View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements. See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache license, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License. You may obtain a copy of the License at
8    *
9    *      http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the license for the specific language governing permissions and
15   * limitations under the license.
16   */
17  package org.apache.logging.log4j.util;
18  
19  import java.io.IOException;
20  import java.io.InputStream;
21  import java.io.InvalidObjectException;
22  import java.io.ObjectInputStream;
23  import java.io.ObjectStreamClass;
24  import java.util.Arrays;
25  import java.util.Collection;
26  import java.util.HashSet;
27  import java.util.List;
28  
29  /**
30   * Extended ObjectInputStream that only allows certain classes to be deserialized.
31   *
32   * @since 2.8.2
33   */
34  public class FilteredObjectInputStream extends ObjectInputStream {
35  
36      private static final List<String> REQUIRED_JAVA_CLASSES = Arrays.asList(
37              "java.math.BigDecimal",
38              "java.math.BigInteger",
39              // for Message delegate
40              "java.rmi.MarshalledObject",
41              "[B"
42      );
43  
44      private static final List<String> REQUIRED_JAVA_PACKAGES = Arrays.asList(
45              "java.lang.",
46              "java.time",
47              "java.util.",
48              "org.apache.logging.log4j.",
49              "[Lorg.apache.logging.log4j."
50      );
51  
52      private final Collection<String> allowedClasses;
53  
54      public FilteredObjectInputStream() throws IOException, SecurityException {
55          super();
56          this.allowedClasses = new HashSet<>();
57      }
58  
59      public FilteredObjectInputStream(final InputStream in) throws IOException {
60          super(in);
61          this.allowedClasses = new HashSet<>();
62      }
63  
64      public FilteredObjectInputStream(final Collection<String> allowedClasses) throws IOException, SecurityException {
65          super();
66          this.allowedClasses = allowedClasses;
67      }
68  
69      public FilteredObjectInputStream(final InputStream in, final Collection<String> allowedClasses) throws IOException {
70          super(in);
71          this.allowedClasses = allowedClasses;
72      }
73  
74      public Collection<String> getAllowedClasses() {
75          return allowedClasses;
76      }
77  
78      @Override
79      protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
80          final String name = desc.getName();
81          if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
82              throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
83          }
84          return super.resolveClass(desc);
85      }
86  
87      private static boolean isAllowedByDefault(final String name) {
88          return isRequiredPackage(name) || REQUIRED_JAVA_CLASSES.contains(name);
89      }
90  
91      private static boolean isRequiredPackage(final String name) {
92          for (final String packageName : REQUIRED_JAVA_PACKAGES) {
93              if (name.startsWith(packageName)) {
94                  return true;
95              }
96          }
97          return false;
98      }
99  
100 }