BATCHEE-74 blacklisting org.codehaus.groovy.runtime.,org.apache.commo…
…ns.collections.functors.,org.apache.xalan in TCCLObjectInputStream
Romain Manni-Bucau committed Nov 27, 2015
1 parent 93e36df commit cfd133c309c21a82fb24cfcc9a7c2365aee4678a
Showing 1 changed file with 24 additions and 1 deletion.
@@ -23,6 +23,10 @@
import java.lang.reflect.Proxy;

public class TCCLObjectInputStream extends ObjectInputStream {
private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
"batchee.BlacklistClassResolver",
"org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split(" *, *"));

private final ClassLoader tccl;

public TCCLObjectInputStream(final InputStream in) throws IOException {
@@ -32,7 +36,7 @@ public TCCLObjectInputStream(final InputStream in) throws IOException {

@Override
protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException {
return Class.forName(desc.getName(), false, tccl);
return Class.forName(BLACKLIST_CLASSES.check(desc.getName()), false, tccl);
}

@Override
@@ -48,4 +52,23 @@ protected Class resolveProxyClass(final String[] interfaces) throws IOException,
throw new ClassNotFoundException(null, e);
}
}

private static final class BlacklistClassResolver {
private final String[] blacklist;

protected BlacklistClassResolver(final String[] blacklist) {
this.blacklist = blacklist;
}

public final String check(final String name) {
if (blacklist != null) {
for (final String white : blacklist) {
if (name.startsWith(white)) {
throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
}
}
}
return name;
}
}
}
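Review bot: The prefix list in the `BLACKLIST_CLASSES` initializer is split with `" *, *"` and never trimmed, so a `batchee.BlacklistClassResolver` value with a leading or trailing space (or a tab or newline next to a comma) yields an entry that `name.startsWith(...)` in `check` can never match, and that prefix is silently left unblocked. Normalising before the split, e.g. `System.getProperty(...).trim().split("\\s*,\\s*")`, closes that gap; an empty property value would still produce a single `""` entry, which makes `check` reject every class. The thrown message says "is not whitelisted" and the loop variable is named `white`, although this is a deny list; wording such as `name + " is blacklisted for deserialisation, prevented before loading."` would match what an operator configured. A deny list of three prefixes only covers the packages named here, so an optional allow list of expected packages, checked in the same `resolveClass`, would be the stronger control. The body of `resolveProxyClass` starts outside the visible hunk, so whether its interface names should also pass through `check` cannot be judged from this page.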
