You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2019/02/17 11:09:10 UTC
Re: svn commit: r1853691 - in
/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util:
ObjectInputStream.java SafeObjectInputStream.java UtilObject.java
Hi,
There is a problem with this commit, I'm working on it...
Jacques
Le 16/02/2019 à 10:42, jleroux@apache.org a écrit :
> Author: jleroux
> Date: Sat Feb 16 09:42:03 2019
> New Revision: 1853691
>
> URL: http://svn.apache.org/viewvc?rev=1853691&view=rev
> Log:
> Improved: Improve ObjectInputStream class
> (OFBIZ-10837)
>
> As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1],
> a code smell in Findbugs[2]) when extending to use the same name than the
> extended Object
>
> [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
> [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
>
> Added:
> ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (with props)
> Removed:
> ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
> Modified:
> ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
>
> Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691&view=auto
> ==============================================================================
> --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (added)
> +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java Sat Feb 16 09:42:03 2019
> @@ -0,0 +1,86 @@
> +/*******************************************************************************
> + * Licensed to the Apache Software Foundation (ASF) under one
> + * or more contributor license agreements. See the NOTICE file
> + * distributed with this work for additional information
> + * regarding copyright ownership. The ASF licenses this file
> + * to you under the Apache License, Version 2.0 (the
> + * "License"); you may not use this file except in compliance
> + * with the License. You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing,
> + * software distributed under the License is distributed on an
> + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> + * KIND, either express or implied. See the License for the
> + * specific language governing permissions and limitations
> + * under the License.
> + *******************************************************************************/
> +package org.apache.ofbiz.base.util;
> +
> +import java.io.IOException;
> +import java.io.InputStream;
> +import java.io.ObjectStreamClass;
> +import java.lang.reflect.Proxy;
> +import java.util.List;
> +import java.util.regex.Pattern;
> +
> +/**
> + * ObjectInputStream
> + *
> + */
> +public class SafeObjectInputStream extends java.io.ObjectInputStream implements AutoCloseable {
> +
> + private ClassLoader classloader;
> + private Pattern WHITELIST_PATTERN = null;
> +
> + public SafeObjectInputStream(InputStream in, ClassLoader loader) throws IOException {
> + super(in);
> + this.classloader = loader;
> + }
> +
> + public SafeObjectInputStream(InputStream in, ClassLoader loader, List<String> whitelist) throws IOException {
> + super(in);
> + this.classloader = loader;
> + StringBuilder bld = new StringBuilder("(");
> + for (int i = 0; i < whitelist.size(); i++) {
> + bld.append(whitelist.get(i));
> + if (i != whitelist.size() - 1) {
> + bld.append("|");
> + }
> + }
> + bld.append(")");
> + WHITELIST_PATTERN = Pattern.compile(bld.toString());
> + }
> +
> +
> + /**
> + * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass)
> + */
> + @Override
> + protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
> + if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) {
> + throw new ClassCastException("Incompatible class: " + classDesc.getName());
> + }
> +
> + return ObjectType.loadClass(classDesc.getName(), classloader);
> + }
> +
> + /**
> + * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[])
> + */
> + @Override
> + protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
> + Class<?>[] cinterfaces = new Class<?>[interfaces.length];
> + for (int i = 0; i < interfaces.length; i++) {
> + cinterfaces[i] = classloader.loadClass(interfaces[i]);
> + }
> +
> + try {
> + return Proxy.getProxyClass(classloader, cinterfaces);
> + } catch (IllegalArgumentException e) {
> + throw new ClassNotFoundException(null, e);
> + }
> +
> + }
> +}
>
> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
> ------------------------------------------------------------------------------
> svn:eol-style = native
>
> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
> ------------------------------------------------------------------------------
> svn:keywords = Date Rev Author URL Id
>
> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
> ------------------------------------------------------------------------------
> svn:mime-type = text/plain
>
> Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1853691&r1=1853690&r2=1853691&view=diff
> ==============================================================================
> --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
> +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sat Feb 16 09:42:03 2019
> @@ -139,16 +139,12 @@ public final class UtilObject {
>
> /** Deserialize a byte array back to an object */
> public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
> - ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
> - try {
> - ObjectInputStream ois = new ObjectInputStream(bis, Thread.currentThread().getContextClassLoader());
> - try {
> - return ois.readObject();
> - } finally {
> - ois.close();
> - }
> - } finally {
> - bis.close();
> + try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
> + SafeObjectInputStream wois = new SafeObjectInputStream(bis,
> + Thread.currentThread().getContextClassLoader(),
> + java.util.Arrays.asList("byte\\[\\]", "Number", "Long", "foo", "SerializationInjector"));
> + ) { // byte[] used in EntityCrypto::doDecrypt, all others used in UtilObjectTests::testGetObject
> + return wois.readObject();
> }
> }
>
>
>
>
Re: svn commit: r1853691 - in
/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util:
ObjectInputStream.java SafeObjectInputStream.java UtilObject.java
Posted by Jacques Le Roux <ja...@les7arts.com>.
It's fixed so far, I have added a warning
Jacques
Le 17/02/2019 à 12:09, Jacques Le Roux a écrit :
> Hi,
>
> There is a problem with this commit, I'm working on it...
