Posted to commits@batchee.apache.org by rm...@apache.org on 2015/11/27 13:39:51 UTC

incubator-batchee git commit: adding whitelist to BlacklistClassResolver

Repository: incubator-batchee
Updated Branches:
  refs/heads/master cfd133c30 -> f16e52f91


adding whitelist to BlacklistClassResolver


Project: http://git-wip-us.apache.org/repos/asf/incubator-batchee/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-batchee/commit/f16e52f9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-batchee/tree/f16e52f9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-batchee/diff/f16e52f9

Branch: refs/heads/master
Commit: f16e52f917cf3c28998d7a246fefda7a2aa37918
Parents: cfd133c
Author: Romain Manni-Bucau <rm...@gmail.com>
Authored: Fri Nov 27 13:39:36 2015 +0100
Committer: Romain Manni-Bucau <rm...@gmail.com>
Committed: Fri Nov 27 13:39:36 2015 +0100

----------------------------------------------------------------------
 .../container/util/TCCLObjectInputStream.java   | 49 ++++++++++++++------
 1 file changed, 36 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-batchee/blob/f16e52f9/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
----------------------------------------------------------------------
diff --git a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
index e93e7bc..1f020a8 100755
--- a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
+++ b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
@@ -1,13 +1,13 @@
 /**
  * Copyright 2012 International Business Machines Corp.
- *
+ * <p/>
  * See the NOTICE file distributed with this work for additional information
  * regarding copyright ownership. Licensed under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -23,9 +23,11 @@ import java.io.ObjectStreamClass;
 import java.lang.reflect.Proxy;
 
 public class TCCLObjectInputStream extends ObjectInputStream {
-    private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
-        "batchee.BlacklistClassResolver",
-        "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split(" *, *"));
+    private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(
+        toArray(System.getProperty(
+            "batchee.serialization.class.blacklist",
+            "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan")),
+        toArray(System.getProperty("batchee.serialization.class.whitelist")));
 
     private final ClassLoader tccl;
 
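Review bot: The old key `batchee.BlacklistClassResolver` is no longer read after this rename, so a deployment that extended the blacklist through it silently falls back to the three default prefixes. Keeping it as a fallback would avoid that, e.g. `System.getProperty("batchee.serialization.class.blacklist", System.getProperty("batchee.BlacklistClassResolver", DEFAULT_BLACKLIST))`, where `DEFAULT_BLACKLIST` is a placeholder name for the existing default string. The whitelist stays null unless `batchee.serialization.class.whitelist` is set, so by default deserialization is still filtered by the blacklist alone. A comment on the field such as `// whitelist is opt-in; when unset only the blacklist prefixes are enforced` would make that visible to operators.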
@@ -53,22 +55,43 @@ public class TCCLObjectInputStream extends ObjectInputStream {
         }
     }
 
-    private static final class BlacklistClassResolver {
+    private static String[] toArray(final String property) {
+        return property == null ? null : property.split(" *, *");
+    }
+
+    private static class BlacklistClassResolver {
         private final String[] blacklist;
+        private final String[] whitelist;
 
-        protected BlacklistClassResolver(final String[] blacklist) {
+        protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+            this.whitelist = whitelist;
             this.blacklist = blacklist;
         }
 
+        protected boolean isBlacklisted(final String name) {
+            return (whitelist != null && !contains(whitelist, name)) || contains(blacklist, name);
+        }
+
         public final String check(final String name) {
-            if (blacklist != null) {
-                for (final String white : blacklist) {
+            if (isBlacklisted(name)) {
+                throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+            }
+            return name;
+        }
+
+        private static String[] toArray(final String property) {
+            return property == null ? null : property.split(" *, *");
+        }
+
+        private static boolean contains(final String[] list, String name) {
+            if (list != null) {
+                for (final String white : list) {
                     if (name.startsWith(white)) {
-                        throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+                        return true;
                     }
                 }
             }
-            return name;
+            return false;
         }
     }
 }
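Review bot: In `toArray`, an empty or comma-leading property value yields an empty entry, and `name.startsWith("")` is true for every class name, so `-Dbatchee.serialization.class.whitelist=` makes the whitelist accept everything instead of nothing. Leading or trailing whitespace is not stripped either, so a blacklist entry written as ` org.apache.xalan` never matches. The rewrite below trims entries and drops empty ones, which makes an empty whitelist reject every class. Because matching is by prefix, whitelist entries should end with `.` (`com.acme.` rather than `com.acme`) so they do not also admit `com.acmeother.*`. The second `toArray` inside `BlacklistClassResolver` looks unused in this hunk and duplicates the outer one, and the code that calls `check` is outside the hunk.

```java
private static String[] toArray(final String property) {
    if (property == null) {
        return null; // property not set: list disabled
    }
    final List<String> prefixes = new ArrayList<String>();
    for (final String entry : property.split(",")) {
        final String prefix = entry.trim();
        if (!prefix.isEmpty()) { // an empty prefix would match every class name
            prefixes.add(prefix);
        }
    }
    return prefixes.toArray(new String[prefixes.size()]);
}
// … unchanged: BlacklistClassResolver fields, constructor, isBlacklisted, check, contains …
```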