On Mon, 31 May 2021 15:44:06 GMT, Roger Riggs <rri...@openjdk.org> wrote:

>> JEP 415: Context-specific Deserialization Filters extends the 
>> deserialization filtering mechanisms with more flexible and customizable 
>> protections against malicious deserialization.  See JEP 415: 
>> https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are 
>> extended with additional
>> configuration mechanisms and filter utilities.
>> 
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and 
>> `ObjectInputStream`:
>>     
>> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request with a new target base due to a 
> merge or a rebase. The incremental webrev excludes the unrelated changes 
> brought in by the merge/rebase. The pull request contains 15 additional 
> commits since the last revision:
> 
>  - Added protections to aid in auditing of filter and filter factory to
>    ensure effective filtering and compatibility with previous releases.
>    Fixed a bug in allow/rejectFilter()
>    Cleanup of error stages and messages related to setting filter factory
>    with Config.setSerialFilterFactory.
>    Updated tests to match.
>  - Merge branch 'master' into 8264859-context-filter-factory
>  - Merge branch 'master' into 8264859-context-filter-factory
>  - Added test for rejectUndecidedClass array cases
>    Added test for preventing disabling filter factory
>    Test cleanup
>  - Editorial updates to review comments.
>    Simplify the builtin filter factory implementation.
>    Add atomic update to setting the filter factory.
>    Clarify the description of OIS.setObjectInputFilter.
>    Cleanup of the example code.
>  - Editorial updates
>    Updated java.security properties to include jdk.serialFilterFactory
>    Added test cases to SerialFilterFactoryTest for java.security properties and
>    enabling of the SecurityManager with existing policy permission files
>    Corrected a test that OIS.setObjectInputFilter could not be called twice.
>    Removed a Factory test that was not intended to be committed
>  - Moved utility filter methods to be static on ObjectInputFilter
>    Rearranged the class javadoc of OIF to describe the parts of
>    deserialization filtering, filters, composite filters, and the filter factory.
>    And other review comment updates...
>  - Refactored tests for utility functions to SerialFilterFunctionTest.java
>    Deleted confused Config.allowMaxLimits() method
>    Updated example to match move of methods to Config
>    Added test of restriction on setting the filter factory after an OIS has been created
>    Additional Editorial updates
>  - Move merge and rejectUndecidedClass methods to OIF.Config
>    As default methods on OIF, their implementations were not concrete and not trustable
>  - Review suggestions included;
>    Added @implSpec for default methods in OIF;
>    Added restriction that the filter factory cannot be set after an ObjectInputStream has been created and applied the current filter factory
>  - ... and 5 more: https://git.openjdk.java.net/jdk/compare/c4cf067d...6d07298f

Marked as reviewed by dfuchs (Reviewer).

src/java.base/share/classes/java/io/ObjectInputFilter.java line 601:

> 599:          * @see Config#setSerialFilterFactory(BinaryOperator)
> 600:          */
> 601:         private static final AtomicBoolean filterFactoryNoReplace = new AtomicBoolean(false);

Nit: This could simply be `new AtomicBoolean()`; IIRC it saves a volatile write.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
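
The filter-factory mechanism discussed in this thread, as an added example (not code from the pull request or the JDK). It uses the `ObjectInputFilter` API as it shipped in JDK 17; the class name `FilterFactoryDemo`, the `java.lang.*` allow-list and the limits are assumptions chosen for illustration.

```java
import java.io.*;
import java.util.Date;

public class FilterFactoryDemo {
    // Constructed JVM-wide allow-list (an assumption for this demo): java.lang classes plus limits.
    static final ObjectInputFilter BASE =
            ObjectInputFilter.Config.createFilter("java.lang.*;maxdepth=10;maxbytes=4096");

    // Filter factory: called with (null, JVM-wide filter) when a stream is constructed and
    // with (current, requested) when setObjectInputFilter is called on that stream.
    static ObjectInputFilter factory(ObjectInputFilter current, ObjectInputFilter requested) {
        if (current == null) {
            ObjectInputFilter base = (requested == null) ? BASE
                    : ObjectInputFilter.merge(requested, BASE);
            // Any class the allow-list leaves UNDECIDED becomes REJECTED.
            return ObjectInputFilter.rejectUndecidedClass(base);
        }
        // merge() returns REJECTED if either filter rejects, so a per-stream
        // filter can narrow the current filter but never widen it.
        return (requested == null) ? current : ObjectInputFilter.merge(requested, current);
    }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object read(byte[] data, ObjectInputFilter streamFilter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (streamFilter != null) ois.setObjectInputFilter(streamFilter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Must run before the first ObjectInputStream is created, and only once.
        ObjectInputFilter.Config.setSerialFilterFactory(FilterFactoryDemo::factory);

        System.out.println("Integer: " + read(write(42), null));

        // A per-stream filter that tries to allow java.util.* is overruled by the base filter.
        ObjectInputFilter loose = ObjectInputFilter.Config.createFilter("java.util.*");
        try {
            read(write(new Date()), loose);
        } catch (InvalidClassException e) {
            System.out.println("Date rejected: " + e.getMessage());
        }
    }
}
```

Calling `setSerialFilterFactory` a second time, or after any `ObjectInputStream` has been constructed, throws `IllegalStateException`, which is the restriction the commit list above describes.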
