ValidatingObjectInputStream

java.lang.Object
- java.io.InputStream
- - java.io.ObjectInputStream
  - - org.openjdk.jmc.common.io.ValidatingObjectInputStream

All Implemented Interfaces:

java.io.Closeable, java.io.DataInput, java.io.ObjectInput, java.io.ObjectStreamConstants, java.lang.AutoCloseable
```
public class ValidatingObjectInputStream
extends java.io.ObjectInputStream
```
ObjectInputStream that validates the classes and count of objects and bytes read from it.
Reading must be done using the safeRead methods which sets validation parameters before reading. Any attempt to use read methods will be blocked.
See OWASP.

Nested Class Summary

Nested Classes
Modifier and Type	Class and Description
`private static class`	`ValidatingObjectInputStream.LimitedInputStream` Input stream that limits the amount of data that is permitted to be read.

Nested classes/interfaces inherited from class java.io.ObjectInputStream
java.io.ObjectInputStream.GetField

Field Summary

Fields
Modifier and Type	Field and Description
`private ValidatingObjectInputStream.LimitedInputStream`	`in`
`private int`	`maxObjects`
`private int`	`readObjects`
`private java.util.Collection<java.lang.Class<?>>`	`safeClasses`

Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors
Modifier Constructor and Description

private ValidatingObjectInputStream(ValidatingObjectInputStream.LimitedInputStream in)

Constructors
Modifier	Constructor and Description
`private`	`ValidatingObjectInputStream(ValidatingObjectInputStream.LimitedInputStream in)`

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`static ValidatingObjectInputStream`	`build(java.io.InputStream in)` Create a new input stream for reading objects.
`protected java.lang.Class<?>`	`resolveClass(java.io.ObjectStreamClass desc)`
`protected java.lang.Object`	`resolveObject(java.lang.Object obj)`
`long`	`safeReadLong()` Update validation parameters and read the next long from the stream.
`<T> T`	`safeReadObject(java.lang.Class<T> type, java.util.Collection<java.lang.Class<?>> safeClasses, int maxObjects, long maxBytes)` Update validation parameters and read the next object from the stream.
`private void`	`updateValidation(java.util.Collection<java.lang.Class<?>> safeClasses, int maxObjects, long maxBytes)`
`private void`	`zeroValidation()`

Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveProxyClass, skipBytes

Methods inherited from class java.io.InputStream
mark, markSupported, read, reset, skip

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput
read, skip

- Field Detail
  - in
```
private ValidatingObjectInputStream.LimitedInputStream in
```
  - safeClasses
```
private java.util.Collection<java.lang.Class<?>> safeClasses
```
  - maxObjects
```
private int maxObjects
```
  - readObjects
```
private int readObjects
```
- Constructor Detail
  - ValidatingObjectInputStream
```
private ValidatingObjectInputStream(ValidatingObjectInputStream.LimitedInputStream in)
                             throws java.io.IOException
```
    Throws:
    
    java.io.IOException
- Method Detail
  - build
```
public static ValidatingObjectInputStream build(java.io.InputStream in)
                                         throws java.io.IOException
```
    Create a new input stream for reading objects. This stream will be initialized so that no objects are permitted to be read. To read objects you should use safeReadObject(Class, Collection, int, long) which updates the validation parameters before reading.
    
    Parameters:
    
    in - stream to read from
    
    Returns:
    
    a new input stream for reading objects
    
    Throws:
    
    java.io.IOException - on I/O error
  - safeReadObject
```
public <T> T safeReadObject(java.lang.Class<T> type,
                            java.util.Collection<java.lang.Class<?>> safeClasses,
                            int maxObjects,
                            long maxBytes)
                     throws java.lang.ClassNotFoundException,
                            java.io.IOException,
                            java.lang.ClassCastException
```
    Update validation parameters and read the next object from the stream.
    
    Type Parameters:
    
    T - type of returned object
    
    Parameters:
    
    type - Type to return. This type will be whitelisted. If the stored object may be of a subclass to this type then the permitted subclasses must be included in safeClasses.
    
    safeClasses - Collection of whitelisted classes. This must include all classes used within the stored object.
    
    maxObjects - Maximum number of objects to read. This must be large enough to permit valid use, especially for collection objects.
    
    maxBytes - Maximum number of bytes to read from the stream. This must be large enough to permit valid use, especially for collection objects.
    
    Returns:
    
    the object read from the stream
    
    Throws:
    
    java.io.IOException - on I/O error
    
    java.lang.ClassNotFoundException - if the class of the stored object can't be found
    
    java.lang.ClassCastException - if the object is not of the specified type
  - safeReadLong
```
public long safeReadLong()
                  throws java.io.IOException
```
    Update validation parameters and read the next long from the stream.
    
    Returns:
    
    the long value read from the stream
    
    Throws:
    
    java.io.IOException - on I/O error
  - updateValidation
```
private void updateValidation(java.util.Collection<java.lang.Class<?>> safeClasses,
                              int maxObjects,
                              long maxBytes)
```
  - zeroValidation
```
private void zeroValidation()
```
  - resolveObject
```
protected java.lang.Object resolveObject(java.lang.Object obj)
                                  throws java.io.IOException
```
    Overrides:
    
    resolveObject in class java.io.ObjectInputStream
    
    Throws:
    
    java.io.IOException
  - resolveClass
```
protected java.lang.Class<?> resolveClass(java.io.ObjectStreamClass desc)
                                   throws java.io.IOException,
                                          java.lang.ClassNotFoundException
```
    Overrides:
    
    resolveClass in class java.io.ObjectInputStream
    
    Throws:
    
    java.io.IOException
    
    java.lang.ClassNotFoundException

Class ValidatingObjectInputStream

Nested Class Summary

Nested classes/interfaces inherited from class java.io.ObjectInputStream

Field Summary

Fields inherited from interface java.io.ObjectStreamConstants

Constructor Summary

Method Summary

Methods inherited from class java.io.ObjectInputStream

Methods inherited from class java.io.InputStream

Methods inherited from class java.lang.Object

Methods inherited from interface java.io.ObjectInput

Field Detail

in

safeClasses

maxObjects

readObjects

Constructor Detail

ValidatingObjectInputStream

Method Detail

build

safeReadObject

safeReadLong

updateValidation

zeroValidation

resolveObject

resolveClass