Add serial filtering when deserializing classes

Author: ahornace

opengrok-indexer/src/main/java/org/opengrok/indexer/analysis/Definitions.java

@@ -18,14 +18,17 @@
  */
 
 /*
- * Copyright (c) 2008, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2021, Oracle and/or its affiliates. All rights reserved.
  * Portions Copyright (c) 2018, Chris Fraire <[email protected]>.
  */
 package org.opengrok.indexer.analysis;
 
+import org.opengrok.indexer.util.WhitelistObjectInputFilter;
+
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
@@ -40,6 +43,19 @@ public class Definitions implements Serializable {
 
     private static final long serialVersionUID = 1191703801007779489L;
 
+    private static final ObjectInputFilter serialFilter = new WhitelistObjectInputFilter(
+            Definitions.class,
+            HashMap.class,
+            Map.Entry[].class,
+            Integer.class,
+            Number.class,
+            LineTagMap.class,
+            HashSet.class,
+            Tag.class,
+            ArrayList.class,
+            Object[].class
+    );
+
     // Per line sym -> tags mapping
     public static class LineTagMap implements Serializable {
 
@@ -284,9 +300,10 @@ public void addTag(int line, String symbol, String type, String text,
      * @throws IOException if an error happens when writing to the array
      */
     public byte[] serialize() throws IOException {
-        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-        new ObjectOutputStream(bytes).writeObject(this);
-        return bytes.toByteArray();
+        try (ByteArrayOutputStream bytes = new ByteArrayOutputStream(); var oos = new ObjectOutputStream(bytes)) {
+            oos.writeObject(this);
+            return bytes.toByteArray();
+        }
     }
 
     /**
@@ -300,10 +317,10 @@ public byte[] serialize() throws IOException {
      * @throws ClassCastException if the array contains an object of another
      * type than {@code Definitions}
      */
-    public static Definitions deserialize(byte[] bytes)
-            throws IOException, ClassNotFoundException {
-        ObjectInputStream in
-                = new ObjectInputStream(new ByteArrayInputStream(bytes));
-        return (Definitions) in.readObject();
+    public static Definitions deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
+        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
+            in.setObjectInputFilter(serialFilter);
+            return (Definitions) in.readObject();
+        }
     }
 }

opengrok-indexer/src/main/java/org/opengrok/indexer/analysis/Scopes.java

@@ -22,9 +22,12 @@
  */
 package org.opengrok.indexer.analysis;
 
+import org.opengrok.indexer.util.WhitelistObjectInputFilter;
+
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
@@ -38,6 +41,12 @@ public class Scopes implements Serializable {
 
     private static final long serialVersionUID = 1191703801007779489L;
 
+    private static final ObjectInputFilter serialFilter = new WhitelistObjectInputFilter(
+            Scopes.class,
+            TreeSet.class,
+            Scope.class
+    );
+
     /**
      * Note: this class has a natural ordering that is inconsistent with equals.
      */
@@ -164,10 +173,10 @@ public byte[] serialize() throws IOException {
      * @throws ClassCastException if the array contains an object of another
      * type than {@code Definitions}
      */
-    public static Scopes deserialize(byte[] bytes)
-            throws IOException, ClassNotFoundException {
-        ObjectInputStream in
-                = new ObjectInputStream(new ByteArrayInputStream(bytes));
-        return (Scopes) in.readObject();
+    public static Scopes deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
+        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
+            in.setObjectInputFilter(serialFilter);
+            return (Scopes) in.readObject();
+        }
     }
 }

opengrok-indexer/src/main/java/org/opengrok/indexer/index/IndexAnalysisSettings.java

@@ -22,9 +22,12 @@
  */
 package org.opengrok.indexer.index;
 
+import org.opengrok.indexer.util.WhitelistObjectInputFilter;
+
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
@@ -42,6 +45,8 @@ public final class IndexAnalysisSettings implements Serializable {
 
     private static final long serialVersionUID = 1172403004716059609L;
 
+    private static final ObjectInputFilter serialFilter = new WhitelistObjectInputFilter(IndexAnalysisSettings.class);
+
     private String projectName;
 
     /**
@@ -136,9 +141,10 @@ public void setAnalyzersVersions(Map<String, Long> values) {
      * OutputStream.
      */
     public byte[] serialize() throws IOException {
-        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-        new ObjectOutputStream(bytes).writeObject(this);
-        return bytes.toByteArray();
+        try (ByteArrayOutputStream bytes = new ByteArrayOutputStream(); var oos = new ObjectOutputStream(bytes)) {
+            oos.writeObject(this);
+            return bytes.toByteArray();
+        }
     }
 
