Package ch.qos.logback.core.net
Class HardenedObjectInputStream
java.lang.Object
java.io.InputStream
java.io.ObjectInputStream
ch.qos.logback.core.net.HardenedObjectInputStream
- All Implemented Interfaces:
Closeable,DataInput,ObjectInput,ObjectStreamConstants,AutoCloseable
- Direct Known Subclasses:
HardenedAccessEventInputStream,HardenedLoggingEventInputStream
HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of
explicitly whitelisted classes. This prevents certain type of attacks from being successful.
It is assumed that classes in the "java.lang" and "java.util" packages are always authorized.
- Since:
- 1.2.0
-
Nested Class Summary
Nested classes/interfaces inherited from class java.io.ObjectInputStream
ObjectInputStream.GetField -
Field Summary
FieldsFields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING -
Constructor Summary
ConstructorsConstructorDescriptionHardenedObjectInputStream(InputStream in, String[] whilelist) HardenedObjectInputStream(InputStream in, List<String> whitelist) -
Method Summary
Modifier and TypeMethodDescriptionprotected voidaddToWhitelist(List<String> additionalAuthorizedClasses) private booleanisWhitelisted(String incomingClassName) protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytesMethods inherited from class java.io.InputStream
mark, markSupported, read, reset, skipMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface java.io.ObjectInput
read, skip
-
Field Details
-
whitelistedClassNames
-
JAVA_PACKAGES
-
-
Constructor Details
-
HardenedObjectInputStream
- Throws:
IOException
-
HardenedObjectInputStream
- Throws:
IOException
-
-
Method Details
-
resolveClass
protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException - Overrides:
resolveClassin classObjectInputStream- Throws:
IOExceptionClassNotFoundException
-
isWhitelisted
-
addToWhitelist
-