Author: rmannibucau Date: Fri Nov 27 12:15:47 2015 New Revision: 1716859 URL: http://svn.apache.org/viewvc?rev=1716859&view=rev Log: OPENJPA-2617 adding BlacklistClassResolver to support blacklisting of class loading in our ObjectInputStream
Added:
openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java
Modified:
openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java
openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java
Added: openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java
URL: http://svn.apache.org/viewvc/openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java?rev=1716859&view=auto
==============================================================================
--- openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java (added)
+++ openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java Fri Nov 27 12:15:47 2015
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.openjpa.util;
+
+public class BlacklistClassResolver {
+ public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
+ toArray(
+ System.getProperty(
+ "openjpa.serialization.class.blacklist",
+ "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan")),
+ toArray(System.getProperty("openjpa.serialization.class.whitelist")));
+
+ private final String[] blacklist;
+ private final String[] whitelist;
+
+ protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+ this.whitelist = whitelist;
+ this.blacklist = blacklist;
+ }
+
+ protected boolean isBlacklisted(final String name) {
+ return !contains(whitelist, name) && contains(blacklist, name);
+ }
+
+ public final String check(final String name) {
+ if (isBlacklisted(name)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ return name;
+ }
+
+ private static String[] toArray(final String property) {
+ return property == null ? null : property.split(" *, *");
+ }
+
+ private static boolean contains(final String[] list, String name) {
+ if (list != null) {
+ for (final String white : list) {
+ if (name.startsWith(white)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+}
Modified: openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java
URL: http://svn.apache.org/viewvc/openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java?rev=1716859&r1=1716858&r2=1716859&view=diff
==============================================================================
--- openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java (original)
+++ openjpa/trunk/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java Fri Nov 27 12:15:47 2015
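Review bot: A blank entry in either list silently changes the outcome, because `toArray` keeps empty elements and `contains` tests `name.startsWith(white)`, which every name satisfies for `""`: `"".split(" *, *")` yields `{""}`, so `-Dopenjpa.serialization.class.whitelist=` with the value omitted, or a leading comma in the whitelist, makes `isBlacklisted` return false for every class, while the same blank in the blacklist rejects every class. Since the whitelist is consulted first, a whitelist typo fails open rather than closed; dropping blank and whitespace-only entries in `toArray`, as below, makes a malformed property behave like an absent one (an explicitly empty blacklist then lists nothing, which is at least a deliberate choice). The default entry `org.apache.xalan` also lacks the trailing dot the other two entries carry, so it matches any name beginning with that text; harmless, but worth making consistent. The class has no Javadoc; a header saying that entries are class-name prefixes, that the whitelist is an exemption list that takes precedence, and naming the two system properties would help operators configure it correctly.
```java
private static String[] toArray(final String property) {
    if (property == null) {
        return null;
    }
    // drop blank entries: "" or a stray comma would otherwise produce a ""
    // prefix, and every class name starts with ""
    final String[] raw = property.split(",");
    int kept = 0;
    for (int i = 0; i < raw.length; i++) {
        final String trimmed = raw[i].trim();
        if (!trimmed.isEmpty()) {
            raw[kept++] = trimmed;
        }
    }
    final String[] prefixes = new String[kept];
    System.arraycopy(raw, 0, prefixes, 0, kept);
    return prefixes;
}
// … unchanged: DEFAULT, constructor, isBlacklisted, check, contains …
```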
@@ -128,12 +128,13 @@ public class Serialization {
protected Class resolveClass(ObjectStreamClass desc)
throws IOException, ClassNotFoundException {
+ String name = BlacklistClassResolver.DEFAULT.check(desc.getName());
MultiClassLoader loader = AccessController
.doPrivileged(J2DoPrivHelper.newMultiClassLoaderAction());
addContextClassLoaders(loader);
loader.addClassLoader(getClass().getClassLoader());
loader.addClassLoader(MultiClassLoader.SYSTEM_LOADER);
- return Class.forName(desc.getName(), true, loader);
+ return Class.forName(name, true, loader);
}
protected void addContextClassLoaders(MultiClassLoader loader) {
Modified: openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java
URL: http://svn.apache.org/viewvc/openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java?rev=1716859&r1=1716858&r2=1716859&view=diff
==============================================================================
--- openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java (original)
+++ openjpa/trunk/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java Fri Nov 27 12:15:47 2015
@@ -84,6 +84,7 @@ import org.apache.openjpa.persistence.cr
import org.apache.openjpa.persistence.criteria.OpenJPACriteriaBuilder;
import org.apache.openjpa.persistence.criteria.OpenJPACriteriaQuery;
import org.apache.openjpa.persistence.validation.ValidationUtils;
+import org.apache.openjpa.util.BlacklistClassResolver;
import org.apache.openjpa.util.ExceptionInfo;
import org.apache.openjpa.util.Exceptions;
import org.apache.openjpa.util.ImplHelper;
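Review bot: `check` is applied to the raw descriptor name, so for an array entry in the stream (a name of the form `[Lx.y.Z;`) the prefix comparison in `BlacklistClassResolver.contains` never matches and the array class of a listed type is still resolved through `Class.forName(name, true, loader)`; as far as standard serialization goes each element's own descriptor still passes through this method, so this looks like a consistency gap rather than a bypass, but the EntityManagerImpl hunk that follows strips the leading `[` for exactly this case and would be the natural place to also run `check` on the component name (its body runs past this page). A one-line comment above the new line, `// reject blacklisted classes before any loader is consulted; see BlacklistClassResolver`, would record why the check precedes the loader setup. `check` throws `SecurityException`, an unchecked type, so callers that catch only `IOException`/`ClassNotFoundException` around `readObject` will see it propagate; that is reasonable for a security stop but deserves a `@throws SecurityException` line in the method's Javadoc.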
@@ -1543,7 +1544,7 @@ public class EntityManagerImpl
protected Class<?> resolveClass(ObjectStreamClass classDesc)
throws IOException, ClassNotFoundException {
- String cname = classDesc.getName();
+ String cname = BlacklistClassResolver.DEFAULT.check(classDesc.getName());
if (cname.startsWith("[")) { // An array
Class<?> component; // component class