com.atlassian.secrets.store.algorithm.serialization.SafeObjectInputStream

All Implemented Interfaces:: Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable

public class SafeObjectInputStream extends ObjectInputStream

This class is used to deserialize objects from a stream of bytes. It is used to prevent deserialization of objects that are not in the allowlist to prevent deserialization attacks.

Since:

3.2.4

See Also:

Deserialization of untrusted data

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream
ObjectInputStream.GetField
Field Summary

Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING
Constructor Summary

Constructors

Constructor

Description

SafeObjectInputStream(InputStream inputStream, Set<String> allowList)
Method Summary

Modifier and Type

Method

Description

protected Class<?>

resolveClass(ObjectStreamClass cls)

Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes

Methods inherited from class java.io.InputStream
mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, skipNBytes, transferTo

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput
read, skip

Constructor Details
- SafeObjectInputStream
  
  public SafeObjectInputStream(InputStream inputStream, Set<String> allowList) throws IOException
  
  Throws:
  
  IOException
Method Details
- resolveClass
  
  protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException
  
  Overrides:
  
  resolveClass in class ObjectInputStream
  
  Throws:
  
  IOException
  
  ClassNotFoundException

Class SafeObjectInputStream

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

Constructor Summary

Method Summary

Methods inherited from class java.io.ObjectInputStream

Methods inherited from class java.io.InputStream

Methods inherited from class java.lang.Object

Methods inherited from interface java.io.ObjectInput

Constructor Details

SafeObjectInputStream

Method Details

resolveClass