diff options
Diffstat (limited to 'eaaf_core_utils/src/main/java/at')
2 files changed, 121 insertions, 21 deletions
| diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java index e15c7a37..1924e165 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafObjectInputStream.java @@ -5,35 +5,87 @@ import java.io.InputStream;  import java.io.InvalidClassException;  import java.io.ObjectInputStream;  import java.io.ObjectStreamClass; -import java.util.List; +import java.util.Set;  import javax.annotation.Nonnull; +/** + * Java Object stream implementation with some harding features. + *  + * @author tlenz + * + */  public class EaafObjectInputStream extends ObjectInputStream { -  private List<String> allowedClassNames; -   +  private final Set<Class<?>> allowedClassNames; +  private final Class<?> firstClassType; +  private final Mode modeOfOperation; +  private int objectDeep = 0; +    /**     * Object input-stream with internal class validation. -   *  -   * @param is Inputstream to deserialize. -   * @param classNames Whitelisted classnames  +   * +   * @param is              Inputstream to deserialize. +   * @param initalClassType First class type that was found +   * @param classes         Whitelisted classnames +   * @param mode            Operation mode for allowed class checking     * @throws IOException In case of an error -   */  -  public EaafObjectInputStream(@Nonnull InputStream is, @Nonnull List<String> classNames) throws IOException { +   */ +  public EaafObjectInputStream(@Nonnull InputStream is, @Nonnull Set<Class<?>> classes, +      Class<?> initalClassType, Mode mode) +      throws IOException {      super(is); -    this.allowedClassNames = classNames; -     +    this.allowedClassNames = classes; +    this.firstClassType = initalClassType; +    this.modeOfOperation = mode; +    } -  //Only deserialize instances of our expected class +  // Only deserialize instances of our expected class    @Override    protected Class<?> resolveClass(ObjectStreamClass desc)        throws IOException, ClassNotFoundException { -    if (!allowedClassNames.contains(desc.getName())) { -      throw new InvalidClassException("Unauthorized deserialization attempt: {}",desc.getName()); -       +    if (Mode.STRICT.equals(modeOfOperation) && !isValidClass(desc.getName())) { +      throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName()); + +    } else if (Mode.TYPE_SPECIFIC.equals(modeOfOperation)) { +      final Class<?> clazz = super.resolveClass(desc); +      if (objectDeep == 0 && !firstClassType.isAssignableFrom(clazz)) { +        throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName()); + +      } else if (objectDeep > 0 +          && !(isValidClassType(clazz) || Object.class.getName().equals(desc.getName()))) { +        throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName()); + +      } else { +        objectDeep++; +        return clazz; + +      } + +    } else { +      return super.resolveClass(desc); +      } -    return super.resolveClass(desc); +  } + +  private boolean isValidClass(String classToDeserialize) { +    return allowedClassNames.stream() +        .filter(el -> el.getName().equals(classToDeserialize)) +        .findFirst() +        .isPresent(); + +  } + +  private boolean isValidClassType(Class<?> clazzToCheck) { +    return allowedClassNames.stream() +        .filter(el -> el.isAssignableFrom(clazzToCheck)) +        .findFirst() +        .isPresent(); + +  } + +  enum Mode { +    STRICT, TYPE_SPECIFIC    }  } diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java index e15c6800..efb4c9be 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/EaafSerializationUtils.java @@ -5,10 +5,12 @@ import java.io.ByteArrayOutputStream;  import java.io.IOException;  import java.io.ObjectInputStream;  import java.io.ObjectOutputStream; -import java.util.List; +import java.util.Set;  import org.springframework.lang.Nullable; +import at.gv.egiz.eaaf.core.impl.utils.EaafObjectInputStream.Mode; +  public class EaafSerializationUtils {    private EaafSerializationUtils() { @@ -42,20 +44,65 @@ public class EaafSerializationUtils {    }    /** -   * Deserialize the byte array into an object. +   * Deserialize the byte array into an object with strict allow-list of classes. +   * +   * <p> +   * Allow all classes that exact match to elements in allow-list. +   * </p>     * -   * @param bytes a serialized object -   * @param allowedClassName List of classnames that are allowed for deserialization +   * @param bytes            a serialized object +   * @param allowedClassName List of classnames that are explicit allowed for +   *                         deserialization     * @return the result of deserializing the bytes     */    @Nullable -  public static Object deserialize(@Nullable byte[] bytes, List<String> allowedClassName) { +  public static Object strictDeserialize(@Nullable byte[] bytes, Set<Class<?>> allowedClassName) { +    if (bytes == null) { +      return null; + +    } + +    try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes), +        allowedClassName, null, Mode.STRICT)) { +      return ois.readObject(); + +    } catch (final IOException ex) { +      throw new IllegalArgumentException("Failed to deserialize object", ex); + +    } catch (final ClassNotFoundException ex) { +      throw new IllegalStateException("Failed to deserialize object type", ex); + +    } +  } + +  /** +   * Deserialize the byte array into an object with type-specific allow-list of +   * classes. +   * +   * <p> +   * Allow all classes that the same or a super-type of elements in +   * allow-list.<br> +   * <b>Hint:</b> Do NOT set {@link Object} as allowed class, because any class is +   * an super-type of {@link Object}. This method implementation allows +   * {@link Object} as explicit type with strict check-mode. +   * </p> +   * +   * @param bytes            a serialized object +   * @param allowedClassName List of classes that are explicit allowed for +   *                         deserialization +   * @param initalClassType  First / Initial class type that are required +   * @return the result of deserializing the bytes +   */ +  @Nullable +  public static Object typeSpecificDeserialize(@Nullable byte[] bytes, Set<Class<?>> allowedClassName, +      Class<?> initalClassType) {      if (bytes == null) {        return null;      }     -    try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes), allowedClassName)) { +    try (ObjectInputStream ois = new EaafObjectInputStream(new ByteArrayInputStream(bytes), +        allowedClassName, initalClassType, Mode.TYPE_SPECIFIC)) {        return ois.readObject();      } catch (final IOException ex) { @@ -66,4 +113,5 @@ public class EaafSerializationUtils {      }    } +  } | 
