Class ExpectedObjectInputStream

  • All Implemented Interfaces:
    java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable

    public class ExpectedObjectInputStream
    extends java.io.ObjectInputStream
    An ObjectInputStream that will only deserialize expected classes.
    Author:
    Jeremy Long
    • Nested Class Summary

      • Nested classes/interfaces inherited from class java.io.ObjectInputStream

        java.io.ObjectInputStream.GetField
    • Field Summary

      • Fields inherited from interface java.io.ObjectStreamConstants

        baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
    • Constructor Summary

      Constructors
      Constructor: ExpectedObjectInputStream(java.io.InputStream inputStream, java.lang.String... expected)
      Description: Constructs a new ExpectedObjectInputStream that can be used to securely deserialize an object by restricting the classes that can be deserialized to a known set of expected classes.
    • Method Summary

      Methods
      Modifier and Type: protected java.lang.Class<?>
      Method: resolveClass(java.io.ObjectStreamClass desc)
      Description: Only deserialize instances of expected classes by validating the class name prior to deserialization.
      • Methods inherited from class java.io.ObjectInputStream

        available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes
      • Methods inherited from class java.io.InputStream

        mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, transferTo
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
      • Methods inherited from interface java.io.ObjectInput

        read, skip
    • Constructor Detail

      • ExpectedObjectInputStream

        public ExpectedObjectInputStream(java.io.InputStream inputStream,
                                         java.lang.String... expected)
                                  throws java.io.IOException
        Constructs a new ExpectedObjectInputStream that can be used to securely deserialize an object by restricting the classes that can be deserialized to a known set of expected classes.
        Parameters:
        inputStream - the input stream that contains the object to deserialize
        expected - the fully qualified class names of the classes that can be deserialized
        Throws:
        java.io.IOException - thrown if there is an error reading from the stream
    • Method Detail

      • resolveClass

        protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass desc)
                                           throws java.io.IOException,
                                                  java.lang.ClassNotFoundException
        Only deserialize instances of expected classes by validating the class name prior to deserialization.
        Overrides:
        resolveClass in class java.io.ObjectInputStream
        Throws:
        java.io.IOException
        java.lang.ClassNotFoundException
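As an added worked example (not the project's own code), the following reimplements the look-ahead pattern this class documents: resolveClass is overridden to reject any class descriptor whose name is not in the expected set, which happens before the object is instantiated. AllowListObjectInputStream, serialize, readExpecting and the java.util.Date / java.util.ArrayList sample inputs are constructed for illustration.

```java
import java.io.*;
import java.util.*;

public class ExpectedObjectInputStreamExample {
    // Illustrative stand-in for ExpectedObjectInputStream (not the project's source).
    // resolveClass() runs for every class descriptor in the stream before an instance
    // is created, so an unexpected class is rejected before any of its code can run.
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> expected;

        AllowListObjectInputStream(InputStream in, String... expected) throws IOException {
            super(in);
            this.expected = new HashSet<>(Arrays.asList(expected));
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!expected.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not in expected set");
            }
            return super.resolveClass(desc);
        }
    }

    // Serialize any object to bytes; stands in for untrusted input arriving over the wire.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object readExpecting(byte[] data, String... expected) throws Exception {
        try (ObjectInputStream in =
                     new AllowListObjectInputStream(new ByteArrayInputStream(data), expected)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Only java.util.Date is expected; an ArrayList in the same stream position is refused.
        Object d = readExpecting(serialize(new Date()), "java.util.Date");
        System.out.println("accepted: " + d.getClass().getName());
        try {
            readExpecting(serialize(new ArrayList<String>()), "java.util.Date");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Every class descriptor in the object graph, including superclasses and the classes of non-primitive field values, passes through resolveClass, so the expected list must name all of them; String values are written as TC_STRING and never reach resolveClass.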