Repository: incubator-batchee Updated Branches: refs/heads/master 93e36df30 -> cfd133c30
BATCHEE-74 blacklisting org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in TCCLObjectInputStream
Project: http://git-wip-us.apache.org/repos/asf/incubator-batchee/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-batchee/commit/cfd133c3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-batchee/tree/cfd133c3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-batchee/diff/cfd133c3
Branch: refs/heads/master
Commit: cfd133c309c21a82fb24cfcc9a7c2365aee4678a
Parents: 93e36df
Author: Romain Manni-Bucau <[email protected]>
Authored: Fri Nov 27 12:50:47 2015 +0100
Committer: Romain Manni-Bucau <[email protected]>
Committed: Fri Nov 27 12:50:47 2015 +0100
----------------------------------------------------------------------
.../container/util/TCCLObjectInputStream.java | 25 +++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-batchee/blob/cfd133c3/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
----------------------------------------------------------------------
diff --git a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
index b88bc6f..e93e7bc 100755
--- a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
+++ b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
@@ -23,6 +23,10 @@ import java.io.ObjectStreamClass;
 import java.lang.reflect.Proxy;
 public class TCCLObjectInputStream extends ObjectInputStream {
+ private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
+ "batchee.BlacklistClassResolver",
+ "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split(" *, *"));
+
 private final ClassLoader tccl;
 public TCCLObjectInputStream(final InputStream in) throws IOException {
@@ -32,7 +36,7 @@ public class TCCLObjectInputStream extends ObjectInputStream {
 @Override
 protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException {
- return Class.forName(desc.getName(), false, tccl);
+ return Class.forName(BLACKLIST_CLASSES.check(desc.getName()), false, tccl);
 }
 @Override
@@ -48,4 +52,23 @@ public class TCCLObjectInputStream extends ObjectInputStream {
 throw new ClassNotFoundException(null, e);
 }
 }
+
+ private static final class BlacklistClassResolver {
+ private final String[] blacklist;
+
+ protected BlacklistClassResolver(final String[] blacklist) {
+ this.blacklist = blacklist;
+ }
+
+ public final String check(final String name) {
+ if (blacklist != null) {
+ for (final String white : blacklist) {
+ if (name.startsWith(white)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ }
+ }
+ return name;
+ }
+ }
 }
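Review bot: An empty blacklist entry rejects every class, because `name.startsWith("")` is always true: setting `batchee.BlacklistClassResolver` to an empty value (or to a value with a leading comma) makes `check` throw SecurityException for all deserialised classes, while the `blacklist != null` guard covers a case `String.split` never produces. Skipping blank entries, `if (!white.isEmpty() && name.startsWith(white)) {`, or filtering them out in the constructor, closes that edge case. The message `" is not whitelisted as deserialisable, prevented before loading."` and the loop variable `white` describe an allowlist although the mechanism is a prefix denylist; naming the variable `prefix` and wording the message as "is blacklisted for deserialisation" would match the behaviour, and the `protected` constructor and `final` on `check` have no effect inside a `private static final` nested class. A prefix denylist only covers the packages it names, so a class-level comment stating that the default list is a mitigation rather than a complete guard, and that an allowlist is the stronger option when the set of serialisable job types is known, would help the next maintainer. If the second `@Override` is `resolveProxyClass` (`java.lang.reflect.Proxy` is imported), the interface names it resolves do not pass through `BLACKLIST_CLASSES.check`; that method and the rest of the enclosing class lie outside the hunk.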
