You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by bd...@apache.org on 2015/11/11 10:54:22 UTC
svn commit: r1713792 - in
/sling/whiteboard/bdelacretaz/safe-object-input-stream/src:
main/java/org/apache/sling/deserialization/
test/java/org/apache/sling/deserialization/
Author: bdelacretaz
Date: Wed Nov 11 09:54:22 2015
New Revision: 1713792
URL: http://svn.apache.org/viewvc?rev=1713792&view=rev
Log:
Use ClassAcceptor interface and HashSet as suggested by Alex Klimetschek, thanks!
Added:
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/WhitelistClassAcceptor.java
Removed:
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassValidator.java
Modified:
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/SafeObjectInputStream.java
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java
Added: sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java
URL: http://svn.apache.org/viewvc/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java?rev=1713792&view=auto
==============================================================================
--- sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java (added)
+++ sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/ClassAcceptor.java Wed Nov 11 09:54:22 2015
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.deserialization;
+
+/** Validates a Class name against a list of acceptable names */
+public interface ClassAcceptor {
+ public static class ClassRejectedException extends ClassNotFoundException {
+ private static final long serialVersionUID = 5167088116102415772L;
+
+ ClassRejectedException() {
+ super("The supplied class is not in our set of allowed classes");
+ }
+ }
+
+ /** Check if the supplied class name is accepted.
+ * @param className fully qualified class name
+ * @throws ClassRejectedException if the class is not accepted
+ */
+ void accept(String className) throws ClassRejectedException;
+}
\ No newline at end of file
Modified: sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/SafeObjectInputStream.java
URL: http://svn.apache.org/viewvc/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/SafeObjectInputStream.java?rev=1713792&r1=1713791&r2=1713792&view=diff
==============================================================================
--- sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/SafeObjectInputStream.java (original)
+++ sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/SafeObjectInputStream.java Wed Nov 11 09:54:22 2015
@@ -27,16 +27,16 @@ import java.io.ObjectStreamClass;
* inspired by http://www.ibm.com/developerworks/library/se-lookahead/
*/
public class SafeObjectInputStream extends ObjectInputStream {
- private final ClassValidator validator;
+ private final ClassAcceptor acceptor;
- SafeObjectInputStream(InputStream input, Class<?> ... allowedClasses) throws IOException {
+ SafeObjectInputStream(InputStream input, ClassAcceptor acceptor) throws IOException {
super(input);
- validator = new ClassValidator(allowedClasses);
+ this.acceptor = acceptor;
}
@Override
protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException {
- validator.validateClass(osc.getName());
+ acceptor.accept(osc.getName());
return super.resolveClass(osc);
}
}
Added: sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/WhitelistClassAcceptor.java
URL: http://svn.apache.org/viewvc/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/WhitelistClassAcceptor.java?rev=1713792&view=auto
==============================================================================
--- sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/WhitelistClassAcceptor.java (added)
+++ sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/WhitelistClassAcceptor.java Wed Nov 11 09:54:22 2015
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.deserialization;
+
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
+
+/** Validates a Class name against a list of acceptable names */
+public class WhitelistClassAcceptor implements ClassAcceptor {
+ private final Set<String> allowedClassesSet;
+
+ public WhitelistClassAcceptor(Class<?> ... allowedClasses) throws IOException {
+ allowedClassesSet = new HashSet<String>();
+ for(Class<? >c : allowedClasses) {
+ allowedClassesSet.add(c.getName());
+ }
+ }
+
+ public void accept(String className) throws ClassAcceptor.ClassRejectedException {
+ if(!allowedClassesSet.contains(className)) {
+ throw new ClassRejectedException();
+ }
+ }
+}
\ No newline at end of file
Modified: sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java
URL: http://svn.apache.org/viewvc/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java?rev=1713792&r1=1713791&r2=1713792&view=diff
==============================================================================
--- sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java (original)
+++ sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java Wed Nov 11 09:54:22 2015
@@ -37,6 +37,7 @@ import org.junit.Test;
public class SafeObjectInputStreamTest {
private List<Closeable> toClose;
+ protected ClassAcceptor acceptor;
private <T extends Closeable> T willClose(T t) {
toClose.add(t);
@@ -58,41 +59,38 @@ public class SafeObjectInputStreamTest {
}
}
- private void testSerialize(Class<?> ... allowedClasses) throws Exception {
+ private void testSerialize() throws Exception {
final TestSerializable ts = new TestSerializable(UUID.randomUUID().toString());
final ByteArrayOutputStream bos = willClose(new ByteArrayOutputStream());
final ObjectOutputStream oos = willClose(new ObjectOutputStream(bos));
oos.writeObject(ts);
final InputStream is = willClose(new ByteArrayInputStream(bos.toByteArray()));
- final ObjectInput ois = createInputStream(is, allowedClasses);
- if(ois instanceof Closeable) {
- willClose((Closeable)ois);
- }
+ final ObjectInput ois = willClose(new SafeObjectInputStream(is, acceptor));
final TestSerializable result = (TestSerializable)(ois.readObject());
assertEquals(ts, result);
}
- protected ObjectInput createInputStream(InputStream is, Class<?> ... allowedClasses) throws IOException {
- return new SafeObjectInputStream(is, allowedClasses);
- }
-
- @Test(expected=ClassValidator.NotAllowedException.class)
+ @Test(expected=ClassAcceptor.ClassRejectedException.class)
public void testNoAllowedClasses() throws Exception {
+ acceptor = new WhitelistClassAcceptor();
testSerialize();
}
- @Test(expected=ClassValidator.NotAllowedException.class)
+ @Test(expected=ClassAcceptor.ClassRejectedException.class)
public void testANotAllowed() throws Exception {
- testSerialize(Integer.class);
+ acceptor = new WhitelistClassAcceptor(Integer.class);
+ testSerialize();
}
@Test
public void testTestSerializableOnlyAllowed() throws Exception {
- testSerialize(TestSerializable.class);
+ acceptor = new WhitelistClassAcceptor(TestSerializable.class);
+ testSerialize();
}
@Test
public void testTestSerializableAllowed() throws Exception {
- testSerialize(Integer.class, TestSerializable.class);
+ acceptor = new WhitelistClassAcceptor(Integer.class, TestSerializable.class);
+ testSerialize();
}
}
\ No newline at end of file