org.owasp.dependencycheck.utils

Class ExpectedObjectInputStream

java.lang.Object

java.io.InputStream

java.io.ObjectInputStream

org.owasp.dependencycheck.utils.ExpectedObjectInputStream

All Implemented Interfaces:

java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable

public class ExpectedObjectInputStream
extends java.io.ObjectInputStream

An ObjectInputStream that will only deserialize expected classes.

Version:

$Id: $Id

Author:

Jeremy Long

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

java.io.ObjectInputStream.GetField

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors

Constructor and Description
ExpectedObjectInputStream(java.io.InputStream inputStream, java.lang.String... expected) Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes that can deserialized to a known set of expected classes.

Method Summary

Modifier and Type	Method and Description
protected java.lang.Class<?>	resolveClass(java.io.ObjectStreamClass desc) Only deserialize instances of expected classes by validating the class name prior to deserialization.

Methods inherited from class java.io.ObjectInputStream

available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes

Methods inherited from class java.io.InputStream

mark, markSupported, read, reset, skip

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput

read, skip

Constructor Detail

ExpectedObjectInputStream

public ExpectedObjectInputStream(java.io.InputStream inputStream,
                                 java.lang.String... expected)
                          throws java.io.IOException

Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes that can deserialized to a known set of expected classes.

Parameters:

inputStream - the input stream that contains the object to deserialize

expected - the fully qualified class names of the classes that can be deserialized

Throws:

java.io.IOException - thrown if there is an error reading from the stream

Method Detail

resolveClass

protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass desc)
                                   throws java.io.IOException,
                                          java.lang.ClassNotFoundException

Only deserialize instances of expected classes by validating the class name prior to deserialization.

Overrides:

resolveClass in class java.io.ObjectInputStream

Throws:

java.io.IOException

java.lang.ClassNotFoundException