Merge pull request #41 from AlbumenJ/add_default_list
Add Default Deny List
chickenlj committed Jul 28, 2021
2 parents 2e8c940 + 8d49db4 commit bb6ee3b1ea8ceba79ffe3f5aea4af514307275ed
Showing 3 changed files with 259 additions and 7 deletions.
@@ -48,8 +48,17 @@

package com.alibaba.com.caucho.hessian.io;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
@@ -61,16 +70,18 @@
{
protected static final Logger log
= Logger.getLogger(ClassFactory.class.getName());
private static ArrayList<Allow> _staticAllowList;
private static final ArrayList<Allow> _staticAllowList;
private static final Map<String, Object> _allowClassSet = new ConcurrentHashMap<>();

private ClassLoader _loader;
private boolean _isWhitelist;

private ArrayList<Allow> _allowList;
private LinkedList<Allow> _allowList;

ClassFactory(ClassLoader loader)
{
_loader = loader;
initAllow();
}

public Class<?> load(String className)
@@ -87,19 +98,26 @@ public Class<?> load(String className)

private boolean isAllow(String className)
{
ArrayList<Allow> allowList = _allowList;
LinkedList<Allow> allowList = _allowList;

if (allowList == null) {
return true;
}

if (_allowClassSet.containsKey(className)) {
return true;
}

int size = allowList.size();
for (int i = 0; i < size; i++) {
Allow allow = allowList.get(i);

Boolean isAllow = allow.allow(className);

if (isAllow != null) {
if (isAllow) {
_allowClassSet.put(className, className);
}
return isAllow;
}
}
@@ -108,31 +126,35 @@ private boolean isAllow(String className)
return false;
}

_allowClassSet.put(className, className);
return true;
}

public void setWhitelist(boolean isWhitelist)
{
_allowClassSet.clear();
_isWhitelist = isWhitelist;

initAllow();
}

public void allow(String pattern)
{
_allowClassSet.clear();
initAllow();

synchronized (this) {
_allowList.add(new Allow(toPattern(pattern), true));
_allowList.addFirst(new Allow(toPattern(pattern), true));
}
}

public void deny(String pattern)
{
_allowClassSet.clear();
initAllow();

synchronized (this) {
_allowList.add(new Allow(toPattern(pattern), false));
_allowList.addFirst(new Allow(toPattern(pattern), false));
}
}

@@ -148,7 +170,7 @@ private void initAllow()
{
synchronized (this) {
if (_allowList == null) {
_allowList = new ArrayList<Allow>();
_allowList = new LinkedList<Allow>();
_allowList.addAll(_staticAllowList);
}
}
@@ -158,6 +180,9 @@ static class Allow {
private Boolean _isAllow;
private Pattern _pattern;

public Allow() {
}

private Allow(String pattern, boolean isAllow)
{
_isAllow = isAllow;
@@ -175,9 +200,61 @@ Boolean allow(String className)
}
}

static class AllowPrefix extends Allow {
private Boolean _isAllow;
private String _prefix;

private AllowPrefix(String prefix, boolean isAllow)
{
super();
_isAllow = isAllow;
_prefix = prefix;
}

@Override
Boolean allow(String className)
{
if (className.startsWith(_prefix)) {
return _isAllow;
}
else {
return null;
}
}
}

static {
_staticAllowList = new ArrayList<Allow>();

_staticAllowList.add(new Allow("java\\..+", true));
ClassLoader classLoader = ClassFactory.class.getClassLoader();
try {
String[] denyClasses = readLines(classLoader.getResourceAsStream("DENY_CLASS"));
for (String denyClass : denyClasses) {
if (denyClass.startsWith("#")) {
continue;
}
_staticAllowList.add(new AllowPrefix(denyClass, false));
}
} catch (IOException ignore) {

}
}

/**
* read lines.
*
* @param is input stream.
* @return lines.
* @throws IOException If an I/O error occurs
*/
public static String[] readLines(InputStream is) throws IOException {
List<String> lines = new ArrayList<String>();
try (BufferedReader reader = new BufferedReader(new InputStreamReader(is))) {
String line;
while ((line = reader.readLine()) != null) {
lines.add(line);
}
return lines.toArray(new String[0]);
}
}
}
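Review bot: The static initializer's loop over `DENY_CLASS` skips only lines starting with `#`, so an empty line in the resource becomes `new AllowPrefix("", false)`, and because `startsWith("")` is true for every name that one entry would deny every class; trim and skip blanks, `String prefix = denyClass.trim(); if (prefix.isEmpty() || prefix.startsWith("#")) continue;`. The `catch (IOException ignore)` below it also drops the whole default deny list without a trace, which fails open; `log` is already declared above the block, so `log.log(Level.WARNING, "failed to read DENY_CLASS, default deny list is empty", ignore)` would at least make that visible. Separately, `isAllow` still walks the list with `allowList.get(i)` after `_allowList` changed from `ArrayList` to `LinkedList`, which makes each uncached lookup quadratic in the list size; an enhanced for loop over `allowList` keeps the same first-match order. Note also that `getResourceAsStream` returns `null` when the resource is absent and a null stream is not an `IOException`, so a missing resource would presumably surface as a class initialization error rather than an empty list — worth confirming and handling explicitly.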
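--- /dev/null
+++ b/DENY_CLASS
@@ -0,0 +1,124 @@
+#
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+bsh.
+ch.qos.logback.core.db.
+clojure.
+com.alibaba.citrus.springext.support.parser.
+com.alibaba.citrus.springext.util.SpringExtUtil.
+com.alibaba.druid.pool.
+com.alibaba.hotcode.internal.org.apache.commons.collections.functors.
+com.alipay.custrelation.service.model.redress.
+com.alipay.oceanbase.obproxy.druid.pool.
+com.caucho.config.types.
+com.caucho.hessian.test.
+com.caucho.naming.
+com.ibm.jtc.jax.xml.bind.v2.runtime.unmarshaller.
+com.ibm.xltxe.rnm1.xtq.bcel.util.
+com.mchange.v2.c3p0.
+com.mysql.jdbc.util.
+com.rometools.rome.feed.
+com.sun.corba.se.impl.
+com.sun.corba.se.spi.orbutil.
+com.sun.jndi.rmi.
+com.sun.jndi.toolkit.
+com.sun.org.apache.bcel.internal.
+com.sun.org.apache.xalan.internal.
+com.sun.rowset.
+com.sun.xml.internal.bind.v2.
+com.taobao.vipserver.commons.collections.functors.
+groovy.lang.
+java.beans.
+java.lang.ProcessBuilder
+java.lang.Runtime
+java.rmi.server.
+java.security.
+java.util.ServiceLoader
+javassist.bytecode.annotation.
+javassist.tools.web.Viewer
+javassist.util.proxy.
+javax.imageio.
+javax.imageio.spi.
+javax.management.
+javax.media.jai.remote.
+javax.naming.
+javax.script.
+javax.sound.sampled.
+javax.xml.transform.
+net.bytebuddy.dynamic.loading.
+oracle.jdbc.connector.
+oracle.jdbc.pool.
+org.apache.aries.transaction.jms.
+org.apache.bcel.util.
+org.apache.carbondata.core.scan.expression.
+org.apache.commons.beanutils.
+org.apache.commons.codec.binary.
+org.apache.commons.collections.functors.
+org.apache.commons.collections4.functors.
+org.apache.commons.configuration.
+org.apache.commons.configuration2.
+org.apache.commons.dbcp.datasources.
+org.apache.commons.dbcp2.datasources.
+org.apache.commons.fileupload.disk.
+org.apache.ibatis.executor.loader.
+org.apache.ibatis.javassist.bytecode.
+org.apache.ibatis.javassist.tools.
+org.apache.ibatis.javassist.util.
+org.apache.ignite.cache.
+org.apache.log.output.db.
+org.apache.log4j.receivers.db.
+org.apache.myfaces.view.facelets.el.
+org.apache.openjpa.ee.
+org.apache.openjpa.ee.
+org.apache.shiro.
+org.apache.tomcat.dbcp.
+org.apache.velocity.runtime.
+org.apache.velocity.
+org.apache.wicket.util.
+org.apache.xalan.xsltc.trax.
+org.apache.xbean.naming.context.
+org.apache.xpath.
+org.apache.zookeeper.
+org.aspectj.apache.bcel.util.
+org.codehaus.groovy.runtime.
+org.datanucleus.store.rdbms.datasource.dbcp.datasources.
+org.eclipse.jetty.util.log.
+org.geotools.filter.
+org.h2.value.
+org.hibernate.tuple.component.
+org.hibernate.type.
+org.jboss.ejb3.
+org.jboss.proxy.ejb.
+org.jboss.resteasy.plugins.server.resourcefactory.
+org.jboss.weld.interceptor.builder.
+org.mockito.internal.creation.cglib.
+org.mortbay.log.
+org.quartz.
+org.springframework.aop.aspectj.
+org.springframework.beans.BeanWrapperImpl$BeanPropertyHandler
+org.springframework.beans.factory.
+org.springframework.expression.spel.
+org.springframework.jndi.
+org.springframework.orm.
+org.springframework.transaction.
+org.yaml.snakeyaml.tokens.
+pstore.shaded.org.apache.commons.collections.
+sun.rmi.server.
+sun.rmi.transport.
+weblogic.ejb20.internal.
+weblogic.jms.common.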
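Review bot: Every entry in this list is applied by `AllowPrefix` with `className.startsWith(prefix)`, so the entries that name a single class without a trailing `.` — `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.util.ServiceLoader`, `javassist.tools.web.Viewer` — also match any class whose name merely begins with that text; `java.lang.Runtime` thus denies `java.lang.RuntimeException` and `java.lang.RuntimePermission`, which callers sending exceptions over the wire are likely to notice. Either the matcher needs an exact-name form for such entries or the file format should document the prefix semantics in its header, e.g. `# each line is a class-name prefix; end package entries with '.' — a bare class name also matches longer names`. The list also carries a literal duplicate, `org.apache.openjpa.ee.` twice, and entries made redundant by a shorter prefix, `javax.imageio.spi.` under `javax.imageio.` and `org.apache.velocity.runtime.` under `org.apache.velocity.`; dropping them keeps the linear scan in `isAllow` shorter with no change in coverage.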
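--- /dev/null
+++ b/DenyListTest.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alibaba.com.caucho.hessian.io;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.lang.reflect.Array;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+
+public class DenyListTest {
+
+@Test
+public void testDeny() throws ClassNotFoundException {
+ClassFactory classFactory = new ClassFactory(this.getClass().getClassLoader());
+Assert.assertEquals(HashMap.class, classFactory.load("java.lang.Runtime"));
+Assert.assertEquals(HashMap.class, classFactory.load("java.beans.A"));
+Assert.assertEquals(HashMap.class, classFactory.load("java.beans.B"));
+Assert.assertEquals(HashMap.class, classFactory.load("java.beans.C"));
+Assert.assertEquals(HashMap.class, classFactory.load("java.beans.D"));
+Assert.assertEquals(HashMap.class, classFactory.load("java.beans.E"));
+}
+
+@Test
+public void testAllow() throws ClassNotFoundException {
+ClassFactory classFactory = new ClassFactory(this.getClass().getClassLoader());
+Assert.assertEquals(Integer.class, classFactory.load(Integer.class.getName()));
+Assert.assertEquals(Long.class, classFactory.load(Long.class.getName()));
+Assert.assertEquals(TestClass.class, classFactory.load(TestClass.class.getName()));
+Assert.assertEquals(DenyListTest.class, classFactory.load(DenyListTest.class.getName()));
+Assert.assertEquals(List.class, classFactory.load(List.class.getName()));
+Assert.assertEquals(Array.class, classFactory.load(Array.class.getName()));
+Assert.assertEquals(LinkedList.class, classFactory.load(LinkedList.class.getName()));
+}
+}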
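Review bot: `testAllow` never exercises a legitimate class whose name shares a prefix with a bare deny entry, so the prefix matching in `AllowPrefix` goes untested on the allow side; adding `Assert.assertEquals(RuntimeException.class, classFactory.load(RuntimeException.class.getName()));` would pin the intended behaviour for `java.lang.Runtime` and, as the list and matcher stand, would fail, which is the regression worth catching here. `testDeny` repeats the same `java.beans.` prefix rule five times with `java.beans.A` through `java.beans.E`, which adds no coverage over one assertion; a more useful second case is one where `classFactory.allow(...)` is called for a name the default list denies, since the switch to `addFirst` is what makes user rules take precedence over the bundled list and nothing here verifies that. `TestClass` on the `testAllow` line is neither declared nor imported in this file, so it is presumably a sibling test class in the same package — worth confirming it exists in this commit.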
