HTTPCLIENT-2023: Allow nested arrays and all primitive types in DefaultHttpCacheEntrySerializer
This commit is contained in:
Olof Larsson
Oleg Kalnichevski
parent
d62616bb29
commit
e1f48e788d
|
|
@ -55,24 +55,8 @@ import org.apache.hc.core5.annotation.ThreadingBehavior;
|
|||
@Contract(threading = ThreadingBehavior.STATELESS)
|
||||
public final class ByteArrayCacheEntrySerializer implements HttpCacheEntrySerializer<byte[]> {
|
||||
|
||||
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
|
||||
Pattern.compile("^(\\[L)?org\\.apache\\.hc\\.(.*)"),
|
||||
Pattern.compile("^(\\[L)?java\\.util\\.(.*)"),
|
||||
Pattern.compile("^(\\[L)?java\\.lang\\.(.*)$"),
|
||||
Pattern.compile("^\\[B$")));
|
||||
|
||||
public static final ByteArrayCacheEntrySerializer INSTANCE = new ByteArrayCacheEntrySerializer();
|
||||
|
||||
private final List<Pattern> allowedClassPatterns;
|
||||
|
||||
ByteArrayCacheEntrySerializer(final Pattern... allowedClassPatterns) {
|
||||
this.allowedClassPatterns = Collections.unmodifiableList(Arrays.asList(allowedClassPatterns));
|
||||
}
|
||||
|
||||
public ByteArrayCacheEntrySerializer() {
|
||||
this.allowedClassPatterns = ALLOWED_CLASS_PATTERNS;
|
||||
}
|
||||
|
||||
@Override
|
||||
public byte[] serialize(final HttpCacheStorageEntry cacheEntry) throws ResourceIOException {
|
||||
if (cacheEntry == null) {
|
||||
|
|
@ -92,42 +76,54 @@ public final class ByteArrayCacheEntrySerializer implements HttpCacheEntrySerial
|
|||
if (serializedObject == null) {
|
||||
return null;
|
||||
}
|
||||
try (final ObjectInputStream ois = new RestrictedObjectInputStream(
|
||||
new ByteArrayInputStream(serializedObject), allowedClassPatterns)) {
|
||||
try (final ObjectInputStream ois = new RestrictedObjectInputStream(new ByteArrayInputStream(serializedObject))) {
|
||||
return (HttpCacheStorageEntry) ois.readObject();
|
||||
} catch (final IOException | ClassNotFoundException ex) {
|
||||
throw new ResourceIOException(ex.getMessage(), ex);
|
||||
}
|
||||
}
|
||||
|
||||
private static class RestrictedObjectInputStream extends ObjectInputStream {
|
||||
// visible for testing
|
||||
static class RestrictedObjectInputStream extends ObjectInputStream {
|
||||
|
||||
private final List<Pattern> allowedClassPatterns;
|
||||
private static final List<Pattern> ALLOWED_CLASS_PATTERNS = Collections.unmodifiableList(Arrays.asList(
|
||||
Pattern.compile("^(\\[L)?org\\.apache\\.hc\\.(.*)"),
|
||||
Pattern.compile("^(?:\\[+L)?java\\.util\\..*$"),
|
||||
Pattern.compile("^(?:\\[+L)?java\\.lang\\..*$"),
|
||||
Pattern.compile("^\\[+Z$"), // boolean
|
||||
Pattern.compile("^\\[+B$"), // byte
|
||||
Pattern.compile("^\\[+C$"), // char
|
||||
Pattern.compile("^\\[+D$"), // double
|
||||
Pattern.compile("^\\[+F$"), // float
|
||||
Pattern.compile("^\\[+I$"), // int
|
||||
Pattern.compile("^\\[+J$"), // long
|
||||
Pattern.compile("^\\[+S$") // short
|
||||
));
|
||||
|
||||
private RestrictedObjectInputStream(final InputStream in, final List<Pattern> patterns) throws IOException {
|
||||
private RestrictedObjectInputStream(final InputStream in) throws IOException {
|
||||
super(in);
|
||||
this.allowedClassPatterns = patterns;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
|
||||
if (isProhibited(desc)) {
|
||||
protected Class<?> resolveClass(final ObjectStreamClass objectStreamClass) throws IOException, ClassNotFoundException {
|
||||
final String className = objectStreamClass.getName();
|
||||
if (!isAllowedClassName(className)) {
|
||||
throw new ResourceIOException(String.format(
|
||||
"Class %s is not allowed for deserialization", desc.getName()));
|
||||
"Class %s is not allowed for deserialization", objectStreamClass.getName()));
|
||||
}
|
||||
return super.resolveClass(desc);
|
||||
return super.resolveClass(objectStreamClass);
|
||||
}
|
||||
|
||||
private boolean isProhibited(final ObjectStreamClass desc) {
|
||||
if (allowedClassPatterns != null) {
|
||||
for (final Pattern pattern : allowedClassPatterns) {
|
||||
if (pattern.matcher(desc.getName()).matches()) {
|
||||
return false;
|
||||
}
|
||||
// visible for testing
|
||||
static boolean isAllowedClassName(final String className) {
