
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Objects;
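/**
 * An {@link ObjectInputStream} that resolves exactly one named class.
 *
 * <p>Every class descriptor in the stream is compared against {@code allowedClass} before
 * the class is loaded; any other name, and any dynamic proxy descriptor, is rejected with a
 * {@link SecurityException}. Because a single name is accepted, the allowed class must not
 * pull in other serializable object types (arrays included; strings and primitives are
 * handled by the stream without consulting this hook), or those instances are rejected too.
 *
 * <p>Local files are generally assumed to be safe, but this additional check slightly hardens
 * the application against a stream that names arbitrary classes. Please note that it is still
 * insecure; don't use in sensitive contexts!
 */
public class SafeObjectInputStream extends ObjectInputStream {

    /** Fully qualified name of the only class this stream is permitted to resolve. */
    private final String allowedClass;

    /**
     * Creates a stream that resolves only {@code allowedClass}.
     *
     * @param in the underlying stream to read the serialized data from
     * @param allowedClass fully qualified name of the single class permitted to be resolved
     * @throws IOException if the serialization stream header cannot be read
     * @throws NullPointerException if {@code allowedClass} is {@code null}
     */
    public SafeObjectInputStream(InputStream in, String allowedClass) throws IOException {
        super(in);
        // Reject a missing allow-list at construction rather than failing on the first
        // readObject() with a misleading "not permitted" error.
        this.allowedClass = Objects.requireNonNull(allowedClass, "allowedClass");
    }

    /**
     * Resolves {@code desc} only if it names the allowed class.
     *
     * @param desc descriptor of the class the stream wants to instantiate
     * @return the loaded class, as resolved by {@link ObjectInputStream#resolveClass}
     * @throws SecurityException if the descriptor names any other class
     * @throws IOException if the superclass implementation fails
     * @throws ClassNotFoundException if the allowed class cannot be found
     */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedClass.equals(name)) {
            // Fail closed before delegating: the superclass would load whatever class
            // the stream names. The message carries the rejected name for diagnostics.
            throw new SecurityException(
                "Refusing to deserialize class " + name + "; only " + allowedClass + " is permitted");
        }
        return super.resolveClass(desc);
    }

    /**
     * Rejects every dynamic proxy class descriptor.
     *
     * <p>A generated proxy class can never be the single named class this stream accepts, so
     * proxy descriptors are refused outright instead of being handed to the default
     * implementation, which loads each listed interface.
     *
     * @param interfaces names of the interfaces the proxy class would implement
     * @return never returns normally
     * @throws SecurityException always
     */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new SecurityException(
            "Refusing to deserialize dynamic proxy class implementing "
                + String.join(", ", interfaces) + "; only " + allowedClass + " is permitted");
    }
}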