[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bertrand Delacretaz updated IO-487:
---
Attachment: IO-487-accept-reject-2.patch

Here's an updated {{IO-487-accept-reject-2.patch}} that adds a protected {{invalidClassNameFound}} method to {{ValidatingObjectInputStream}}, as suggested by [~ebourg]. That method could be overridden to log invalid classes instead of failing, and it also includes the comment about not logging the invalid class name.

Do you guys think this can be committed? I guess what's important is to agree on the API-like elements which are only the {{ClassNameMatcher}} interface and the public/protected methods of {{ValidatingObjectInputStream}}.

> SafeObjectInputStream contribution - restrict which classes can be deserialized
> ---
>
> Key: IO-487
> URL: https://issues.apache.org/jira/browse/IO-487
> Project: Commons IO
> Issue Type: Improvement
> Components: Utilities
> Affects Versions: 2.4
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Labels: patch
> Fix For: 2.5
>
> Attachments: IO-487-2.patch, IO-487-accept-reject-2.patch, IO-487-accept-reject.patch, IO-487-matchers.patch, IO-487-name-regex-acceptor.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch, IO-487.patch
>
>
> As discussed on the commons dev list I'd like to contribute my SLING-5288 code to commons-io. I'll attach a patch.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Crum updated IO-487:
---
Attachment: IO-487.patch

Updated patch with Niall's changes.

The biggest problem I see with this issue is we have multiple contributors working on different versions of the patches. There needs to be better coordination.
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bertrand Delacretaz updated IO-487:
---
Attachment: IO-487-accept-reject.patch

Here's IO-487-accept-reject.patch with the suggested accept/reject syntax. {{ValidatingObjectInputStreamTest}} has a number of examples.
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bertrand Delacretaz updated IO-487:
---
Attachment: IO-487-matchers.patch

Based on all those great ideas, here's a variant (IO-487-matchers.patch) that I find simpler and more foolproof to use. The single-class setup code is now

{code}
// Accept exactly one class; everything else is refused
ObjectInputStream ois = new ValidatingObjectInputStream(is)
    .withWhitelist(new FullClassNameMatcher(MyClass.class.getName()));
{code}

And allowing a full package except for a specific class would be

{code}
// Accept a whole package by regex, then exclude one class from it
ObjectInputStream ois = new ValidatingObjectInputStream(is)
    .withWhitelist(new RegexClassNameMatcher("com\\.example\\.foo.*"))
    .withBlacklist(com.example.foo.SomeBadClass.class.getName());
{code}

Someone said they prefer include/exclude instead of black/whitelists. I don't mind, it's just that the latter are common terms in security discussions.
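The accept/reject behaviour discussed in this thread (a whitelist pattern with a blacklisted exception, plus the overridable {{invalidClassNameFound}} hook mentioned with IO-487-accept-reject-2.patch), as an added JDK-only example that is not part of the thread or of the Commons IO patches. The names FilteringObjectInputStream, accept, reject and read are assumptions chosen for illustration, and the serialized inputs are constructed in the code.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

// Added illustration using only the JDK; all names here are hypothetical.
public class AllowListDemo {
    static class FilteringObjectInputStream extends ObjectInputStream {
        private final List<Pattern> accepted = new ArrayList<>();
        private final Set<String> rejected = new HashSet<>();

        FilteringObjectInputStream(InputStream in) throws IOException { super(in); }
        FilteringObjectInputStream accept(String regex) { accepted.add(Pattern.compile(regex)); return this; }
        FilteringObjectInputStream reject(String className) { rejected.add(className); return this; }

        // Runs for every class descriptor in the stream (superclasses included),
        // before any object of that class is instantiated.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            boolean ok = false;
            for (Pattern p : accepted) ok |= p.matcher(name).matches();
            // Reject wins over accept; with no accept rule, nothing is allowed.
            if (!ok || rejected.contains(name)) invalidClassNameFound(name);
            return super.resolveClass(desc);
        }

        // Overridable hook; the default fails closed. 'name' is untrusted stream data.
        protected void invalidClassNameFound(String name) throws InvalidClassException {
            throw new InvalidClassException(name, "class not accepted for deserialization");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object read(byte[] data) throws IOException, ClassNotFoundException {
        try (FilteringObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(data))) {
            return in.accept("java\\.lang\\..*").accept("java\\.util\\..*")
                     .reject("java.util.Date").readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(read(serialize(Integer.valueOf(42))));   // constructed input: accepted
        try {
            read(serialize(new Date(0)));                            // constructed input: rejected
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the check runs per class descriptor, an accept rule has to cover the superclasses of the expected type as well: the Integer above passes only because java.lang.Number also matches the pattern.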
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Niall Pemberton updated IO-487:
---
Attachment: IO-487-name-regex-acceptor.patch

An alternative would be for single RegexClassAcceptor & NameClassAcceptor implementations that do both include & exclude. Attaching patch containing implementations.
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Crum updated IO-487:
---
Attachment: IO-487.patch

Latest patch with the new class names. I'm still working on the unit tests. I can't get Cobertura to work with maven, so I'm trying to get it to work with ant.
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Niall Pemberton updated IO-487:
---
Attachment: IO-487-2.patch

Attaching IO-487-2.patch which includes the following:
* Change the ClassAcceptor's accept() method to return a boolean
* RegexpClassAcceptor (in place of WhiteRegexpClassAcceptor & BlackRegexpClassAcceptor)
* NameClassAcceptor (in place of WhitelistClassAcceptor & BlacklistClassAcceptor)
* add NotClassAcceptor (to provide blacklist/exclusion functionality of above implementations)
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bertrand Delacretaz updated IO-487:
---
Attachment: IO-487.patch
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Crum updated IO-487:
---
Attachment: IO-487.patch

Improved patch attached. Added missing @Overrides, added missing JavaDocs, added more ClassAcceptor implementations, added thread safety.
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bertrand Delacretaz updated IO-487:
---
Attachment: IO-487.patch

Here's an updated patch that uses UnsupportedOperationException, good idea.

A package-based ClassAcceptor sounds like a good idea, don't have time to write this right now.

I think RegexpClassAcceptor can be useful for code with a suboptimal package organization, but that could also be made optional and not included in the library, I don't know how much you want to minimize the size of commons-io.
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bertrand Delacretaz updated IO-487:
---
Attachment: IO-487.patch

Another update...just a comment change.
[jira] [Updated] (IO-487) SafeObjectInputStream contribution - restrict which classes can be deserialized
[ https://issues.apache.org/jira/browse/IO-487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Crum updated IO-487:
---
Attachment: IO-487.patch

Updated patch that includes the suggestions made so far. I think the latest API is flexible and easy to use.