Class ExpectedObjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

org.owasp.dependencycheck.utils.ExpectedObjectInputStream

All Implemented Interfaces:

Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

public class ExpectedObjectInputStream
extends ObjectInputStream

An ObjectInputStream that will only deserialize expected classes.

Version:

$Id: $Id

Author:

Jeremy Long

Nested Class Summary

Nested classes/interfaces inherited from class ObjectInputStream

ObjectInputStream.GetField

Field Summary

Fields inherited from interface ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor	Description
ExpectedObjectInputStream(InputStream inputStream, String... expected)	Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes that can deserialized to a known set of expected classes.

Method Summary

Modifier and Type	Method	Description
protected Class<?>	resolveClass(ObjectStreamClass desc)	Only deserialize instances of expected classes by validating the class name prior to deserialization.

Methods inherited from class ObjectInputStream

available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes

Methods inherited from class InputStream

mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface ObjectInput

read, skip

Constructor Details

ExpectedObjectInputStream

public ExpectedObjectInputStream(InputStream inputStream,
 String... expected)
                          throws IOException

Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes that can deserialized to a known set of expected classes.

Parameters:

inputStream - the input stream that contains the object to deserialize

expected - the fully qualified class names of the classes that can be deserialized

Throws:

IOException - thrown if there is an error reading from the stream

Method Details

resolveClass

protected Class<?> resolveClass(ObjectStreamClass desc)
                         throws IOException,
ClassNotFoundException

Only deserialize instances of expected classes by validating the class name prior to deserialization.

Overrides:

resolveClass in class ObjectInputStream

Throws:

IOException

ClassNotFoundException