClass(ObjectStreamClass anObjectStreamClass)

Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes

Methods inherited from class java.io.InputStream
mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput
read, skip

Constructor Details
- HardenedObjectInputStream
  
  public HardenedObjectInputStream(InputStream in, String[] whitelist) throws IOException
  
  Throws:
  
  IOException
- HardenedObjectInputStream
  
  public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException
  
  Throws:
  
  IOException
Method Details
- resolveClass
  
  protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException
  
  Overrides:
  
  resolveClass in class ObjectInputStream
  
  Throws:
  
  IOException
  
  ClassNotFoundException
- addToWhitelist
  
  protected void addToWhitelist(List<String> additionalAuthorizedClasses)

Class HardenedObjectInputStream

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

Constructor Summary

Method Summary

Methods inherited from class java.io.ObjectInputStream

Methods inherited from class java.io.InputStream

Methods inherited from class java.lang.Object

Methods inherited from interface java.io.ObjectInput

Constructor Details

HardenedObjectInputStream

HardenedObjectInputStream

Method Details

resolveClass

addToWhitelist