Class HardenedObjectInputStream

java.lang.Object
  java.io.InputStream
    java.io.ObjectInputStream
      ch.qos.logback.core.net.HardenedObjectInputStream

- All Implemented Interfaces:
  Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable
- Direct Known Subclasses:
  HardenedLoggingEventInputStream
HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of explicitly whitelisted classes. This prevents certain types of deserialization attacks from succeeding.

It is assumed that classes in the "java.lang" and "java.util" packages are always authorized.
- Since:
  1.2.0
- Author:
  Ceki Gülcü
Nested Class Summary

Nested classes/interfaces inherited from class ObjectInputStream
  ObjectInputStream.GetField

Field Summary

Fields inherited from interface ObjectStreamConstants
  baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
Constructor Summary

Constructors:
- HardenedObjectInputStream(Context context, InputStream in, String[] whitelistStrings)
- HardenedObjectInputStream(Context context, InputStream in, List<String> whitelist)
Method Summary

Modifier and Type / Method / Description:
- protected void addToWhitelist(List<String> additionalAuthorizedClasses)
- protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass)
- protected Class<?> resolveProxyClass(String[] interfaces)
  There is no reason to have proxy classes in logback deserialization, so we just throw an exception here to prevent any potential bypasses that could be achieved through proxy classes.

Methods inherited from class ObjectInputStream
  available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, setObjectInputFilter, skipBytes

Methods inherited from class InputStream
  mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo

Methods inherited from class Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface ObjectInput
  read, skip
Constructor Details

- HardenedObjectInputStream
  public HardenedObjectInputStream(Context context, InputStream in, String[] whitelistStrings) throws IOException
  - Throws:
    IOException

- HardenedObjectInputStream
  public HardenedObjectInputStream(Context context, InputStream in, List<String> whitelist) throws IOException
  - Throws:
    IOException
Method Details

- resolveClass
  protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException
  - Overrides:
    resolveClass in class ObjectInputStream
  - Throws:
    IOException, ClassNotFoundException

- resolveProxyClass
  protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException
  There is no reason to have proxy classes in logback deserialization, so we just throw an exception here to prevent any potential bypasses that could be achieved through proxy classes.
  - Overrides:
    resolveProxyClass in class ObjectInputStream
  - Parameters:
    interfaces - the list of interface names that were deserialized in the proxy class descriptor
  - Returns:
  - Throws:
    IOException, ClassNotFoundException
  - Since:
    1.5.34
-
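The class description and the resolveProxyClass entry above describe the contract but not how such a stream behaves at runtime. The following is an added example, not logback's own code: a stand-alone ObjectInputStream subclass (hypothetical name AllowlistObjectInputStream) that implements the same two ideas, an explicit class allowlist checked in resolveClass with java.lang and java.util treated as always authorized, and an unconditional refusal of dynamic proxy descriptors in resolveProxyClass. It also shows the effect on a serialized stream that references a class outside the list. The sample classes Greeting and NotAllowed are constructed for the demo; the array unwrapping in isAuthorized is an added convenience the page does not describe.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Illustrative allowlisting stream (added example; not ch.qos.logback.core.net.HardenedObjectInputStream).
public class AllowlistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowlist = new HashSet<>();

    public AllowlistObjectInputStream(InputStream in, List<String> allowedClassNames) throws IOException {
        super(in);
        allowlist.addAll(allowedClassNames);
    }

    // Counterpart of the documented addToWhitelist: subclasses may admit further classes.
    protected void addToAllowlist(List<String> additionalAuthorizedClasses) {
        allowlist.addAll(additionalAuthorizedClasses);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (isAuthorized(name)) {
            return super.resolveClass(desc);
        }
        // Reject before any class loading happens: an unlisted name never reaches Class.forName.
        throw new InvalidClassException(name, "Unauthorized deserialization attempt");
    }

    // Dynamic proxies are never needed here, so they are refused outright rather than inspected.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException("Proxy classes are not allowed: " + Arrays.toString(interfaces));
    }

    private boolean isAuthorized(String name) {
        // Unwrap array descriptors such as "[Lcom.example.Foo;" down to the component class.
        int dims = 0;
        while (dims < name.length() && name.charAt(dims) == '[') dims++;
        if (dims > 0) {
            String component = name.substring(dims);
            if (component.length() == 1) return true;                       // primitive array, e.g. "[I"
            return isAuthorized(component.substring(1, component.length() - 1)); // "Lx.Y;" -> "x.Y"
        }
        // Assumption taken from the Javadoc: java.lang and java.util are always authorized.
        if (name.startsWith("java.lang.") || name.startsWith("java.util.")) return true;
        return allowlist.contains(name);
    }

    // Constructed sample classes for the demo below.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<String> allowed = List.of(Greeting.class.getName());
        byte[] okStream = serialize(new Greeting("hello"));
        byte[] badStream = serialize(new NotAllowed());

        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(okStream), allowed)) {
            Greeting g = (Greeting) in.readObject();
            System.out.println("accepted: " + g.text);
        }
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(badStream), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            // The unlisted class descriptor is refused before the object is materialised.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check runs on the class name carried in the stream's class descriptor, which is the only point at which the reader can decline a type before the JVM loads it; keeping the allowlist explicit (rather than a denylist of known-bad classes) is what gives the documented stream its guarantee.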
addToWhitelist
-