- java.lang.Object
  - java.io.InputStream
    - java.io.ObjectInputStream
      - ch.qos.logback.core.net.HardenedObjectInputStream
- All Implemented Interfaces:
Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable
- Direct Known Subclasses:
HardenedLoggingEventInputStream
public class HardenedObjectInputStream extends ObjectInputStream
HardenedObjectInputStream restricts the set of classes that can be deserialized to an explicit whitelist of class names, supplied at construction and optionally widened by subclasses through addToWhitelist. Any other class encountered in the stream is rejected when its descriptor is resolved, which defeats deserialization attacks that depend on instantiating classes the receiver never intended to accept, typically gadget classes that happen to be on the classpath. Classes in the "java.lang" and "java.util" packages are always authorized. Because java.util alone contains classes that appear in known gadget chains, the protection rests on every chain also needing at least one class outside the whitelist, so keep the whitelist as narrow as the expected payloads allow.
- Since:
- 1.2.0
- Author:
- Ceki Gülcü
-
-
Nested Class Summary
-
Nested classes/interfaces inherited from class java.io.ObjectInputStream
ObjectInputStream.GetField
-
-
Field Summary
-
Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
-
-
Constructor Summary
- HardenedObjectInputStream(Context context, InputStream in, String[] whitelistStrings)
- HardenedObjectInputStream(Context context, InputStream in, List<String> whitelist)
-
Method Summary
- protected void addToWhitelist(List<String> additionalAuthorizedClasses)
- protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass)
- protected Class<?> resolveProxyClass(String[] interfaces)
  There is no reason to have proxy classes in logback deserialization, so this override always throws, closing any potential bypass that could be achieved through proxy classes.
Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, setObjectInputFilter, skipBytes
-
Methods inherited from class java.io.InputStream
mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface java.io.ObjectInput
read, skip
-
-
-
-
Constructor Detail
-
HardenedObjectInputStream
public HardenedObjectInputStream(Context context, InputStream in, String[] whitelistStrings) throws IOException
- Throws:
IOException
-
HardenedObjectInputStream
public HardenedObjectInputStream(Context context, InputStream in, List<String> whitelist) throws IOException
- Throws:
IOException
-
-
Method Detail
-
resolveClass
protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException
Enforces the whitelist: a class descriptor whose name is neither whitelisted nor in the java.lang or java.util packages is rejected before the class is resolved; otherwise resolution is delegated to ObjectInputStream.resolveClass.
- Overrides:
resolveClass in class ObjectInputStream
- Throws:
IOException, ClassNotFoundException
-
resolveProxyClass
protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException
There is no reason to have proxy classes in logback deserialization, so this override always throws instead of resolving the proxy. Proxy class descriptors are resolved through this method rather than through resolveClass, so leaving the inherited implementation in place would give the stream a class-resolution path that the whitelist never inspects.
- Overrides:
resolveProxyClass in class ObjectInputStream
- Parameters:
interfaces - the list of interface names that were deserialized in the proxy class descriptor
- Returns:
does not return normally
- Throws:
IOException, ClassNotFoundException
- Since:
1.5.34
-
addToWhitelist
protected void addToWhitelist(List<String> additionalAuthorizedClasses)
Adds the given class names to the set of authorized classes. The method is protected, so only subclasses (such as HardenedLoggingEventInputStream) can widen the whitelist, typically from their constructor.
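A worked example of the class description and of the subclass pattern around addToWhitelist, added here and not part of logback's documentation or source: a subclass seeds the whitelist through the constructor, widens it with addToWhitelist, and then reads four constructed payloads to show what the restriction does and does not cover. It assumes that a plain ch.qos.logback.core.ContextBase is an acceptable Context argument and that whitelist entries are fully qualified class names matched against the class names in the stream; because this page does not document the exception type thrown on rejection, the example catches the two checked exceptions that readObject declares. The AuditRecord, Detail and Unexpected types and the AuditInputStream subclass are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

import ch.qos.logback.core.Context;
import ch.qos.logback.core.ContextBase;
import ch.qos.logback.core.net.HardenedObjectInputStream;

public class HardenedReadExample {

    // Hypothetical application types we are willing to accept from the wire.
    public static final class AuditRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final Object detail;   // any Serializable; its class is checked as well
        AuditRecord(String user, Object detail) { this.user = user; this.detail = detail; }
    }

    public static final class Detail implements Serializable {
        private static final long serialVersionUID = 1L;
        final int code;
        Detail(int code) { this.code = code; }
    }

    // Hypothetical type deliberately left off the whitelist.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Subclass pattern: seed the whitelist via the constructor, then widen it
    // with the protected addToWhitelist, as a subclass carrying extra field
    // types would.
    static final class AuditInputStream extends HardenedObjectInputStream {
        AuditInputStream(Context ctx, InputStream in) throws IOException {
            super(ctx, in, List.of(AuditRecord.class.getName()));
            addToWhitelist(List.of(Detail.class.getName()));
        }
    }

    // Constructed payload: plain Java serialization of an object graph.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reads one payload through the hardened stream and reports the outcome.
    // The rejection exception type is not documented on this page, so both
    // checked exceptions declared by readObject are caught.
    static String readHardened(Context ctx, byte[] bytes) {
        try (AuditInputStream in = new AuditInputStream(ctx, new ByteArrayInputStream(bytes))) {
            Object o = in.readObject();
            return "accepted " + o.getClass().getName();
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        Context ctx = new ContextBase();   // assumption: a bare ContextBase suffices here

        // 1. Every class in the object graph is whitelisted.
        System.out.println(readHardened(ctx, serialize(new AuditRecord("alice", new Detail(42)))));

        // 2. java.util types are always authorized, whitelist or not.
        System.out.println(readHardened(ctx, serialize(new ArrayList<>(List.of("x")))));

        // 3. Root class is whitelisted but a field's class is not: still rejected,
        //    because resolveClass runs for every class descriptor in the stream.
        System.out.println(readHardened(ctx, serialize(new AuditRecord("bob", new Unexpected()))));

        // 4. Non-whitelisted root class: rejected at class-resolution time,
        //    before the class is instantiated.
        System.out.println(readHardened(ctx, serialize(new Unexpected())));
    }
}
```

Case 3 is the one that catches people out: the whitelist is consulted for every class descriptor in the stream, not only for the root object, so every class reachable through the object graph has to be listed (boxed primitives and java.util collections pass because of the java.lang / java.util rule). For defense in depth, the inherited setObjectInputFilter can additionally cap array sizes and graph depth, which a name-based whitelist does not address.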
-
-