|
||||
for (final Pattern allowedClassPattern : ALLOWED_CLASS_PATTERNS) {
|
||||
if (allowedClassPattern.matcher(className).matches()) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
return false;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -27,23 +27,25 @@
|
|||
package org.apache.hc.client5.http.impl.cache;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertThat;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.ObjectOutputStream;
|
||||
import java.nio.charset.Charset;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import org.apache.hc.client5.http.cache.HttpCacheEntry;
|
||||
import org.apache.hc.client5.http.cache.HttpCacheStorageEntry;
|
||||
import org.apache.hc.client5.http.cache.ResourceIOException;
|
||||
import org.apache.hc.client5.http.cache.Resource;
|
||||
import org.apache.hc.core5.http.Header;
|
||||
import org.apache.hc.core5.http.HttpStatus;
|
||||
import org.apache.hc.core5.http.message.BasicHeader;
|
||||
import org.apache.hc.core5.http.message.StatusLine;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
|
|
@ -51,8 +53,6 @@ import com.sun.rowset.JdbcRowSetImpl;
|
|||
|
||||
public class TestByteArrayCacheEntrySerializer {
|
||||
|
||||
private static final Charset UTF8 = Charset.forName("UTF-8");
|
||||
|
||||
private ByteArrayCacheEntrySerializer impl;
|
||||
|
||||
@Before
|
||||
|
|
@ -62,28 +62,180 @@ public class TestByteArrayCacheEntrySerializer {
|
|||
|
||||
@Test
|
||||
public void canSerializeEntriesWithVariantMaps() throws Exception {
|
||||
readWriteVerify(makeCacheEntryWithVariantMap("key"));
|
||||
readWriteVerify(makeCacheEntryWithVariantMap("somekey"));
|
||||
}
|
||||
|
||||
@Test(expected = ResourceIOException.class)
|
||||
public void throwExceptionIfUnsafeDeserialization() throws IOException {
|
||||
impl.deserialize(serializeProhibitedObject());
|
||||
@Test
|
||||
public void isAllowedClassNameStringTrue() {
|
||||
assertIsAllowedClassNameTrue(String.class.getName());
|
||||
}
|
||||
|
||||
@Test(expected = ResourceIOException.class)
|
||||
public void allowClassesToBeDeserialized() throws IOException {
|
||||
impl = new ByteArrayCacheEntrySerializer(
|
||||
Pattern.compile("javax.sql.rowset.BaseRowSet"),
|
||||
Pattern.compile("com.sun.rowset.JdbcRowSetImpl"));
|
||||
impl.deserialize(serializeProhibitedObject());
|
||||
@Test
|
||||
public void isAllowedClassNameStringArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[L" + String.class.getName());
|
||||
}
|
||||
|
||||
@Test(expected = ResourceIOException.class)
|
||||
public void allowClassesToBeDeserializedByRegex() throws IOException {
|
||||
impl = new ByteArrayCacheEntrySerializer(
|
||||
Pattern.compile(("^com\\.sun\\.rowset\\.(.*)")),
|
||||
Pattern.compile("^javax\\.sql\\.rowset\\.BaseRowSet$"));
|
||||
impl.deserialize(serializeProhibitedObject());
|
||||
@Test
|
||||
public void isAllowedClassNameStringArrayArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[[L" + String.class.getName());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameDataTrue() {
|
||||
assertIsAllowedClassNameTrue(Date.class.getName());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameStatusLineTrue() {
|
||||
assertIsAllowedClassNameTrue(StatusLine.class.getName());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameResourceTrue() {
|
||||
assertIsAllowedClassNameTrue(Resource.class.getName());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameByteArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[B");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameByteArrayArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[[B");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameCharArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[C");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameCharArrayArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[[C");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameDoubleArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[D");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameDoubleArrayArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[[D");