Class SaferObjectInputStream
- java.lang.Object
- java.io.InputStream
- java.io.ObjectInputStream
- com.inductiveautomation.ignition.common.util.SaferObjectInputStream

All Implemented Interfaces:
java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable

public class SaferObjectInputStream extends java.io.ObjectInputStream
Default Java deserialization is dangerous with untrusted payloads. This subclass of ObjectInputStream accepts a "whitelist" of acceptable classes to load; any class descriptor in the stream that is not on the whitelist is rejected. See https://inst.eecs.berkeley.edu/~cs161/fa05/Notes/objectSerialization.pdf
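The descriptor-whitelist pattern this class describes, written as a stand-alone ObjectInputStream subclass; this is an added example, not Ignition SDK code, and the class name WhitelistObjectInputStream and the helper names are assumptions. It also shows two details a practitioner needs to get right: serializable superclasses carry their own descriptors in the stream, and dynamic proxy descriptors do not pass through readClassDescriptor.

```java
import java.io.*;
import java.util.*;

// Added example, not Ignition SDK code: the class-descriptor whitelist pattern
// this page describes, written as a stand-alone ObjectInputStream subclass.
public class WhitelistDemo {
    // Hypothetical class name; the constructor mirrors SaferObjectInputStream's shape.
    static class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed = new HashSet<>();
        WhitelistObjectInputStream(InputStream in, Set<Class<?>> whitelist) throws IOException {
            super(in);
            for (Class<?> c : whitelist) allowed.add(c.getName());
        }
        // Called for every class descriptor in the stream before the class is resolved
        // or instantiated, so a rejected class never gets a readObject/readResolve call.
        @Override
        protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
            ObjectStreamClass desc = super.readClassDescriptor();
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not in deserialization whitelist");
            }
            return desc;
        }
        // Dynamic proxy descriptors do not pass through readClassDescriptor; refuse them.
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            throw new InvalidClassException("proxy", "proxy classes are not in the whitelist");
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object deserialize(byte[] bytes, Set<Class<?>> whitelist) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(bytes), whitelist)) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Each serializable superclass has its own descriptor, so allowing Integer also needs Number.
        Set<Class<?>> whitelist = Set.of(String.class, Date.class, Integer.class, Number.class);
        System.out.println(deserialize(serialize(42), whitelist));
        try {
            deserialize(serialize(new ArrayList<>(List.of(1, 2))), whitelist);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The ArrayList payload is rejected at its first descriptor, before any element is read; a constructed sample, not a real attack payload.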

Field Summary
Modifier and Type: static java.util.Set<java.lang.Class<?>>
Field: DEFAULT_WHITELIST
Description: Default whitelist accepts strings, dates, numbers.

Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary
SaferObjectInputStream(java.io.InputStream in)
SaferObjectInputStream(java.io.InputStream in, java.util.Set<java.lang.Class<?>> whitelist)

Method Summary
Modifier and Type: protected java.io.ObjectStreamClass
Method: readClassDescriptor()

Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveClass, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes
Methods inherited from class java.io.InputStream
mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo

Constructor Detail

SaferObjectInputStream
public SaferObjectInputStream(java.io.InputStream in) throws java.io.IOException
Throws:
java.io.IOException

SaferObjectInputStream
public SaferObjectInputStream(java.io.InputStream in, java.util.Set<java.lang.Class<?>> whitelist) throws java.io.IOException
Throws:
java.io.IOException