Package org.openjdk.jmc.common.io
Class ValidatingObjectInputStream
- java.lang.Object
  - java.io.InputStream
    - java.io.ObjectInputStream
      - org.openjdk.jmc.common.io.ValidatingObjectInputStream

All Implemented Interfaces:
Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable
public class ValidatingObjectInputStream extends ObjectInputStream

ObjectInputStream that validates the classes and the count of objects and bytes read from it. Reading must be done using the safeRead methods, which set the validation parameters before reading. Any attempt to use the plain read methods will be blocked. See OWASP.
Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream:
ObjectInputStream.GetField

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants:
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
Method Summary

- static ValidatingObjectInputStream build(InputStream in)
  Create a new input stream for reading objects.
- protected Class<?> resolveClass(ObjectStreamClass desc)
- protected Object resolveObject(Object obj)
- long safeReadLong()
  Update validation parameters and read the next long from the stream.
- <T> T safeReadObject(Class<T> type, Collection<Class<?>> safeClasses, int maxObjects, long maxBytes)
  Update validation parameters and read the next object from the stream.

Methods inherited from class java.io.ObjectInputStream:
available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveProxyClass, setObjectInputFilter, skipBytes

Methods inherited from class java.io.InputStream:
mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput:
read, skip
Method Detail

build

public static ValidatingObjectInputStream build(InputStream in) throws IOException

Create a new input stream for reading objects. This stream will be initialized so that no objects are permitted to be read. To read objects you should use safeReadObject(Class, Collection, int, long), which updates the validation parameters before reading.

Parameters:
- in - stream to read from
Returns:
- a new input stream for reading objects
Throws:
- IOException - on I/O error
safeReadObject

public <T> T safeReadObject(Class<T> type, Collection<Class<?>> safeClasses, int maxObjects, long maxBytes) throws ClassNotFoundException, IOException, ClassCastException

Update validation parameters and read the next object from the stream.

Type Parameters:
- T - type of returned object
Parameters:
- type - Type to return. This type will be whitelisted. If the stored object may be of a subclass of this type, then the permitted subclasses must be included in safeClasses.
- safeClasses - Collection of whitelisted classes. This must include all classes used within the stored object.
- maxObjects - Maximum number of objects to read. This must be large enough to permit valid use, especially for collection objects.
- maxBytes - Maximum number of bytes to read from the stream. This must be large enough to permit valid use, especially for collection objects.
Returns:
- the object read from the stream
Throws:
- IOException - on I/O error
- ClassNotFoundException - if the class of the stored object can't be found
- ClassCastException - if the object is not of the specified type
safeReadLong

public long safeReadLong() throws IOException

Update validation parameters and read the next long from the stream.

Returns:
- the long value read from the stream
Throws:
- IOException - on I/O error
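As an added usage example (not code from the JMC project's own sources), the following reads a constructed two-field object behind a long version header with the build, safeReadLong and safeReadObject methods described above, and then shows a stream carrying a class outside the whitelist being refused. It assumes org.openjdk.jmc.common is on the classpath and that the refusal is reported as an IOException; the page does not state the exact exception subclass.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import org.openjdk.jmc.common.io.ValidatingObjectInputStream;

public class SafeReadDemo {
    // Constructed sample type; every class in the stored graph must be whitelisted.
    static final class Settings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int count;
        Settings(String name, int count) { this.name = name; this.count = count; }
    }
    // Writer side: a long version header followed by one object.
    static byte[] serialize(long version, Object payload) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeLong(version);
            out.writeObject(payload);
        }
        return bytes.toByteArray();
    }
    // Reader side: build() permits nothing; each safeRead call sets the bounds for the
    // one value it is about to read. Strings are stored as TC_STRING and need no entry.
    static Settings readSettings(byte[] data) throws IOException, ClassNotFoundException {
        Collection<Class<?>> safe = List.of(Settings.class);
        try (ValidatingObjectInputStream in = ValidatingObjectInputStream.build(new ByteArrayInputStream(data))) {
            long version = in.safeReadLong();
            if (version != 1L) throw new IOException("unsupported version " + version);
            // Bounds sized to the expected payload: at most 4 objects and 1024 bytes.
            return in.safeReadObject(Settings.class, safe, 4, 1024);
        }
    }
    public static void main(String[] args) throws Exception {
        Settings ok = readSettings(serialize(1L, new Settings("profile", 3)));
        System.out.println("accepted: " + ok.name + "/" + ok.count);
        // Date is Serializable but not whitelisted, so resolveClass refuses it (assumed IOException).
        try {
            readSettings(serialize(1L, new Date()));
        } catch (IOException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```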
resolveObject

protected Object resolveObject(Object obj) throws IOException

Overrides:
- resolveObject in class ObjectInputStream
Throws:
- IOException

resolveClass

protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException

Overrides:
- resolveClass in class ObjectInputStream
Throws:
- IOException
- ClassNotFoundException