[Java] Add class checker API #890

Merged
merged 8 commits into from
Aug 31, 2023

chaokunyang
Collaborator

@chaokunyang chaokunyang commented Aug 30, 2023

What do these changes do?

Add class checker API and white/black list based implementation.

Example:

{
  // STRICT: a class that matches no allow-list entry is rejected.
  Fury fury = Fury.builder().requireClassRegistration(false).build();
  AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
  fury.getClassResolver().setClassChecker(checker);
  // Register the resolver as a listener of the checker.
  checker.addListener(fury.getClassResolver());
  assertThrows(InsecureException.class, () -> fury.serialize(new AllowListCheckerTest()));
  checker.allowClass("io.fury.*");
  fury.serialize(new AllowListCheckerTest());
  // Disallowing the same pattern makes serialization fail again.
  checker.disallowClass("io.fury.*");
  assertThrows(InsecureException.class, () -> fury.serialize(new AllowListCheckerTest()));
}

{
  // WARN: serialization succeeds without an allow-list entry,
  // but an explicit disallow entry still throws.
  Fury fury = Fury.builder().requireClassRegistration(false).build();
  AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.WARN);
  fury.getClassResolver().setClassChecker(checker);
  checker.addListener(fury.getClassResolver());
  fury.serialize(new AllowListCheckerTest());
  checker.disallowClass("io.fury.*");
  assertThrows(InsecureException.class, () -> fury.serialize(new AllowListCheckerTest()));
}

{
  // One checker shared by every Fury instance that the ThreadLocalFury creates.
  AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
  ThreadSafeFury fury = new ThreadLocalFury(classLoader -> {
    Fury f = Fury.builder().requireClassRegistration(false).withClassLoader(classLoader).build();
    f.getClassResolver().setClassChecker(checker);
    checker.addListener(f.getClassResolver());
    return f;
  });
  checker.allowClass("io.fury.*");
  fury.serialize(new AllowListCheckerTest());
  checker.disallowClass("io.fury.*");
  assertThrows(InsecureException.class, () -> fury.serialize(new AllowListCheckerTest()));
}

Related issue number

Closes #891

Check code requirements

  • tests added / passed (if needed)
  • Ensure all linting tests pass, see here for how to run them
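
The decisions that the three snippets in the description assert on, written out as a self-contained model. This is an added example, not code from this PR or from Fury: `ClassPolicyModel`, its `Level` enum, the trailing-`*` prefix matching, the use of `SecurityException` and the `com.example`/`io.fury.test` class names are assumptions made for illustration.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical model of an allow/deny-list class check; not Fury's AllowListChecker.
public class ClassPolicyModel {
  enum Level { STRICT, WARN }

  private final Level level;
  private final Set<String> allow = ConcurrentHashMap.newKeySet();
  private final Set<String> deny = ConcurrentHashMap.newKeySet();

  ClassPolicyModel(Level level) { this.level = level; }

  void allowClass(String pattern) { allow.add(pattern); }
  void disallowClass(String pattern) { deny.add(pattern); }

  // Assumption: a trailing '*' means prefix match; anything else is an exact class name.
  private static boolean matches(Set<String> patterns, String className) {
    for (String p : patterns) {
      boolean hit = p.endsWith("*")
          ? className.startsWith(p.substring(0, p.length() - 1))
          : className.equals(p);
      if (hit) return true;
    }
    return false;
  }

  // Returns true when the class may be (de)serialized; throws when the policy rejects it.
  boolean check(String className) {
    if (matches(deny, className)) {  // a deny entry wins at every level
      throw new SecurityException(className + " is disallowed");
    }
    if (matches(allow, className)) return true;
    if (level == Level.STRICT) {     // default deny: unlisted classes are rejected
      throw new SecurityException(className + " is not in the allow list");
    }
    System.err.println("WARN: unlisted class " + className);  // WARN: log and continue
    return true;
  }

  public static void main(String[] args) {
    ClassPolicyModel strict = new ClassPolicyModel(Level.STRICT);
    strict.allowClass("io.fury.*");
    System.out.println(strict.check("io.fury.test.Foo"));  // matched by the allow prefix
    strict.disallowClass("io.fury.test.Foo");  // a narrower deny overrides the broader allow
    for (String name : new String[] {"io.fury.test.Foo", "com.example.Unlisted"}) {
      try { strict.check(name); }
      catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
  }
}
```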

@chaokunyang chaokunyang merged commit 68787a3 into apache:main Aug 31, 2023
11 checks passed
chaokunyang added a commit that referenced this pull request Aug 31, 2023
* add class check API

* add white/black list based class checker

* refine class checker

* add missing header

* refine documentation

* refine documentation

* add deserialize tests

* refine security warning message
@chaokunyang chaokunyang mentioned this pull request Sep 1, 2023
2 tasks
Successfully merging this pull request may close these issues.

[Java] Allow customize which classes are allowed for serialization