org.apache.commons.io.serialization.ValidatingObjectInputStream.java Source code

Java tutorial

Introduction

Here is the source code for org.apache.commons.io.serialization.ValidatingObjectInputStream.java

Source

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.commons.io.serialization;

import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * An <code>ObjectInputStream</code> that's restricted to deserialize
 * a limited set of classes.
 *
 * <p>
 * Various accept/reject methods allow for specifying which classes
 * can be deserialized.
 * </p>
 * 
 * <p>
 * Design inspired by <a
 * href="http://www.ibm.com/developerworks/library/se-lookahead/">IBM
 * DeveloperWorks Article</a>.
 * </p>
 */
public class ValidatingObjectInputStream extends ObjectInputStream {
    private final List<ClassNameMatcher> acceptMatchers = new ArrayList<>();
    private final List<ClassNameMatcher> rejectMatchers = new ArrayList<>();

    /**
     * Constructs an object to deserialize the specified input stream.
     * At least one accept method needs to be called to specify which
     * classes can be deserialized, as by default no classes are 
     * accepted. 
     * 
     * @param input an input stream
     * @throws IOException if an I/O error occurs while reading stream header
     */
    public ValidatingObjectInputStream(InputStream input) throws IOException {
        super(input);
    }

    /** Check that the classname conforms to requirements.
     * @param name The class name
     * @throws InvalidClassException when a non-accepted class is encountered
     */
    private void validateClassName(String name) throws InvalidClassException {
        // Reject has precedence over accept
        for (ClassNameMatcher m : rejectMatchers) {
            if (m.matches(name)) {
                invalidClassNameFound(name);
            }
        }

        boolean ok = false;
        for (ClassNameMatcher m : acceptMatchers) {
            if (m.matches(name)) {
                ok = true;
                break;
            }
        }
        if (!ok) {
            invalidClassNameFound(name);
        }
    }

    /**
     * Called to throw <code>InvalidClassException</code> if an invalid
     * class name is found during deserialization. Can be overridden, for example
     * to log those class names.
     *  
     * @param className name of the invalid class 
     * @throws InvalidClassException if the specified class is not allowed
     */
    protected void invalidClassNameFound(String className) throws InvalidClassException {
        throw new InvalidClassException("Class name not accepted: " + className);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException {
        validateClassName(osc.getName());
        return super.resolveClass(osc);
    }

    /**
     * Accept the specified classes for deserialization, unless they 
     * are otherwise rejected.
     * 
     * @param classes Classes to accept
     * @return this object
     */
    public ValidatingObjectInputStream accept(Class<?>... classes) {
        for (Class<?> c : classes) {
            acceptMatchers.add(new FullClassNameMatcher(c.getName()));
        }
        return this;
    }

    /**
     * Reject the specified classes for deserialization, even if they 
     * are otherwise accepted.
     * 
     * @param classes Classes to reject
     * @return this object
     */
    public ValidatingObjectInputStream reject(Class<?>... classes) {
        for (Class<?> c : classes) {
            rejectMatchers.add(new FullClassNameMatcher(c.getName()));
        }
        return this;
    }

    /**
     * Accept the wildcard specified classes for deserialization,
     * unless they are otherwise rejected.
     *
     * @param patterns Wildcard filename patterns as defined by
     *                  {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
     * @return this object
     */
    public ValidatingObjectInputStream accept(String... patterns) {
        for (String pattern : patterns) {
            acceptMatchers.add(new WildcardClassNameMatcher(pattern));
        }
        return this;
    }

    /**
     * Reject the wildcard specified classes for deserialization, 
     * even if they are otherwise accepted.
     * 
     * @param patterns Wildcard filename patterns as defined by
     *                  {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
     * @return this object
     */
    public ValidatingObjectInputStream reject(String... patterns) {
        for (String pattern : patterns) {
            rejectMatchers.add(new WildcardClassNameMatcher(pattern));
        }
        return this;
    }

    /** 
     * Accept class names that match the supplied pattern for
     * deserialization, unless they are otherwise rejected.
     * 
     * @param pattern standard Java regexp
     * @return this object
     */
    public ValidatingObjectInputStream accept(Pattern pattern) {
        acceptMatchers.add(new RegexpClassNameMatcher(pattern));
        return this;
    }

    /**
     * Reject class names that match the supplied pattern for
     * deserialization, even if they are otherwise accepted.
     * 
     * @param pattern standard Java regexp
     * @return this object
     */
    public ValidatingObjectInputStream reject(Pattern pattern) {
        rejectMatchers.add(new RegexpClassNameMatcher(pattern));
        return this;
    }

    /**
     * Accept class names where the supplied ClassNameMatcher matches for
     * deserialization, unless they are otherwise rejected.
     * 
     * @param m the matcher to use
     * @return this object
     */
    public ValidatingObjectInputStream accept(ClassNameMatcher m) {
        acceptMatchers.add(m);
        return this;
    }

    /**
     * Reject class names where the supplied ClassNameMatcher matches for
     * deserialization, even if they are otherwise accepted.
     * 
     * @param m the matcher to use
     * @return this object
     */
    public ValidatingObjectInputStream reject(ClassNameMatcher m) {
        rejectMatchers.add(m);
        return this;
    }
}