2022-06-10 16:23:28 +01:00
|
|
|
import java.io.IOException;
|
|
|
|
|
import java.io.InputStream;
|
|
|
|
|
import java.io.ObjectInputStream;
|
|
|
|
|
import java.io.ObjectStreamClass;
|
2022-06-14 19:54:55 +01:00
|
|
|
import java.util.ArrayList;
|
|
|
|
|
import java.util.List;
|
2022-06-10 16:23:28 +01:00
|
|
|
|
|
|
|
|
public class SafeObjectInputStream extends ObjectInputStream {
|
|
|
|
|
|
2022-06-14 19:54:55 +01:00
|
|
|
List<String> allowedClass;
|
2022-06-10 16:23:28 +01:00
|
|
|
|
2022-06-14 19:54:55 +01:00
|
|
|
public SafeObjectInputStream(InputStream in, List<String> allowedClass) throws IOException {
|
2022-06-10 16:23:28 +01:00
|
|
|
super(in);
|
|
|
|
|
this.allowedClass = allowedClass;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// local files are generally assumed to be safe, but this additional check slightly hardens the application against using arbitrary attacks to exploit
|
|
|
|
|
// please note that it is still insecure; don't use in sensitive contexts!
|
|
|
|
|
@Override
|
|
|
|
|
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
|
2022-06-14 19:54:55 +01:00
|
|
|
if (!allowedClass.contains(desc.getName())) {
|
|
|
|
|
throw new SecurityException(desc.getName());
|
2022-06-10 16:23:28 +01:00
|
|
|
}
|
|
|
|
|
return super.resolveClass(desc);
|
|
|
|
|
}
|
|
|
|
|
}
|
