Restrict allowed classes during deserialization of signature files (#253
) * Restrict allowed classes during deserialization of signature files Because signature files are created using Java Serialization, this adds a new `SignatureObjectInputStream` which restricts the classes that may be loaded when reading signature files, to increase security.
1 parent
b105791
commit 4b5dd40
Showing
7 changed files
with
305 additions
and
17 deletions.
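--- /dev/null
+++ b/...al-sniffer/src/main/java/org/codehaus/mojo/animal_sniffer/SignatureObjectInputStream.java
@@ -0,0 +1,59 @@
+package org.codehaus.mojo.animal_sniffer;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+* {@link ObjectInputStream} subclass which only permits loading classes which are needed
+* by signature files. All other classes are rejected for security reasons.
+*/
+public class SignatureObjectInputStream extends ObjectInputStream {
+private static final Set<String> ALLOWED_CLASS_NAMES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
+Clazz.class.getName(),
+String[].class.getName()
+)));
+
+public SignatureObjectInputStream(InputStream in) throws IOException {
+super(in);
+}
+
+// Impose restrictions on allowed classes, see https://wiki.sei.cmu.edu/confluence/display/java/SER12-J.+Prevent+deserialization+of+untrusted+data
+@Override
+protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+String className = desc.getName();
+
+if (ALLOWED_CLASS_NAMES.contains(className)) {
+return super.resolveClass(desc);
+}
+
+Class<?> c;
+try {
+// Should be safe because default implementation uses `initialize=false`, and this is guaranteed by the Javadoc
+c = super.resolveClass(desc);
+} catch (ClassNotFoundException classNotFoundException) {
+// To be safe throw InvalidClassException instead because all allowed classes should exist on classpath
+throw new InvalidClassException(className, "Class not found, probably disallowed class");
+}
+
+// Also allow Set classes because Clazz has field of type Set
+if (isAllowedSetClass(c)) {
+return c;
+}
+
+throw new InvalidClassException(className, "Disallowed class for signature data");
+}
+
+/**
+* Check if the class is an allowed implementation of {@link Set}.
+*/
+private static boolean isAllowedSetClass(Class<?> c) {
+return Set.class.isAssignableFrom(c) && c.getName().startsWith("java.util.");
+}
+}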
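Review bot: The allowlist in `isAllowedSetClass` is wider than the comment "Also allow Set classes because Clazz has field of type Set" suggests, and it is only consulted after `super.resolveClass(desc)` has already loaded the candidate class: the `startsWith("java.util.")` test admits every `Set` implementation in `java.util` and its sub-packages (for example `java.util.concurrent`), not just the one the signature writer emits. Loading a class without initialization is what SER12-J relies on, but the stronger form of the same advice is to decide on the class name alone so that nothing outside the allowlist is ever loaded; that also makes the `ClassNotFoundException` translation unnecessary, which is worth removing anyway since the rethrow drops the original exception as cause. The concrete `Set` implementation stored in `Clazz` is not visible in this hunk, so `HashSet` below is a placeholder to confirm against `Clazz` (and against what the signature generator actually writes) before merging. If the project's target JDK permits, a stream-level `ObjectInputFilter` would additionally bound depth and object count, but the name-based check is the part this change should settle.
```java
private static final Set<String> ALLOWED_CLASS_NAMES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
        Clazz.class.getName(),
        String[].class.getName(),
        // Set implementation(s) actually written into signature files — PLACEHOLDER, confirm against Clazz
        HashSet.class.getName()
)));

// … unchanged: constructor …

@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
    String className = desc.getName();
    // Decide by name before any class is loaded; super.resolveClass is reached only for allowlisted names
    if (!ALLOWED_CLASS_NAMES.contains(className)) {
        throw new InvalidClassException(className, "Disallowed class for signature data");
    }
    return super.resolveClass(desc);
}
```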