org.owasp.dependencycheck.utils

Class ExpectedOjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

org.owasp.dependencycheck.utils.ExpectedOjectInputStream

All Implemented Interfaces:

Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

public class ExpectedOjectInputStream
extends ObjectInputStream

An ObjectInputStream that will only deserialize expected classes.

Author:

Jeremy Long

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

ObjectInputStream.GetField

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor and Description
ExpectedOjectInputStream(InputStream inputStream, String... expected) Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes that can deserialized to a known set of expected classes.

Method Summary

Modifier and Type	Method and Description
protected Class<?>	resolveClass(ObjectStreamClass desc) Only deserialize instances of expected classes by validating the class name prior to deserialization.

Methods inherited from class java.io.ObjectInputStream

available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes

Methods inherited from class java.io.InputStream

mark, markSupported, read, reset, skip

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput

read, skip

Constructor Detail

ExpectedOjectInputStream

public ExpectedOjectInputStream(InputStream inputStream,
                                String... expected)
                         throws IOException

Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes that can deserialized to a known set of expected classes.

Parameters:

inputStream - the input stream that contains the object to deserialize

expected - the fully qualified class names of the classes that can be deserialized

Throws:

IOException - thrown if there is an error reading from the stream

Method Detail

resolveClass

protected Class<?> resolveClass(ObjectStreamClass desc)
                         throws IOException,
                                ClassNotFoundException

Only deserialize instances of expected classes by validating the class name prior to deserialization.

Overrides:

resolveClass in class ObjectInputStream

Parameters:

desc - the class from the object stream to validate

Returns:

the resolved class

Throws:

IOException - thrown if the class being read is not one of the expected classes or if there is an error reading from the stream

ClassNotFoundException - thrown if there is an error finding the class to deserialize