>
> Jacques
>
> Le 16/02/2019 à 10:42, jleroux@apache.org a écrit :
>> Author: jleroux
>> Date: Sat Feb 16 09:42:03 2019
>> New Revision: 1853691
>>
>> URL: http://svn.apache.org/viewvc?rev=1853691&view=rev
>> Log:
>> Improved: Improve ObjectInputStream class
>> (OFBIZ-10837)
>>
>> As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1],
>> a code smell in Findbugs[2]) when extending to use the same name than the
>> extended Object
>>
>> [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
>> [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
>>
>> Added:
>> ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (with props)
>> Removed:
>> ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
>> Modified:
>> ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
>>
>> Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691&view=auto
>> ==============================================================================
>> --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (added)
>> +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java Sat Feb 16 09:42:03 2019
>> @@ -0,0 +1,86 @@
>> +/*******************************************************************************
>> + * Licensed to the Apache Software Foundation (ASF) under one
>> + * or more contributor license agreements. See the NOTICE file
>> + * distributed with this work for additional information
>> + * regarding copyright ownership. The ASF licenses this file
>> + * to you under the Apache License, Version 2.0 (the
>> + * "License"); you may not use this file except in compliance
>> + * with the License. You may obtain a copy of the License at
>> + *
>> + * http://www.apache.org/licenses/LICENSE-2.0
>> + *
>> + * Unless required by applicable law or agreed to in writing,
>> + * software distributed under the License is distributed on an
>> + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>> + * KIND, either express or implied. See the License for the
>> + * specific language governing permissions and limitations
>> + * under the License.
>> + *******************************************************************************/
>> +package org.apache.ofbiz.base.util;
>> +
>> +import java.io.IOException;
>> +import java.io.InputStream;
>> +import java.io.ObjectStreamClass;
>> +import java.lang.reflect.Proxy;
>> +import java.util.List;
>> +import java.util.regex.Pattern;
>> +
>> +/**
>> + * ObjectInputStream
>> + *
>> + */
>> +public class SafeObjectInputStream extends java.io.ObjectInputStream implements AutoCloseable {
>> +
>> + private ClassLoader classloader;
>> + private Pattern WHITELIST_PATTERN = null;
>> +
>> + public SafeObjectInputStream(InputStream in, ClassLoader loader) throws IOException {
>> + super(in);
>> + this.classloader = loader;
>> + }
>> +
>> + public SafeObjectInputStream(InputStream in, ClassLoader loader, List<String> whitelist) throws IOException {
>> + super(in);
>> + this.classloader = loader;
>> + StringBuilder bld = new StringBuilder("(");
>> + for (int i = 0; i < whitelist.size(); i++) {
>> + bld.append(whitelist.get(i));
>> + if (i != whitelist.size() - 1) {
>> + bld.append("|");
>> + }
>> + }
>> + bld.append(")");
>> + WHITELIST_PATTERN = Pattern.compile(bld.toString());
>> + }
>> +
>> +
>> + /**
>> + * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass)
>> + */
>> + @Override
>> + protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
>> + if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) {
>> + throw new ClassCastException("Incompatible class: " + classDesc.getName());
>> + }
>> +
>> + return ObjectType.loadClass(classDesc.getName(), classloader);
>> + }
>> +
>> + /**
>> + * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[])
>> + */
>> + @Override
>> + protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
>> + Class<?>[] cinterfaces = new Class<?>[interfaces.length];
>> + for (int i = 0; i < interfaces.length; i++) {
>> + cinterfaces[i] = classloader.loadClass(interfaces[i]);
>> + }
>> +
>> + try {
>> + return Proxy.getProxyClass(classloader, cinterfaces);
>> + } catch (IllegalArgumentException e) {
>> + throw new ClassNotFoundException(null, e);
>> + }
>> +
>> + }
>> +}
>>
>> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
>> ------------------------------------------------------------------------------
>> svn:eol-style = native
>>
>> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
>> ------------------------------------------------------------------------------
>> svn:keywords = Date Rev Author URL Id
>>
>> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
>> ------------------------------------------------------------------------------
>> svn:mime-type = text/plain
>>
>> Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1853691&r1=1853690&r2=1853691&view=diff
>> ==============================================================================
>> --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
>> +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sat Feb 16 09:42:03 2019
>> @@ -139,16 +139,12 @@ public final class UtilObject {
>> /** Deserialize a byte array back to an object */
>> public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
>> - ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
>> - try {
>> - ObjectInputStream ois = new ObjectInputStream(bis, Thread.currentThread().getContextClassLoader());
>> - try {
>> - return ois.readObject();
>> - } finally {
>> - ois.close();
>> - }
>> - } finally {
>> - bis.close();
>> + try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
>> + SafeObjectInputStream wois = new SafeObjectInputStream(bis,
>> + Thread.currentThread().getContextClassLoader(),
>> + java.util.Arrays.asList("byte\\[\\]", "Number", "Long", "foo", "SerializationInjector"));
>> + ) { // byte[] used in EntityCrypto::doDecrypt, all others used in UtilObjectTests::testGetObject
>> + return wois.readObject();
>> }
>> }
>>
>>
>>
>