Re: svn commit: r1853691 - in /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util: ObjectInputStream.java SafeObjectInputStream.java UtilObject.java

2019-02-17 Thread Jacques Le Roux

It's fixed so far, I have added a warning

Jacques

Le 17/02/2019 à 12:09, Jacques Le Roux a écrit :

Hi,

There is a problem with this commit, I'm working on it...

Jacques

Le 16/02/2019 à 10:42, jler...@apache.org a écrit :

Author: jleroux
Date: Sat Feb 16 09:42:03 2019
New Revision: 1853691

URL: http://svn.apache.org/viewvc?rev=1853691=rev
Log:
Improved: Improve ObjectInputStream class
(OFBIZ-10837)

As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1],
a code smell in Findbugs[2]) when extending to use the same name than the
extended Object

[1] 
https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
[2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html

Added:
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 (with props)
Removed:
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
Modified:
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

Added: 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
URL: 
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691=auto

==
--- 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 (added)
+++ 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 Sat Feb 16 09:42:03 2019
@@ -0,0 +1,86 @@
+/***
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ 
***/
+package org.apache.ofbiz.base.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectStreamClass;
+import java.lang.reflect.Proxy;
+import java.util.List;
+import java.util.regex.Pattern;
+
+/**
+ * ObjectInputStream
+ *
+ */
+public class SafeObjectInputStream extends java.io.ObjectInputStream 
implements AutoCloseable {
+
+    private ClassLoader classloader;
+    private Pattern WHITELIST_PATTERN = null;
+
+    public SafeObjectInputStream(InputStream in, ClassLoader loader) throws 
IOException {
+    super(in);
+    this.classloader = loader;
+    }
+
+    public SafeObjectInputStream(InputStream in, ClassLoader loader, 
List whitelist) throws IOException {
+    super(in);
+    this.classloader = loader;
+    StringBuilder bld = new StringBuilder("(");
+    for (int i = 0; i < whitelist.size(); i++) {
+    bld.append(whitelist.get(i));
+    if (i != whitelist.size() - 1) {
+    bld.append("|");
+    }
+    }
+    bld.append(")");
+    WHITELIST_PATTERN = Pattern.compile(bld.toString());
+    }
+
+
+    /**
+ * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass)
+ */
+    @Override
+    protected Class resolveClass(ObjectStreamClass classDesc) throws 
IOException, ClassNotFoundException {
+    if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) {
+    throw new ClassCastException("Incompatible class: " + 
classDesc.getName());
+    }
+
+    return ObjectType.loadClass(classDesc.getName(), classloader);
+    }
+
+    /**
+ * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[])
+ */
+    @Override
+    protected Class resolveProxyClass(String[] interfaces) throws 
IOException, ClassNotFoundException {
+    Class[] cinterfaces = new Class[interfaces.length];
+    for (int i = 0; i < interfaces.length; i++) {
+    cinterfaces[i] = classloader.loadClass(interfaces[i]);
+    }
+
+    try {
+    return Proxy.getProxyClass(classloader, cinterfaces);
+    } catch (IllegalArgumentException e) {
+    throw new ClassNotFoundException(null, e);
+    }
+
+    }
+}

Propchange: 

Re: svn commit: r1853691 - in /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util: ObjectInputStream.java SafeObjectInputStream.java UtilObject.java

2019-02-17 Thread Jacques Le Roux

Hi,

There is a problem with this commit, I'm working on it...

Jacques

Le 16/02/2019 à 10:42, jler...@apache.org a écrit :

Author: jleroux
Date: Sat Feb 16 09:42:03 2019
New Revision: 1853691

URL: http://svn.apache.org/viewvc?rev=1853691=rev
Log:
Improved: Improve ObjectInputStream class
(OFBIZ-10837)

As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1],
a code smell in Findbugs[2]) when extending to use the same name than the
extended Object

[1] 
https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
[2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html

Added:
 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
   (with props)
Removed:
 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
Modified:
 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

Added: 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
URL: 
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691=auto
==
--- 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 (added)
+++ 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 Sat Feb 16 09:42:03 2019
@@ -0,0 +1,86 @@
+/***
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ 
***/
+package org.apache.ofbiz.base.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectStreamClass;
+import java.lang.reflect.Proxy;
+import java.util.List;
+import java.util.regex.Pattern;
+
+/**
+ * ObjectInputStream
+ *
+ */
+public class SafeObjectInputStream extends java.io.ObjectInputStream 
implements AutoCloseable {
+
+private ClassLoader classloader;
+private Pattern WHITELIST_PATTERN = null;
+
+public SafeObjectInputStream(InputStream in, ClassLoader loader) throws 
IOException {
+super(in);
+this.classloader = loader;
+}
+
+public SafeObjectInputStream(InputStream in, ClassLoader loader, 
List whitelist) throws IOException {
+super(in);
+this.classloader = loader;
+StringBuilder bld = new StringBuilder("(");
+for (int i = 0; i < whitelist.size(); i++) {
+bld.append(whitelist.get(i));
+if (i != whitelist.size() - 1) {
+bld.append("|");
+}
+}
+bld.append(")");
+WHITELIST_PATTERN = Pattern.compile(bld.toString());
+}
+
+
+/**
+ * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass)
+ */
+@Override
+protected Class resolveClass(ObjectStreamClass classDesc) throws 
IOException, ClassNotFoundException {
+if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) {
+throw new ClassCastException("Incompatible class: " + 
classDesc.getName());
+}
+
+return ObjectType.loadClass(classDesc.getName(), classloader);
+}
+
+/**
+ * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[])
+ */
+@Override
+protected Class resolveProxyClass(String[] interfaces) throws 
IOException, ClassNotFoundException {
+Class[] cinterfaces = new Class[interfaces.length];
+for (int i = 0; i < interfaces.length; i++) {
+cinterfaces[i] = classloader.loadClass(interfaces[i]);
+}
+
+try {
+return Proxy.getProxyClass(classloader, cinterfaces);
+} catch (IllegalArgumentException e) {
+throw new ClassNotFoundException(null, e);
+}
+
+}
+}

Propchange: