Re: svn commit: r1853691 - in /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util: ObjectInputStream.java SafeObjectInputStream.java UtilObject.java

> Author: jleroux
> Date: Sat Feb 16 09:42:03 2019
> New Revision: 1853691
>
> URL: http://svn.apache.org/viewvc?rev=1853691&view=rev
> Log:
> Improved: Improve ObjectInputStream class
> (OFBIZ-10837)
>
> As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1],
> a code smell in Findbugs[2]) when extending to use the same name than the
> extended Object
>
> [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
> [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
>
> Added:
>      ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java   (with props)
> Removed:
>      ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
> Modified:
>      ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
>
> Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691&view=auto
> ==============================================================================
> --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (added)
> +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java Sat Feb 16 09:42:03 2019
> @@ -0,0 +1,86 @@
> +/*******************************************************************************
> + * Licensed to the Apache Software Foundation (ASF) under one
> + * or more contributor license agreements.  See the NOTICE file
> + * distributed with this work for additional information
> + * regarding copyright ownership.  The ASF licenses this file
> + * to you under the Apache License, Version 2.0 (the
> + * "License"); you may not use this file except in compliance
> + * with the License.  You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing,
> + * software distributed under the License is distributed on an
> + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> + * KIND, either express or implied.  See the License for the
> + * specific language governing permissions and limitations
> + * under the License.
> + *******************************************************************************/
> +package org.apache.ofbiz.base.util;
> +
> +import java.io.IOException;
> +import java.io.InputStream;
> +import java.io.ObjectStreamClass;
> +import java.lang.reflect.Proxy;
> +import java.util.List;
> +import java.util.regex.Pattern;
> +
> +/**
> + * ObjectInputStream
> + *
> + */
> +public class SafeObjectInputStream extends java.io.ObjectInputStream implements AutoCloseable {
> +
> +    private ClassLoader classloader;
> +    private Pattern WHITELIST_PATTERN = null;
> +
> +    public SafeObjectInputStream(InputStream in, ClassLoader loader) throws IOException {
> +        super(in);
> +        this.classloader = loader;
> +    }
> +
> +    public SafeObjectInputStream(InputStream in, ClassLoader loader, List<String> whitelist) throws IOException {
> +        super(in);
> +        this.classloader = loader;
> +        StringBuilder bld = new StringBuilder("(");
> +        for (int i = 0; i < whitelist.size(); i++) {
> +            bld.append(whitelist.get(i));
> +            if (i != whitelist.size() - 1) {
> +                bld.append("|");
> +            }
> +        }
> +        bld.append(")");
> +        WHITELIST_PATTERN = Pattern.compile(bld.toString());
> +    }
> +
> +
> +    /**
> +     * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass)
> +     */
> +    @Override
> +    protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
> +        if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) {
> +            throw new ClassCastException("Incompatible class: " + classDesc.getName());
> +        }
> +
> +        return ObjectType.loadClass(classDesc.getName(), classloader);
> +    }
> +
> +    /**
> +     * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[])
> +     */
> +    @Override
> +    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
> +        Class<?>[] cinterfaces = new Class<?>[interfaces.length];
> +        for (int i = 0; i < interfaces.length; i++) {
> +            cinterfaces[i] = classloader.loadClass(interfaces[i]);
> +        }
> +
> +        try {
> +            return Proxy.getProxyClass(classloader, cinterfaces);
> +        } catch (IllegalArgumentException e) {
> +            throw new ClassNotFoundException(null, e);
> +        }
> +
> +    }
> +}
>
> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
> ------------------------------------------------------------------------------
>      svn:eol-style = native
>
> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
> ------------------------------------------------------------------------------
>      svn:keywords = Date Rev Author URL Id
>
> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
> ------------------------------------------------------------------------------
>      svn:mime-type = text/plain
>
> Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1853691&r1=1853690&r2=1853691&view=diff
> ==============================================================================
> --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
> +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sat Feb 16 09:42:03 2019
> @@ -139,16 +139,12 @@ public final class UtilObject {
>  
>       /** Deserialize a byte array back to an object */
>       public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
> -        ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
> -        try {
> -            ObjectInputStream ois = new ObjectInputStream(bis, Thread.currentThread().getContextClassLoader());
> -            try {
> -                return ois.readObject();
> -            } finally {
> -                ois.close();
> -            }
> -        } finally {
> -            bis.close();
> +        try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
> +                SafeObjectInputStream wois = new SafeObjectInputStream(bis,
> +                        Thread.currentThread().getContextClassLoader(),
> +                        java.util.Arrays.asList("byte\\[\\]", "Number", "Long", "foo", "SerializationInjector"));
> +                ) { // byte[] used in EntityCrypto::doDecrypt, all others used in UtilObjectTests::testGetObject
> +            return wois.readObject();
>           }
>       }
>  
>
>
>

> Hi,
>
> There is a problem with this commit, I'm working on it...