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameFloatArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[F");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameFloatArrayArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[[F");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameIntArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[I");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameIntArrayArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[[I");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameLongArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[J");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameLongArrayArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[[J");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameShortArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[S");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameShortArrayArrayTrue() {
|
||||
assertIsAllowedClassNameTrue("[[S");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameCollectionsInvokerTransformerFalse() {
|
||||
assertIsAllowedClassNameFalse("org.apache.commons.collections.functors.InvokerTransformer");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameCollections4InvokerTransformerFalse() {
|
||||
assertIsAllowedClassNameFalse("org.apache.commons.collections4.functors.InvokerTransformer");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameCollectionsInstantiateTransformerFalse() {
|
||||
assertIsAllowedClassNameFalse("org.apache.commons.collections.functors.InstantiateTransformer");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameCollections4InstantiateTransformerFalse() {
|
||||
assertIsAllowedClassNameFalse("org.apache.commons.collections4.functors.InstantiateTransformer");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameGroovyConvertedClosureFalse() {
|
||||
assertIsAllowedClassNameFalse("org.codehaus.groovy.runtime.ConvertedClosure");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameGroovyMethodClosureFalse() {
|
||||
assertIsAllowedClassNameFalse("org.codehaus.groovy.runtime.MethodClosure");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameSpringObjectFactoryFalse() {
|
||||
assertIsAllowedClassNameFalse("org.springframework.beans.factory.ObjectFactory");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameCalanTemplatesImplFalse() {
|
||||
assertIsAllowedClassNameFalse("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameCalanTemplatesImplArrayFalse() {
|
||||
assertIsAllowedClassNameFalse("[Lcom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameJavaRmiRegistryFalse() {
|
||||
assertIsAllowedClassNameFalse("java.rmi.registry.Registry");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameJavaRmiServerRemoteObjectInvocationHandlerFalse() {
|
||||
assertIsAllowedClassNameFalse("java.rmi.server.RemoteObjectInvocationHandler");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameJavaxXmlTransformTemplatesFalse() {
|
||||
assertIsAllowedClassNameFalse("javax.xml.transform.Templates");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void isAllowedClassNameJavaxManagementMBeanServerInvocationHandlerFalse() {
|
||||
assertIsAllowedClassNameFalse("javax.management.MBeanServerInvocationHandler");
|
||||
}
|
||||
|
||||
private static void assertIsAllowedClassNameTrue(final String className) {
|
||||
assertTrue(ByteArrayCacheEntrySerializer.RestrictedObjectInputStream.isAllowedClassName(className));
|
||||
}
|
||||
|
||||
private static void assertIsAllowedClassNameFalse(final String className) {
|
||||
assertFalse(ByteArrayCacheEntrySerializer.RestrictedObjectInputStream.isAllowedClassName(className));
|
||||
}
|
||||
|
||||
private byte[] serializeProhibitedObject() throws IOException {
|
||||
|
|
@ -123,7 +275,7 @@ public class TestByteArrayCacheEntrySerializer {
|
|||
new Date(),
|
||||
HttpStatus.SC_OK,
|
||||
headers,
|
||||
new HeapResource(body.getBytes(UTF8)), variantMap);
|
||||
new HeapResource(body.getBytes(StandardCharsets.UTF_8)), variantMap);
|
||||
|
||||
return new HttpCacheStorageEntry(key, cacheEntry);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue