...
| Code Block | ||||
|---|---|---|---|---|
| ||||
import java.io.*;
class DeserializeExample {
public static Object deserialize(byte[] buffer) throws IOException, ClassNotFoundException {
Object ret = null;
try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
try (ObjectInputStream ois = new ObjectInputStream(bais)) {
ret = ois.readObject();
}
}
return ret;
}
} |
...
This compliant solution is based on http://www.ibm.com/developerworks/library/se-lookahead/. It inspects the class of any object being deserialized, before its readObject() method is invoked. The code consequently throws an InvalidClassException unless the object (and all sub-objects) is a GoodClass1 or a GoodClass2. The WhitelistedObjectInputStream class here is compatible with the strategy employed by the compliant solution in SER13-J. Treat data to be deserialized as potentially malicious by default.
| Code Block | ||||
|---|---|---|---|---|
| ||||
import java.io.*;
import java.util.*;
class WhitelistedObjectInputStream extends ObjectInputStream {
public Set whitelist;
public WhitelistedObjectInputStream(InputStream inputStream, Set wl) throws IOException {
super(inputStream);
whitelist = wl;
}
@Override
protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException {
if (!whitelist.contains(cls.getName())) {
throw new InvalidClassException("Unexpected serialized class", cls.getName());
}
return super.resolveClass(cls);
}
}
class DeserializeExample {
private static Object deserialize(byte[] buffer) throws IOException, ClassNotFoundException {
Object ret = null;
Set whitelist = new HashSet<String>(Arrays.asList(new String[]{"GoodClass1","GoodClass2"}));
try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
try (WhitelistedObjectInputStream ois = new WhitelistedObjectInputStream(bais, whitelist)) {
ret = ois.readObject();
}
}
return ret;
}
} |
...