...

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

class LookAheadObjectInputStream extends ObjectInputStream {
  public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
    super(inputStream);
  }

  // Called for every non-proxy class descriptor read from the stream, before
  // that class is loaded or an instance is created, so nested objects are
  // checked as well. Only the allow-listed class names are resolved.
  @Override
  protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
    switch (desc.getName()) {
      case "GoodClass1": break;
      case "GoodClass2": break;
      default:
        // InvalidClassException(String cname, String reason): class name first
        throw new InvalidClassException(desc.getName(), "Unexpected serialized class");
    }
    return super.resolveClass(desc);
  }
}

class DeserializeExample {
  private static Object deserialize(byte[] buffer) throws IOException, ClassNotFoundException {
    Object ret = null;
    try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
      try (LookAheadObjectInputStream ois = new LookAheadObjectInputStream(bais)) {
        ret = ois.readObject();
      }
    }
    return ret;
  }
}
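
A runnable check of the compliant solution above, added here as an example and not part of the CERT page: it serializes an instance of an allow-listed class and an instance of a class that the allow list does not name, and shows that the second is rejected in resolveClass before its readObject method can run. The classes GoodClass1, NotOnAllowList and LookAheadDemo are constructed for this example; the look-ahead stream is the one shown above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

public class LookAheadDemo {
  // Produces the bytes an attacker would send; constructed locally for the demo.
  static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
      oos.writeObject(o);
    }
    return baos.toByteArray();
  }

  static Object deserialize(byte[] buffer) throws IOException, ClassNotFoundException {
    try (LookAheadObjectInputStream ois =
             new LookAheadObjectInputStream(new ByteArrayInputStream(buffer))) {
      return ois.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    // Allow-listed class: deserializes normally.
    GoodClass1 good = (GoodClass1) deserialize(serialize(new GoodClass1()));
    System.out.println("allowed: GoodClass1 with label=" + good.label);

    // Not on the list: resolveClass throws before any instance exists, so the
    // class's readObject() is never invoked.
    byte[] hostile = serialize(new NotOnAllowList());
    try {
      deserialize(hostile);
      System.out.println("BUG: NotOnAllowList was deserialized");
    } catch (InvalidClassException e) {
      System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
    }
    System.out.println("NotOnAllowList.readObject ran: " + NotOnAllowList.readObjectRan);
  }
}

// Constructed stand-in for the page's GoodClass1. It lives in the default
// package so that ObjectStreamClass.getName() returns exactly "GoodClass1".
class GoodClass1 implements Serializable {
  private static final long serialVersionUID = 1L;
  String label = "ok";
}

// Constructed stand-in for a class the allow list does not name. A real gadget
// class would do something harmful in readObject(); this one only records
// whether readObject() was reached.
class NotOnAllowList implements Serializable {
  private static final long serialVersionUID = 1L;
  static boolean readObjectRan = false;

  private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    readObjectRan = true;
    in.defaultReadObject();
  }
}

// The look-ahead stream from the compliant solution above.
class LookAheadObjectInputStream extends ObjectInputStream {
  public LookAheadObjectInputStream(InputStream in) throws IOException {
    super(in);
  }

  @Override
  protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
    switch (desc.getName()) {
      case "GoodClass1": break;
      case "GoodClass2": break;
      default:
        throw new InvalidClassException(desc.getName(), "Unexpected serialized class");
    }
    return super.resolveClass(desc);
  }
}
```

Compile and run with `javac LookAheadDemo.java && java LookAheadDemo` (or `java LookAheadDemo.java` on JDK 11 and later). Two caveats for production use: the stream above overrides only resolveClass, so a filter that must also exclude dynamic proxies should override resolveProxyClass as well (rejecting unconditionally is the safe default); and on JDK 9 and later the same allow list can be applied without subclassing, by calling ObjectInputStream.setObjectInputFilter with ObjectInputFilter.Config.createFilter("GoodClass1;GoodClass2;!*").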

Exceptions

SER12-J-EX0: Serialized data from a trusted input source does not require validation, provided that the code clearly documents that it relies on the input source being trustworthy. For example, if a library is being audited, a routine of that library may have a documented precondition that its callers pre-validate any passed-in serialized data.

...