ch.qos.logback.core.net.HardenedObjectInputStream

All Implemented Interfaces:: Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

Direct Known Subclasses:: HardenedLoggingEventInputStream

public class HardenedObjectInputStream extends ObjectInputStream

HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of explicitly whitelisted classes. This prevents certain type of attacks from being successful.

It is assumed that classes in the "java.lang" and "java.util" packages are always authorized.

Since:: 1.2.0
Author:: Ceki Gülcü

Nested Class Summary

Nested classes/interfaces inherited from class ObjectInputStream
ObjectInputStream.GetField
Field Summary

Fields inherited from interface ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
Constructor Summary

Constructors

Constructor

Description

HardenedObjectInputStream(InputStream in, String[] whitelist)

HardenedObjectInputStream(InputStream in, List<String> whitelist)
Method Summary

Modifier and Type

Method

Description

protected void

addToWhitelist(List<String> additionalAuthorizedClasses)

protected Class<?>

resolveClass(ObjectStreamClass anObjectStreamClass)

Methods inherited from class ObjectInputStream
available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes

Methods inherited from class InputStream
mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo

Methods inherited from class Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface ObjectInput
read, skip

Constructor Details
- HardenedObjectInputStream
  
  public HardenedObjectInputStream(InputStream in, String[] whitelist) throws IOException
  
  Throws:
  
  IOException
- HardenedObjectInputStream
  
  public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException
  
  Throws:
  
  IOException
Method Details
- resolveClass
  
  protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException
  
  Overrides:
  
  resolveClass in class ObjectInputStream
  
  Throws:
  
  IOException
  
  ClassNotFoundException
- addToWhitelist
  
  protected void addToWhitelist(List<String> additionalAuthorizedClasses)

Class HardenedObjectInputStream

Nested Class Summary

Nested classes/interfaces inherited from class ObjectInputStream

Field Summary

Fields inherited from interface ObjectStreamConstants

Constructor Summary

Method Summary

Methods inherited from class ObjectInputStream

Methods inherited from class InputStream

Methods inherited from class Object

Methods inherited from interface ObjectInput

Constructor Details

HardenedObjectInputStream

HardenedObjectInputStream

Method Details

resolveClass

addToWhitelist