summaryrefslogtreecommitdiff
path: root/eaaf_core_utils/src/main
diff options
context:
space:
mode:
authorThomas <>2023-05-15 08:32:34 +0200
committerThomas <>2023-05-15 08:32:34 +0200
commit45a7ae26f0172c636e42b530561eb11efa0083d5 (patch)
treedcb4d604bac49e723f9cf780f43254bb229d803f /eaaf_core_utils/src/main
parent54f16e552a3d6c5579282de5c8d6a92395f6c049 (diff)
downloadEAAF-Components-45a7ae26f0172c636e42b530561eb11efa0083d5.tar.gz
EAAF-Components-45a7ae26f0172c636e42b530561eb11efa0083d5.tar.bz2
EAAF-Components-45a7ae26f0172c636e42b530561eb11efa0083d5.zip
feat(utils): optimize custom Java serialization implementation
Diffstat (limited to 'eaaf_core_utils/src/main')
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java82
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java60
2 files changed, 121 insertions, 21 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java
index e15c7a37..1924e165 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java
@@ -5,35 +5,87 @@ import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
-import java.util.List;
+import java.util.Set;
import javax.annotation.Nonnull;
+/**
+ * Java Object stream implementation with some harding features.
+ *
+ * @author tlenz
+ *
+ */
public class EaafObjectInputStream extends ObjectInputStream {
- private List<String> allowedClassNames;
-
+ private final Set<Class<?>> allowedClassNames;
+ private final Class<?> firstClassType;
+ private final Mode modeOfOperation;
+ private int objectDeep = 0;
+
/**
* Object input-stream with internal class validation.
- *
- * @param is Inputstream to deserialize.
- * @param classNames Whitelisted classnames
+ *
+ * @param is Inputstream to deserialize.
+ * @param initalClassType First class type that was found
+ * @param classes Whitelisted classnames
+ * @param mode Operation mode for allowed class checking
* @throws IOException In case of an error
- */
- public EaafObjectInputStream(@Nonnull InputStream is, @Nonnull List<String> classNames) throws IOException {
+ */
+ public EaafObjectInputStream(@Nonnull InputStream is, @Nonnull Set<Class<?>> classes,
+ Class<?> initalClassType, Mode mode)
+ throws IOException {
super(is);
- this.allowedClassNames = classNames;
-
+ this.allowedClassNames = classes;
+ this.firstClassType = initalClassType;
+ this.modeOfOperation = mode;
+
}
- //Only deserialize instances of our expected class
+ // Only deserialize instances of our expected class
@Override
protected Class<?> resolveClass(ObjectStreamClass desc)
throws IOException, ClassNotFoundException {
- if (!allowedClassNames.contains(desc.getName())) {
- throw new InvalidClassException("Unauthorized deserialization attempt: {}",desc.getName());
-
+ if (Mode.STRICT.equals(modeOfOperation) && !isValidClass(desc.getName())) {
+ throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
+
+ } else if (Mode.TYPE_SPECIFIC.equals(modeOfOperation)) {
+ final Class<?> clazz = super.resolveClass(desc);
+ if (objectDeep == 0 && !firstClassType.isAssignableFrom(clazz)) {
+ throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
+
+ } else if (objectDeep > 0
+ && !(isValidClassType(clazz) || Object.class.getName().equals(desc.getName()))) {
+ throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
+
+ } else {
+ objectDeep++;
+ return clazz;
+
+ }
+
+ } else {
+ return super.resolveClass(desc);
+
}
- return super.resolveClass(desc);
+ }
+
+ private boolean isValidClass(String classToDeserialize) {
+ return allowedClassNames.stream()
+ .filter(el -> el.getName().equals(classToDeserialize))
+ .findFirst()
+ .isPresent();
+
+ }
+
+ private boolean isValidClassType(Class<?> clazzToCheck) {
+ return allowedClassNames.stream()
+ .filter(el -> el.isAssignableFrom(clazzToCheck))
+ .findFirst()
+ .isPresent();
+
+ }
+
+ enum Mode {
+ STRICT, TYPE_SPECIFIC
}
}
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
index e15c6800..efb4c9be 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java
@@ -5,10 +5,12 @@ import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
-import java.util.List;
+import java.util.Set;
import org.springframework.lang.Nullable;
+import at.gv.egiz.eaaf.core.impl.utils.EaafObjectInputStream.Mode;
+
public class EaafSerializationUtils {
private EaafSerializationUtils() {
@@ -42,20 +44,65 @@ public class EaafSerializationUtils {
}
/**
- * Deserialize the byte array into an object.
+ * Deserialize the byte array into an object with strict allow-list of classes.
+ *
+ * <p>
+ * Allow all classes that exact match to elements in allow-list.
+ * </p>
*
- * @param bytes a serialized object
- * @param allowedClassName List of classnames that are allowed for deserialization
+ * @param bytes a serialized object
+ * @param allowedClassName List of classnames that are explicit allowed for
+ * deserialization
* @return the result of deserializing the bytes
*/
@Nullable
- public static Object deserialize(@Nullable byte[] bytes, List<String> allowedClassName) {
+ public static Object strictDeserialize(@Nullable byte[] bytes, Set<Class<?>> allowedClassName) {
+ if (bytes == null) {
+ return null;
+
+ }
+
+ try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes),
+ allowedClassName, null, Mode.STRICT)) {
+ return ois.readObject();
+
+ } catch (final IOException ex) {
+ throw new IllegalArgumentException("Failed to deserialize object", ex);
+
+ } catch (final ClassNotFoundException ex) {
+ throw new IllegalStateException("Failed to deserialize object type", ex);
+
+ }
+ }
+
+ /**
+ * Deserialize the byte array into an object with type-specific allow-list of
+ * classes.
+ *
+ * <p>
+ * Allow all classes that the same or a super-type of elements in
+ * allow-list.<br>
+ * <b>Hint:</b> Do NOT set {@link Object} as allowed class, because any class is
+ * an super-type of {@link Object}. This method implementation allows
+ * {@link Object} as explicit type with strict check-mode.
+ * </p>
+ *
+ * @param bytes a serialized object
+ * @param allowedClassName List of classes that are explicit allowed for
+ * deserialization
+ * @param initalClassType First / Initial class type that are required
+ * @return the result of deserializing the bytes
+ */
+ @Nullable
+ public static Object typeSpecificDeserialize(@Nullable byte[] bytes, Set<Class<?>> allowedClassName,
+ Class<?> initalClassType) {
if (bytes == null) {
return null;
}
- try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes), allowedClassName)) {
+ try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes),
+ allowedClassName, initalClassType, Mode.TYPE_SPECIFIC)) {
return ois.readObject();
} catch (final IOException ex) {
@@ -66,4 +113,5 @@ public class EaafSerializationUtils {
}
}
+
}