Package com.inductiveautomation.ignition.common.util

Class SaferObjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

com.inductiveautomation.ignition.common.util.SaferObjectInputStream

All Implemented Interfaces:

Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

public class SaferObjectInputStream
extends ObjectInputStream

Default java deserialization is dangerous with untrusted payloads. This subclass of ObjectInputStream accepts a "whitelist" of acceptable classes to load.

See https://inst.eecs.berkeley.edu/~cs161/fa05/Notes/objectSerialization.pdf

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

ObjectInputStream.GetField

Field Summary

Fields

Modifier and Type	Field	Description
static final Set<Class<?>>	DEFAULT_WHITELIST	Default whitelist accepts strings, dates, numbers

Fields inherited from interface java.io.ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor	Description
SaferObjectInputStream(InputStream in)
SaferObjectInputStream(InputStream in, Set<Class<?>> whitelist)

Method Summary

Modifier and Type	Method	Description
protected ObjectStreamClass	readClassDescriptor()

Methods inherited from class java.io.ObjectInputStream

available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveClass, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes

Methods inherited from class java.io.InputStream

mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, skipNBytes, transferTo

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput

read, skip

Field Details

DEFAULT_WHITELIST

public static final Set<Class<?>> DEFAULT_WHITELIST

Default whitelist accepts strings, dates, numbers

Constructor Details

SaferObjectInputStream

public SaferObjectInputStream(InputStream in)
                       throws IOException

Throws:

IOException

SaferObjectInputStream

public SaferObjectInputStream(InputStream in,
 Set<Class<?>> whitelist)
                       throws IOException

Throws:

IOException

Method Details

readClassDescriptor

protected ObjectStreamClass readClassDescriptor()
                                         throws IOException,
ClassNotFoundException

Overrides:

readClassDescriptor in class ObjectInputStream

Throws:

IOException

ClassNotFoundException