
Commit c2aa751

committed
wrap ObjectOutputStream with strict version.
1 parent 0635aa3 commit c2aa751


1 file changed

+18
-2
lines changed


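--- a/core/src/main/java/com/microsoft/applicationinsights/internal/channel/common/TransmissionFileSystemOutput.java
+++ b/core/src/main/java/com/microsoft/applicationinsights/internal/channel/common/TransmissionFileSystemOutput.java
@@ -23,14 +23,15 @@
 
 import java.io.File;
 import java.io.InputStream;
+import java.io.InvalidClassException;
 import java.io.ObjectInput;
 import java.io.FileInputStream;
 import java.io.BufferedInputStream;
 import java.io.ObjectInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.FileOutputStream;
-import java.io.OutputStream;
+import java.io.ObjectStreamClass;
 import java.io.BufferedOutputStream;
 import java.io.ObjectOutput;
 import java.io.ObjectOutputStream;
@@ -244,7 +245,7 @@ private Optional<Transmission> loadTransmission(File file) {
 if (file == null) {
 return Optional.absent();
 }
-try (ObjectInput input = new ObjectInputStream(new BufferedInputStream(new FileInputStream(file)))) {
+try (ObjectInput input = new SafeObjectInputStream(new BufferedInputStream(new FileInputStream(file)))) {
 transmission = (Transmission)input.readObject();
 } catch (FileNotFoundException e) {
 InternalLogger.INSTANCE.error("Failed to load transmission, file not found, exception: %s", e.toString());
@@ -257,6 +258,21 @@ private Optional<Transmission> loadTransmission(File file) {
 return Optional.fromNullable(transmission);
 }
 
+private final static class SafeObjectInputStream extends ObjectInputStream {
+
+public SafeObjectInputStream(InputStream in) throws IOException {
+super(in);
+}
+
+protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+if (!desc.getName().equals(Transmission.class.getName()) && !desc.getName().equals(byte[].class.getName())) {
+throw new InvalidClassException("Cannot deserialize "+desc.getName());
+} else {
+return super.resolveClass(desc);
+}
+}
+}
+
 private boolean renameToPermanentName(File tempTransmissionFile) {
 File transmissionFile = new File(folder, FilenameUtils.getBaseName(tempTransmissionFile.getName()) + TRANSMISSION_FILE_EXTENSION);
 try {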
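Review bot: The allowlist in SafeObjectInputStream.resolveClass is not consulted for proxy-class descriptors, which ObjectInputStream resolves through resolveProxyClass instead, so the stream would still resolve a dynamic proxy before the check fires; rejecting those unconditionally closes the gap, `@Override protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { throw new InvalidClassException("Cannot deserialize proxy class"); }`. resolveClass itself should also carry `@Override`, so that a signature mismatch fails at compile time instead of silently leaving the default resolution in place. Because InvalidClassException is an IOException, whichever catch in loadTransmission handles IOException (the method continues outside the hunk) will now also receive rejected payloads, and a distinct log message would let a blocked class be told apart from a corrupt file. The commit title says ObjectOutputStream, but the wrapper added here is an ObjectInputStream.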