>
> Jacques
>
> Le 16/02/2019 à 10:42, [hidden email] a écrit :
>> Author: jleroux
>> Date: Sat Feb 16 09:42:03 2019
>> New Revision: 1853691
>>
>> URL: http://svn.apache.org/viewvc?rev=1853691&view=rev
>> Log:
>> Improved: Improve ObjectInputStream class
>> (OFBIZ-10837)
>>
>> As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1],
>> a code smell in Findbugs[2]) when extending to use the same name than the
>> extended Object
>>
>> [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
>> [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
>>
>> Added:
>> ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (with props)
>> Removed:
>> ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
>> Modified:
>> ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
>>
>> Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691&view=auto
>> ==============================================================================
>> --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (added)
>> +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java Sat Feb 16 09:42:03 2019
>> @@ -0,0 +1,86 @@
>> +/*******************************************************************************
>> + * Licensed to the Apache Software Foundation (ASF) under one
>> + * or more contributor license agreements.  See the NOTICE file
>> + * distributed with this work for additional information
>> + * regarding copyright ownership.  The ASF licenses this file
>> + * to you under the Apache License, Version 2.0 (the
>> + * "License"); you may not use this file except in compliance
>> + * with the License.  You may obtain a copy of the License at
>> + *
>> + * http://www.apache.org/licenses/LICENSE-2.0
>> + *
>> + * Unless required by applicable law or agreed to in writing,
>> + * software distributed under the License is distributed on an
>> + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>> + * KIND, either express or implied.  See the License for the
>> + * specific language governing permissions and limitations
>> + * under the License.
>> + *******************************************************************************/
>> +package org.apache.ofbiz.base.util;
>> +
>> +import java.io.IOException;
>> +import java.io.InputStream;
>> +import java.io.ObjectStreamClass;
>> +import java.lang.reflect.Proxy;
>> +import java.util.List;
>> +import java.util.regex.Pattern;
>> +
>> +/**
>> + * ObjectInputStream
>> + *
>> + */
>> +public class SafeObjectInputStream extends java.io.ObjectInputStream implements AutoCloseable {
>> +
>> +    private ClassLoader classloader;
>> +    private Pattern WHITELIST_PATTERN = null;
>> +
>> +    public SafeObjectInputStream(InputStream in, ClassLoader loader) throws IOException {
>> +        super(in);
>> +        this.classloader = loader;
>> +    }
>> +
>> +    public SafeObjectInputStream(InputStream in, ClassLoader loader, List<String> whitelist) throws IOException {
>> +        super(in);
>> +        this.classloader = loader;
>> +        StringBuilder bld = new StringBuilder("(");
>> +        for (int i = 0; i < whitelist.size(); i++) {
>> +            bld.append(whitelist.get(i));
>> +            if (i != whitelist.size() - 1) {
>> +                bld.append("|");
>> +            }
>> +        }
>> +        bld.append(")");
>> +        WHITELIST_PATTERN = Pattern.compile(bld.toString());
>> +    }
>> +
>> +
>> +    /**
>> +     * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass)
>> +     */
>> +    @Override
>> +    protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
>> +        if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) {
>> +            throw new ClassCastException("Incompatible class: " + classDesc.getName());
>> +        }
>> +
>> +        return ObjectType.loadClass(classDesc.getName(), classloader);
>> +    }
>> +
>> +    /**
>> +     * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[])
>> +     */
>> +    @Override
>> +    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
>> +        Class<?>[] cinterfaces = new Class<?>[interfaces.length];
>> +        for (int i = 0; i < interfaces.length; i++) {
>> +            cinterfaces[i] = classloader.loadClass(interfaces[i]);
>> +        }
>> +
>> +        try {
>> +            return Proxy.getProxyClass(classloader, cinterfaces);
>> +        } catch (IllegalArgumentException e) {
>> +            throw new ClassNotFoundException(null, e);
>> +        }
>> +
>> +    }
>> +}
>>
>> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
>> ------------------------------------------------------------------------------
>>      svn:eol-style = native
>>
>> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
>> ------------------------------------------------------------------------------
>>      svn:keywords = Date Rev Author URL Id
>>
>> Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
>> ------------------------------------------------------------------------------
>>      svn:mime-type = text/plain
>>
>> Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java?rev=1853691&r1=1853690&r2=1853691&view=diff
>> ==============================================================================
>> --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java (original)
>> +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java Sat Feb 16 09:42:03 2019
>> @@ -139,16 +139,12 @@ public final class UtilObject {
>>         /** Deserialize a byte array back to an object */
>>       public static Object getObjectException(byte[] bytes) throws ClassNotFoundException, IOException {
>> -        ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
>> -        try {
>> -            ObjectInputStream ois = new ObjectInputStream(bis, Thread.currentThread().getContextClassLoader());
>> -            try {
>> -                return ois.readObject();
>> -            } finally {
>> -                ois.close();
>> -            }
>> -        } finally {
>> -            bis.close();
>> +        try (ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
>> +                SafeObjectInputStream wois = new SafeObjectInputStream(bis,
>> + Thread.currentThread().getContextClassLoader(),
>> +                        java.util.Arrays.asList("byte\\[\\]", "Number", "Long", "foo", "SerializationInjector"));
>> +                ) { // byte[] used in EntityCrypto::doDecrypt, all others used in UtilObjectTests::testGetObject
>> +            return wois.readObject();
>>           }
>>       }
>>
>>
>>
>