Package com.luna.common.io

Class ValidateObjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

com.luna.common.io.ValidateObjectInputStream

All Implemented Interfaces:

Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

public class ValidateObjectInputStream
extends ObjectInputStream

带有类验证的对象流，用于避免反序列化漏洞
详细见：https://xz.aliyun.com/t/41/

Since:

5.2.6

Author:

looly

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

ObjectInputStream.GetField

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor	Description
ValidateObjectInputStream(InputStream inputStream, Class<?>... acceptClasses)	构造

Method Summary

Modifier and Type	Method	Description
void	accept(Class<?>... acceptClasses)	接受反序列化的类，用于反序列化验证
void	refuse(Class<?>... refuseClasses)	禁止反序列化的类，用于反序列化验证
protected Class<?>	resolveClass(ObjectStreamClass desc)	只允许反序列化SerialObject class

Methods inherited from class java.io.ObjectInputStream

available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes

Methods inherited from class java.io.InputStream

mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, skipNBytes, transferTo

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput

read, skip

Constructor Details

ValidateObjectInputStream

public ValidateObjectInputStream(InputStream inputStream,
 Class<?>... acceptClasses)
                          throws IOException

构造

Parameters:

inputStream - 流

acceptClasses - 白名单的类

Throws:

IOException - IO异常

Method Details

refuse

public void refuse(Class<?>... refuseClasses)

禁止反序列化的类，用于反序列化验证

Parameters:

refuseClasses - 禁止反序列化的类

Since:

5.3.5

accept

public void accept(Class<?>... acceptClasses)

接受反序列化的类，用于反序列化验证

Parameters:

acceptClasses - 接受反序列化的类

resolveClass

protected Class<?> resolveClass(ObjectStreamClass desc)
                         throws IOException,
ClassNotFoundException

只允许反序列化SerialObject class

Overrides:

resolveClass in class ObjectInputStream

Throws:

IOException

ClassNotFoundException