Posted to commits@batchee.apache.org by rm...@apache.org on 2015/11/27 13:39:51 UTC
incubator-batchee git commit: adding whitelist to
BlacklistClassResolver
Repository: incubator-batchee
Updated Branches:
refs/heads/master cfd133c30 -> f16e52f91
adding whitelist to BlacklistClassResolver
Project: http://git-wip-us.apache.org/repos/asf/incubator-batchee/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-batchee/commit/f16e52f9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-batchee/tree/f16e52f9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-batchee/diff/f16e52f9
Branch: refs/heads/master
Commit: f16e52f917cf3c28998d7a246fefda7a2aa37918
Parents: cfd133c
Author: Romain Manni-Bucau <rm...@gmail.com>
Authored: Fri Nov 27 13:39:36 2015 +0100
Committer: Romain Manni-Bucau <rm...@gmail.com>
Committed: Fri Nov 27 13:39:36 2015 +0100
----------------------------------------------------------------------
.../container/util/TCCLObjectInputStream.java | 49 ++++++++++++++------
1 file changed, 36 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-batchee/blob/f16e52f9/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
----------------------------------------------------------------------
diff --git a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
index e93e7bc..1f020a8 100755
--- a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
+++ b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
@@ -1,13 +1,13 @@
/**
* Copyright 2012 International Business Machines Corp.
- *
+ * <p/>
* See the NOTICE file distributed with this work for additional information
* regarding copyright ownership. Licensed under the Apache License,
* Version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -23,9 +23,11 @@ import java.io.ObjectStreamClass;
import java.lang.reflect.Proxy;
public class TCCLObjectInputStream extends ObjectInputStream {
- private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
- "batchee.BlacklistClassResolver",
- "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split(" *, *"));
+ private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(
+ toArray(System.getProperty(
+ "batchee.serialization.class.blacklist",
+ "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan")),
+ toArray(System.getProperty("batchee.serialization.class.whitelist")));
private final ClassLoader tccl;
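Review bot: Renaming the key from `batchee.BlacklistClassResolver` to `batchee.serialization.class.blacklist` means a deployment that still sets the old property silently falls back to the three default prefixes, which can narrow its deserialization filter without any warning. Consider honouring the old key as a fallback, e.g. `System.getProperty("batchee.serialization.class.blacklist", System.getProperty("batchee.BlacklistClassResolver", DEFAULT_BLACKLIST))`, where `DEFAULT_BLACKLIST` would be a new constant holding the existing default string, or at least logging when the old key is present. The whitelist stays `null` unless `batchee.serialization.class.whitelist` is set, so the out-of-the-box behaviour is still deny-list only; a comment on the field saying so would help operators decide whether to configure an allow-list.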
@@ -53,22 +55,43 @@ public class TCCLObjectInputStream extends ObjectInputStream {
}
}
- private static final class BlacklistClassResolver {
+ private static String[] toArray(final String property) {
+ return property == null ? null : property.split(" *, *");
+ }
+
+ private static class BlacklistClassResolver {
private final String[] blacklist;
+ private final String[] whitelist;
- protected BlacklistClassResolver(final String[] blacklist) {
+ protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+ this.whitelist = whitelist;
this.blacklist = blacklist;
}
+ protected boolean isBlacklisted(final String name) {
+ return (whitelist != null && !contains(whitelist, name)) || contains(blacklist, name);
+ }
+
public final String check(final String name) {
- if (blacklist != null) {
- for (final String white : blacklist) {
+ if (isBlacklisted(name)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ return name;
+ }
+
+ private static String[] toArray(final String property) {
+ return property == null ? null : property.split(" *, *");
+ }
+
+ private static boolean contains(final String[] list, String name) {
+ if (list != null) {
+ for (final String white : list) {
if (name.startsWith(white)) {
- throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ return true;
}
}
}
- return name;
+ return false;
}
}
}
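Review bot: In `contains`, `name.startsWith(white)` is true for an empty entry, and `toArray` produces one for an empty property value or a leading comma (`"".split(" *, *")` is `[""]`), so `-Dbatchee.serialization.class.whitelist=` makes every class pass the whitelist test, and an empty blacklist value rejects every class. Skipping empty entries closes this: `if (!white.isEmpty() && name.startsWith(white)) {`. Matching is by raw prefix, so a whitelist entry such as `com.acme` (constructed example) also admits `com.acmeevil.Foo`; a comment on `isBlacklisted` should state that an entry needs a trailing `.` to mean a package. The `toArray` added inside `BlacklistClassResolver` duplicates the outer one and looks unused from the lines shown.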