     /**
@@ -152,11 +158,11 @@ public byte[] serialize() throws IOException {
      * @throws ClassCastException if the array contains an object of another
      * type than {@code IndexAnalysisSettings}
      */
-    public static IndexAnalysisSettings deserialize(byte[] bytes)
-            throws IOException, ClassNotFoundException {
-        ObjectInputStream in = new ObjectInputStream(
-            new ByteArrayInputStream(bytes));
-        return (IndexAnalysisSettings) in.readObject();
+    public static IndexAnalysisSettings deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
+        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
+            in.setObjectInputFilter(serialFilter);
+            return (IndexAnalysisSettings) in.readObject();
+        }
     }
 
     private void readObject(ObjectInputStream in) throws ClassNotFoundException,

opengrok-indexer/src/main/java/org/opengrok/indexer/index/IndexAnalysisSettings3.java

@@ -22,9 +22,12 @@
  */
 package org.opengrok.indexer.index;
 
+import org.opengrok.indexer.util.WhitelistObjectInputFilter;
+
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
@@ -42,6 +45,8 @@ public final class IndexAnalysisSettings3 implements Serializable {
 
     private static final long serialVersionUID = -4700122690707062276L;
 
+    private static final ObjectInputFilter serialFilter = new WhitelistObjectInputFilter(IndexAnalysisSettings3.class);
+
     private String projectName;
 
     /**
@@ -162,9 +167,10 @@ public void setIndexedSymlinks(Map<String, IndexedSymlink> values) {
      * OutputStream.
      */
     public byte[] serialize() throws IOException {
-        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
-        new ObjectOutputStream(bytes).writeObject(this);
-        return bytes.toByteArray();
+        try (ByteArrayOutputStream bytes = new ByteArrayOutputStream(); var oos = new ObjectOutputStream(bytes)) {
+            oos.writeObject(this);
+            return bytes.toByteArray();
+        }
     }
 
     /**
@@ -178,11 +184,11 @@ public byte[] serialize() throws IOException {
      * @throws ClassCastException if the array contains an object of another
      * type than {@code IndexAnalysisSettings}
      */
-    public static IndexAnalysisSettings3 deserialize(byte[] bytes)
-            throws IOException, ClassNotFoundException {
-        ObjectInputStream in = new ObjectInputStream(
-            new ByteArrayInputStream(bytes));
-        return (IndexAnalysisSettings3) in.readObject();
+    public static IndexAnalysisSettings3 deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
+        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
+            in.setObjectInputFilter(serialFilter);
+            return (IndexAnalysisSettings3) in.readObject();
+        }
     }
 
     @SuppressWarnings("Duplicates")

opengrok-indexer/src/main/java/org/opengrok/indexer/util/WhitelistObjectInputFilter.java

@@ -0,0 +1,45 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * See LICENSE.txt included in this distribution for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at LICENSE.txt.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ */
+package org.opengrok.indexer.util;
+
+import org.jetbrains.annotations.NotNull;
+
+import java.io.ObjectInputFilter;
+import java.util.Set;
+
+public class WhitelistObjectInputFilter implements ObjectInputFilter {
+
+    private final Set<Class<?>> whitelist;
+
+    public WhitelistObjectInputFilter(@NotNull final Class<?>... whitelist) {
+        this.whitelist = Set.of(whitelist);
+    }
+
+    @Override
+    public Status checkInput(final FilterInfo filterInfo) {
+        if (filterInfo.serialClass() == null || whitelist.contains(filterInfo.serialClass())) {
+            return Status.ALLOWED;
+        }
+        return Status.REJECTED;
+    }
+}

opengrok-indexer/src/test/java/org/opengrok/indexer/analysis/ScopesTest.java

@@ -25,6 +25,8 @@
 import org.junit.jupiter.api.Test;
 import org.opengrok.indexer.analysis.Scopes.Scope;
 
+import java.io.IOException;
+
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
@@ -63,4 +65,14 @@ public void testGetScope() {
         assertEquals(instance.getScope(101), globalScope);
         assertEquals(instance.getScope(500), globalScope);
     }
+
+    @Test
+    void testSerialize() throws IOException, ClassNotFoundException {
+        Scopes scopes = new Scopes();
+        scopes.addScope(new Scope(1, 100, "name", "namespace", "signature"));
+        byte[] bytes = scopes.serialize();
+        Scopes deserialized = Scopes.deserialize(bytes);
+        assertEquals(1, deserialized.size());
+    }
+
 }

opengrok-indexer/src/test/java/org/opengrok/indexer/index/IndexAnalysisSettingsUpgraderTest.java

@@ -23,6 +23,7 @@
 package org.opengrok.indexer.index;
 
 import java.io.IOException;
+import java.io.InvalidClassException;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -32,7 +33,7 @@
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
@@ -123,13 +124,8 @@ public void shouldThrowIfVersionIsMisrepresented() throws IOException, ClassNotF
         byte[] bin = obj.serialize();
 
         IndexAnalysisSettingsUpgrader upgrader = new IndexAnalysisSettingsUpgrader();
-        IndexAnalysisSettings3 res = null;
-        try {
-            res = upgrader.upgrade(bin, 3); // wrong version
-        } catch (ClassCastException e) {
-            // expected
-        }
-        assertNull(res, "should not have produced an instance");
+        assertThrows(InvalidClassException.class, () -> upgrader.upgrade(bin, 3),
+                "should not have produced an instance");
     }
 
     @Test