OPENJPA-2617 adding BlacklistClassResolver to support blacklisting of class loading in our ObjectInputStream

git-svn-id: https://svn.apache.org/repos/asf/openjpa/trunk@1716859 13f79535-47bb-0310-9956-ffa450edef68
2025-02-21 01:15:30 +00:00 · 2015-11-27 12:15:47 +00:00 · 2015-11-27 12:15:47 +00:00 · 1dd5571047
commit 1dd5571047
parent ffaa46ef99
3 changed files with 66 additions and 2 deletions
--- a/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java
+++ b/openjpa-kernel/src/main/java/org/apache/openjpa/util/BlacklistClassResolver.java
@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.openjpa.util;
+
+public class BlacklistClassResolver {
+    public static final BlacklistClassResolver DEFAULT = new BlacklistClassResolver(
+        toArray(
+            System.getProperty(
+                "openjpa.serialization.class.blacklist",
+                "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan")),
+        toArray(System.getProperty("openjpa.serialization.class.whitelist")));
+
+    private final String[] blacklist;
+    private final String[] whitelist;
+
+    protected BlacklistClassResolver(final String[] blacklist, final String[] whitelist) {
+        this.whitelist = whitelist;
+        this.blacklist = blacklist;
+    }
+
+    protected boolean isBlacklisted(final String name) {
+        return !contains(whitelist, name) && contains(blacklist, name);
+    }
+
+    public final String check(final String name) {
+        if (isBlacklisted(name)) {
+            throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+        }
+        return name;
+    }
+
+    private static String[] toArray(final String property) {
+        return property == null ? null : property.split(" *, *");
+    }
+
+    private static boolean contains(final String[] list, String name) {
+        if (list != null) {
+            for (final String white : list) {
+                if (name.startsWith(white)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+}
--- a/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java
+++ b/openjpa-kernel/src/main/java/org/apache/openjpa/util/Serialization.java
@ -128,12 +128,13 @@ public class Serialization {

        protected Class resolveClass(ObjectStreamClass desc) 
            throws IOException, ClassNotFoundException {
+            String name = BlacklistClassResolver.DEFAULT.check(desc.getName());
            MultiClassLoader loader = AccessController
                .doPrivileged(J2DoPrivHelper.newMultiClassLoaderAction());
            addContextClassLoaders(loader);
            loader.addClassLoader(getClass().getClassLoader());
            loader.addClassLoader(MultiClassLoader.SYSTEM_LOADER);
-            return Class.forName(desc.getName(), true, loader);
+            return Class.forName(name, true, loader);
        }

        protected void addContextClassLoaders(MultiClassLoader loader) {
--- a/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java
+++ b/openjpa-persistence/src/main/java/org/apache/openjpa/persistence/EntityManagerImpl.java
@ -84,6 +84,7 @@ import org.apache.openjpa.persistence.criteria.CriteriaBuilderImpl;
 import org.apache.openjpa.persistence.criteria.OpenJPACriteriaBuilder;
 import org.apache.openjpa.persistence.criteria.OpenJPACriteriaQuery;
 import org.apache.openjpa.persistence.validation.ValidationUtils;
+import org.apache.openjpa.util.BlacklistClassResolver;
 import org.apache.openjpa.util.ExceptionInfo;
 import org.apache.openjpa.util.Exceptions;
 import org.apache.openjpa.util.ImplHelper;
@ -1543,7 +1544,7 @@ public class EntityManagerImpl
        protected Class<?> resolveClass(ObjectStreamClass classDesc)
            throws IOException, ClassNotFoundException {

-            String cname = classDesc.getName();
+            String cname = BlacklistClassResolver.DEFAULT.check(classDesc.getName());
            if (cname.startsWith("[")) {
                // An array
                Class<?> component;		// component class