public class ValidatingObjectInputStream
extends java.io.ObjectInputStream

Reading must be done using the safeRead methods, which set the validation parameters before reading. Any attempt to use the plain read methods directly will be blocked.
See OWASP.
Modifier and Type | Class and Description |
---|---|
private static class | ValidatingObjectInputStream.LimitedInputStream: Input stream that limits the amount of data that is permitted to be read. |
Modifier and Type | Field and Description |
---|---|
private ValidatingObjectInputStream.LimitedInputStream | in |
private int | maxObjects |
private int | readObjects |
private java.util.Collection<java.lang.Class<?>> | safeClasses |

Fields inherited from interface java.io.ObjectStreamConstants: baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
Modifier | Constructor and Description |
---|---|
private | ValidatingObjectInputStream(ValidatingObjectInputStream.LimitedInputStream in) |
Modifier and Type | Method and Description |
---|---|
static ValidatingObjectInputStream | build(java.io.InputStream in): Create a new input stream for reading objects. |
protected java.lang.Class<?> | resolveClass(java.io.ObjectStreamClass desc) |
protected java.lang.Object | resolveObject(java.lang.Object obj) |
long | safeReadLong(): Update validation parameters and read the next long from the stream. |
<T> T | safeReadObject(java.lang.Class<T> type, java.util.Collection<java.lang.Class<?>> safeClasses, int maxObjects, long maxBytes): Update validation parameters and read the next object from the stream. |
private void | updateValidation(java.util.Collection<java.lang.Class<?>> safeClasses, int maxObjects, long maxBytes) |
private void | zeroValidation() |

Methods inherited from class java.io.ObjectInputStream: available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveProxyClass, skipBytes
private ValidatingObjectInputStream.LimitedInputStream in
private java.util.Collection<java.lang.Class<?>> safeClasses
private int maxObjects
private int readObjects

private ValidatingObjectInputStream(ValidatingObjectInputStream.LimitedInputStream in) throws java.io.IOException
Throws:
- java.io.IOException
public static ValidatingObjectInputStream build(java.io.InputStream in) throws java.io.IOException
Create a new input stream for reading objects. Objects must be read with safeReadObject(Class, Collection, int, long), which updates the validation parameters before reading.
Parameters:
- in - stream to read from
Throws:
- java.io.IOException - on I/O error

public <T> T safeReadObject(java.lang.Class<T> type, java.util.Collection<java.lang.Class<?>> safeClasses, int maxObjects, long maxBytes) throws java.lang.ClassNotFoundException, java.io.IOException, java.lang.ClassCastException
Update validation parameters and read the next object from the stream.
Type Parameters:
- T - type of returned object
Parameters:
- type - Type to return. This type will be whitelisted. If the stored object may be of a subclass of this type, then the permitted subclasses must be included in safeClasses.
- safeClasses - Collection of whitelisted classes. This must include all classes used within the stored object.
- maxObjects - Maximum number of objects to read. This must be large enough to permit valid use, especially for collection objects.
- maxBytes - Maximum number of bytes to read from the stream. This must be large enough to permit valid use, especially for collection objects.
Throws:
- java.io.IOException - on I/O error
- java.lang.ClassNotFoundException - if the class of the stored object can't be found
- java.lang.ClassCastException - if the object is not of the specified type

public long safeReadLong() throws java.io.IOException
Update validation parameters and read the next long from the stream.
Throws:
- java.io.IOException - on I/O error

private void updateValidation(java.util.Collection<java.lang.Class<?>> safeClasses, int maxObjects, long maxBytes)

private void zeroValidation()
protected java.lang.Object resolveObject(java.lang.Object obj) throws java.io.IOException
Overrides:
- resolveObject in class java.io.ObjectInputStream
Throws:
- java.io.IOException

protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass desc) throws java.io.IOException, java.lang.ClassNotFoundException
Overrides:
- resolveClass in class java.io.ObjectInputStream
Throws:
- java.io.IOException
- java.lang.ClassNotFoundException
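As an added usage example (not code from this class's project), the following Java snippet serializes a constructed HashMap of a hypothetical Settings class and reads it back through build(InputStream) and safeReadObject(Class, Collection, int, long), once with Settings whitelisted and once without. It assumes ValidatingObjectInputStream is in the same package (the page names none), that HashMap and Settings are the classes whose descriptors appear in the stream and so need whitelisting, and, since the page does not say which exception signals a rejected class, the rejection branch catches Exception.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class SafeReadObjectDemo {

    // Constructed sample payload type (hypothetical); the only non-JDK class in the stream.
    static final class Settings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host;
        final int retries;
        Settings(String host, int retries) { this.host = host; this.retries = retries; }
    }

    // Serialize a value into a byte[] the way a remote client would send it.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Settings> expected = new HashMap<>();
        expected.put("primary", new Settings("db.example.internal", 3));
        byte[] wire = serialize(expected);

        // Allowed path: 'type' whitelists HashMap itself; every other class used inside
        // the object is listed in safeClasses. Limits are bounded but fit the real payload.
        ValidatingObjectInputStream in = ValidatingObjectInputStream.build(new ByteArrayInputStream(wire));
        @SuppressWarnings("unchecked")
        Map<String, Settings> restored = in.safeReadObject(HashMap.class, Set.of(Settings.class), 16, 4096);
        System.out.println(restored.get("primary").host);

        // Rejected path: same bytes, but Settings is absent from the whitelist, so the
        // stream is refused when the reader reaches the Settings class descriptor.
        ValidatingObjectInputStream strict = ValidatingObjectInputStream.build(new ByteArrayInputStream(wire));
        try {
            strict.safeReadObject(HashMap.class, Set.of(), 16, 4096);
            System.out.println("unexpected: stream accepted");
        } catch (Exception e) {
            System.out.println("rejected as expected: " + e.getClass().getSimpleName());
        }
    }
}
```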