BATCHEE-74 blacklisting org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan in TCCLObjectInputStream
diff --git a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
index b88bc6f..e93e7bc 100755
--- a/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
+++ b/jbatch/src/main/java/org/apache/batchee/container/util/TCCLObjectInputStream.java
@@ -23,6 +23,10 @@
import java.lang.reflect.Proxy;
public class TCCLObjectInputStream extends ObjectInputStream {
+ private static final BlacklistClassResolver BLACKLIST_CLASSES = new BlacklistClassResolver(System.getProperty(
+ "batchee.BlacklistClassResolver",
+ "org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan").split(" *, *"));
+
private final ClassLoader tccl;
public TCCLObjectInputStream(final InputStream in) throws IOException {
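Review bot: Setting `batchee.BlacklistClassResolver` replaces the built-in default list instead of extending it, so an operator who sets the property to add one package silently drops the Groovy, commons-collections and Xalan entries; either append the property value to the defaults or state this clearly in a javadoc on the field. A deny-list matched by class-name prefix only stops the three gadget families named here, so the same javadoc should say this is a hardening measure and not a guarantee, and that untrusted streams still must not be fed to this class; where the runtime allows it, `java.io.ObjectInputFilter` (Java 9+) is the standard mechanism for this kind of policy. Minor: `org.apache.xalan` lacks the trailing dot the other two entries carry, so it also matches any package that merely begins with that string. The constructor whose signature closes the hunk continues outside it.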
@@ -32,7 +36,7 @@
@Override
protected Class<?> resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException {
- return Class.forName(desc.getName(), false, tccl);
+ return Class.forName(BLACKLIST_CLASSES.check(desc.getName()), false, tccl);
}
@Override
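Review bot: Only `resolveClass` is routed through `BLACKLIST_CLASSES.check`; the override introduced by the `@Override` that closes this hunk, whose tail (`throw new ClassNotFoundException(null, e)`) appears in the next hunk, looks like `resolveProxyClass` (the file imports `java.lang.reflect.Proxy`) and does not appear to apply the same check to the proxy's interface names. If that is the case, every name the stream can hand to the class loader should go through the same policy, e.g. `Class.forName(BLACKLIST_CLASSES.check(interfaces[i]), false, tccl)` for each interface, so the filter cannot be sidestepped by a proxy descriptor. The body of that method is outside this hunk, so this is inferred from the visible fragments.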
@@ -48,4 +52,23 @@
throw new ClassNotFoundException(null, e);
}
}
+
+ private static final class BlacklistClassResolver {
+ private final String[] blacklist;
+
+ protected BlacklistClassResolver(final String[] blacklist) {
+ this.blacklist = blacklist;
+ }
+
+ public final String check(final String name) {
+ if (blacklist != null) {
+ for (final String white : blacklist) {
+ if (name.startsWith(white)) {
+ throw new SecurityException(name + " is not whitelisted as deserialisable, prevented before loading.");
+ }
+ }
+ }
+ return name;
+ }
+ }
}
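Review bot: The message thrown on the `throw new SecurityException(...)` line says the class "is not whitelisted as deserialisable" and the loop variable is named `white`, but the structure is a deny-list (`startsWith` against `blacklist`), so the message will mislead whoever reads it in a log into looking for an allow-list to extend. Suggest `for (final String prefix : blacklist)` and `throw new SecurityException(name + " is blacklisted for deserialisation, prevented before loading.");`. The `blacklist != null` guard is dead for the only construction site (`String.split` never returns null), which is harmless; more relevant is that `resolveClass` declares `ClassNotFoundException`/`IOException`, so callers catching those will not see the `SecurityException` — throwing `java.io.InvalidClassException` instead would keep the rejection inside the stream's declared contract, if that is the intent. A short javadoc on the class noting that matching is a plain, case-sensitive prefix comparison with no wildcard support would also help maintainers configuring the property.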