001/** 002 * Logback: the reliable, generic, fast and flexible logging framework. 003 * Copyright (C) 1999-2022, QOS.ch. All rights reserved. 004 * 005 * This program and the accompanying materials are dual-licensed under 006 * either the terms of the Eclipse Public License v1.0 as published by 007 * the Eclipse Foundation 008 * 009 * or (per the licensee's choosing) 010 * 011 * under the terms of the GNU Lesser General Public License version 2.1 012 * as published by the Free Software Foundation. 013 */ 014package ch.qos.logback.classic.net.server; 015 016import java.io.IOException; 017import java.io.InputStream; 018import java.util.ArrayList; 019import java.util.List; 020 021import org.slf4j.helpers.BasicMarker; 022 023import ch.qos.logback.classic.Level; 024import ch.qos.logback.classic.Logger; 025import ch.qos.logback.classic.spi.ClassPackagingData; 026import ch.qos.logback.classic.spi.IThrowableProxy; 027import ch.qos.logback.classic.spi.LoggerContextVO; 028import ch.qos.logback.classic.spi.LoggerRemoteView; 029import ch.qos.logback.classic.spi.LoggingEventVO; 030import ch.qos.logback.classic.spi.StackTraceElementProxy; 031import ch.qos.logback.classic.spi.ThrowableProxy; 032import ch.qos.logback.classic.spi.ThrowableProxyVO; 033import ch.qos.logback.core.net.HardenedObjectInputStream; 034 035public class HardenedLoggingEventInputStream extends HardenedObjectInputStream { 036 037 static final String ARRAY_PREFIX = "[L"; 038 039 static public List<String> getWhilelist() { 040 List<String> whitelist = new ArrayList<String>(); 041 whitelist.add(LoggingEventVO.class.getName()); 042 whitelist.add(LoggerContextVO.class.getName()); 043 whitelist.add(LoggerRemoteView.class.getName()); 044 whitelist.add(ThrowableProxyVO.class.getName()); 045 whitelist.add(BasicMarker.class.getName()); 046 whitelist.add(Level.class.getName()); 047 whitelist.add(Logger.class.getName()); 048 whitelist.add(StackTraceElement.class.getName()); 049 whitelist.add(StackTraceElement[].class.getName()); 050 whitelist.add(ThrowableProxy.class.getName()); 051 whitelist.add(ThrowableProxy[].class.getName()); 052 whitelist.add(IThrowableProxy.class.getName()); 053 whitelist.add(IThrowableProxy[].class.getName()); 054 whitelist.add(StackTraceElementProxy.class.getName()); 055 whitelist.add(StackTraceElementProxy[].class.getName()); 056 whitelist.add(ClassPackagingData.class.getName()); 057 058 return whitelist; 059 } 060 061 public HardenedLoggingEventInputStream(InputStream is) throws IOException { 062 super(is, getWhilelist()); 063 } 064 065 public HardenedLoggingEventInputStream(InputStream is, List<String> additionalAuthorizedClasses) 066 throws IOException { 067 this(is); 068 super.addToWhitelist(additionalAuthorizedClasses); 069 } 070}