1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements. See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache license, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License. You may obtain a copy of the License at
8    *
9    *      http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the license for the specific language governing permissions and
15   * limitations under the license.
16   */
17  package org.apache.logging.log4j.core.layout;
18  
19  import java.io.ByteArrayOutputStream;
20  import java.io.IOException;
21  import java.io.ObjectOutputStream;
22  import java.io.OutputStream;
23  
24  import org.apache.logging.log4j.core.Layout;
25  import org.apache.logging.log4j.core.LogEvent;
26  import org.apache.logging.log4j.core.config.Node;
27  import org.apache.logging.log4j.core.config.plugins.Plugin;
28  import org.apache.logging.log4j.core.config.plugins.PluginFactory;
29  
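/**
 * Formats a {@link LogEvent} in its Java serialized form.
 *
 * <p>Security note: output of this layout is meant to be read back with Java deserialization, so the
 * exposure is on the receiving side. A receiver should accept such a stream only from senders it
 * trusts and should restrict the classes it is willing to deserialize (for example with a
 * {@code java.io.ObjectInputFilter} allow-list where the runtime provides one).</p>
 *
 * @deprecated Java Serialization has inherent security weaknesses, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data .
 * Using this layout is no longer recommended. An alternative layout containing the same information is
 * {@link JsonLayout} when configured with properties="true". Deprecated since 2.9.
 */
@Deprecated
@Plugin(name = "SerializedLayout", category = Node.CATEGORY, elementType = Layout.ELEMENT_TYPE, printObject = true)
public final class SerializedLayout extends AbstractLayout<LogEvent> {

    /**
     * The bytes an {@link ObjectOutputStream} emits when it is opened and immediately closed, captured
     * once at class initialization. Remains {@code null} if the header could not be generated.
     */
    private static final byte[] SERIALIZED_HEADER = createSerializedHeader();

    /**
     * Captures the object stream header by opening and closing an {@link ObjectOutputStream} over an
     * in-memory buffer.
     *
     * @return the header bytes, or {@code null} if generating them failed (the failure is logged).
     */
    private static byte[] createSerializedHeader() {
        final ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try {
            new ObjectOutputStream(baos).close();
            return baos.toByteArray();
        } catch (final Exception ex) {
            LOGGER.error("Unable to generate Object stream header", ex);
            return null;
        }
    }

    /**
     * Creates the layout and logs a deprecation warning every time an instance is built, so that a
     * configuration still using this layout is visible in the status log.
     */
    private SerializedLayout() {
        super(null, null, null);
        LOGGER.warn("SerializedLayout is deprecated due to the inherent security weakness in Java Serialization, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data Consider using another layout, e.g. JsonLayout");
    }

    /**
     * Formats a {@link org.apache.logging.log4j.core.LogEvent} as a serialized byte array of the LogEvent object.
     *
     * <p>The stream header is not part of the returned bytes; it is exposed separately through
     * {@link #getHeader()}. If serialization fails, the error is logged and whatever reached the
     * buffer before the failure is returned.</p>
     *
     * @param event The LogEvent.
     * @return the formatted LogEvent.
     */
    @Override
    public byte[] toByteArray(final LogEvent event) {
        final ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (final ObjectOutputStream oos = new PrivateObjectOutputStream(baos)) {
            oos.writeObject(event);
            // Reset after each event so the stream keeps no state about objects already written.
            oos.reset();
        } catch (final IOException ioe) {
            LOGGER.error("Serialization of LogEvent failed.", ioe);
        }
        return baos.toByteArray();
    }

    /**
     * Returns the LogEvent.
     *
     * @param event The Logging Event.
     * @return The LogEvent.
     */
    @Override
    public LogEvent toSerializable(final LogEvent event) {
        return event;
    }

    /**
     * Creates a SerializedLayout.
     * @return A SerializedLayout.
     */
    @Deprecated
    @PluginFactory
    public static SerializedLayout createLayout() {
        return new SerializedLayout();
    }

    /**
     * Returns the object stream header that precedes the serialized events.
     *
     * @return a copy of the header bytes, or {@code null} if the header could not be generated.
     */
    @Override
    public byte[] getHeader() {
        // Hand out a copy: the header is shared by every instance and must not be altered by a caller.
        return SERIALIZED_HEADER == null ? null : SERIALIZED_HEADER.clone();
    }

    /**
     * SerializedLayout returns a binary stream.
     * @return The content type.
     */
    @Override
    public String getContentType() {
        return "application/octet-stream";
    }

    /**
     * The stream header will be written in the Manager so skip it here.
     *
     * <p>Declared static because it uses nothing from the enclosing layout instance.</p>
     */
    private static final class PrivateObjectOutputStream extends ObjectOutputStream {

        PrivateObjectOutputStream(final OutputStream os) throws IOException {
            super(os);
        }

        @Override
        protected void writeStreamHeader() {
            // do nothing
        }
    }
}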