Class SaferObjectInputStream

  • All Implemented Interfaces:
    java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable

    public class SaferObjectInputStream
    extends java.io.ObjectInputStream
Default Java deserialization is dangerous with untrusted payloads. This subclass of ObjectInputStream accepts a "whitelist" of classes that it is permitted to load.

    See https://inst.eecs.berkeley.edu/~cs161/fa05/Notes/objectSerialization.pdf

    • Nested Class Summary

      • Nested classes/interfaces inherited from class java.io.ObjectInputStream

        java.io.ObjectInputStream.GetField
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.util.Set<java.lang.Class<?>> DEFAULT_WHITELIST
Default whitelist accepts strings, dates and numbers.
      • Fields inherited from interface java.io.ObjectStreamConstants

        baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
    • Method Summary

      Modifier and Type Method Description
      protected java.io.ObjectStreamClass readClassDescriptor()  
      • Methods inherited from class java.io.ObjectInputStream

        available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveClass, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes
      • Methods inherited from class java.io.InputStream

        mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
      • Methods inherited from interface java.io.ObjectInput

        read, skip
    • Field Detail

      • DEFAULT_WHITELIST

        public static final java.util.Set<java.lang.Class<?>> DEFAULT_WHITELIST
Default whitelist accepts strings, dates and numbers.
    • Constructor Detail

      • SaferObjectInputStream

public SaferObjectInputStream(java.io.InputStream in)
                       throws java.io.IOException
        Throws:
        java.io.IOException
      • SaferObjectInputStream

public SaferObjectInputStream(java.io.InputStream in,
                              java.util.Set<java.lang.Class<?>> whitelist)
                       throws java.io.IOException
        Throws:
        java.io.IOException
    • Method Detail

      • readClassDescriptor

        protected java.io.ObjectStreamClass readClassDescriptor()
                                                         throws java.io.IOException,
                                                                java.lang.ClassNotFoundException
        Overrides:
        readClassDescriptor in class java.io.ObjectInputStream
        Throws:
        java.io.IOException
        java.lang.ClassNotFoundException