Addded some controls on classes that can be deserialized; Bumped up s…

…ome plugin dependencies, and some dependencies; Fixed some javadoc issues; Fixed some Maven issues
apache · Dec 16, 2024 · 8343963 · 8343963
1 parent e1eaa67
commit 8343963
Show file tree

Hide file tree

Showing 22 changed files with 1,548 additions and 100 deletions.
diff --git a/mina-core/pom.xml b/mina-core/pom.xml
@@ -52,6 +52,7 @@
             <Export-Package>
               org.apache.mina.core;version=${project.version};-noimport:=true,
               org.apache.mina.core.buffer;version=${project.version};-noimport:=true,
+              org.apache.mina.core.buffer.matcher;version=${project.version};-noimport:=true,
               org.apache.mina.core.file;version=${project.version};-noimport:=true,
               org.apache.mina.core.filterchain;version=${project.version};-noimport:=true,
               org.apache.mina.core.future;version=${project.version};-noimport:=true,

diff --git a/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java b/mina-core/src/main/java/org/apache/mina/core/buffer/AbstractIoBuffer.java
@@ -43,8 +43,16 @@
 import java.nio.charset.CharsetEncoder;
 import java.nio.charset.CoderResult;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.EnumSet;
+import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
+
+import org.apache.mina.core.buffer.matcher.ClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.FullClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.RegexpClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.WildcardClassNameMatcher;
 
 /**
  * A base implementation of {@link IoBuffer}.  This implementation
@@ -80,6 +88,8 @@ public abstract class AbstractIoBuffer extends IoBuffer {
     /** A mask for an int */
     private static final long INT_MASK = 0xFFFFFFFFL;
 
+    private final List<ClassNameMatcher> acceptMatchers = new ArrayList<>();
+
     /**
      * We don't have any access to Buffer.markValue(), so we need to track it down,
      * which will cause small extra overhead.
@@ -2158,40 +2168,60 @@ public Object getObject(final ClassLoader classLoader) throws ClassNotFoundExcep
         limit(position() + length);
 
         try (ObjectInputStream in = new ObjectInputStream(asInputStream()) {
-                @Override
-                protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
-                    int type = read();
-                    if (type < 0) {
-                        throw new EOFException();
-                    }
-                    switch (type) {
+            @Override
+            protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
+                int type = read();
+
+                if (type < 0) {
+                    throw new EOFException();
+                }
+
+                switch (type) {
                     case 0: // NON-Serializable class or Primitive types
                         return super.readClassDescriptor();
+
                     case 1: // Serializable class
                         String className = readUTF();
                         Class<?> clazz = Class.forName(className, true, classLoader);
+
                         return ObjectStreamClass.lookup(clazz);
+
                     default:
                         throw new StreamCorruptedException("Unexpected class descriptor type: " + type);
-                    }
                 }
+            }
 
-                @Override
-                protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
-                    Class<?> clazz = desc.forClass();
+            @Override
+            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+                Class<?> clazz = desc.forClass();
 
-                    if (clazz == null) {
-                        String name = desc.getName();
-                        try {
-                            return Class.forName(name, false, classLoader);
-                        } catch (ClassNotFoundException ex) {
-                            return super.resolveClass(desc);
+                if (clazz == null) {
+                    String name = desc.getName();
+
+                    try {
+                        return Class.forName(name, false, classLoader);
+                    } catch (ClassNotFoundException ex) {
+                        return super.resolveClass(desc);
+                    }
+                } else {
+                    boolean found = false;
+                    String className = desc.getName();
+
+                    for (ClassNameMatcher matcher : acceptMatchers) {
+                        if (matcher.matches(className)) {
+                            found = true;
+                            break;
                         }
-                    } else {
+                    }
+
+                    if (found) {
                         return clazz;
                     }
+
+                    throw new ClassNotFoundException();
                 }
-            }) {
+            }
+        }) {
             return in.readObject();
         } catch (IOException e) {
             throw new BufferDataException(e);
@@ -2744,4 +2774,61 @@ private static void checkFieldSize(int fieldSize) {
             throw new IllegalArgumentException("fieldSize cannot be negative: " + fieldSize);
         }
     }
-}
+
+    /**
+     * Accept the specified classes for deserialization, unless they
+     * are otherwise rejected.
+     *
+     * @param classes Classes to accept
+     * @return this object
+     */
+    public IoBuffer accept(Class<?>... classes) {
+        for (Class<?> clazz:classes) {
+            acceptMatchers.add(new FullClassNameMatcher(clazz.getName()));
+        }
+
+        return this;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(ClassNameMatcher m) {
+        acceptMatchers.add(m);
+
+        return this;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(Pattern pattern) {
+        acceptMatchers.add(new RegexpClassNameMatcher(pattern));
+
+        return this;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(String... patterns) {
+        for (String pattern:patterns) {
+            acceptMatchers.add(new WildcardClassNameMatcher(pattern));
+        }
+
+        return this;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public void setMatchers(List<ClassNameMatcher> matchers) {
+        acceptMatchers.clear();
+
+        for (ClassNameMatcher matcher:matchers) {
+            acceptMatchers.add(matcher);
+        }
+    }}
diff --git a/mina-core/src/main/java/org/apache/mina/core/buffer/IoBuffer.java b/mina-core/src/main/java/org/apache/mina/core/buffer/IoBuffer.java
@@ -35,7 +35,11 @@
 import java.nio.charset.CharsetDecoder;
 import java.nio.charset.CharsetEncoder;
 import java.util.EnumSet;
+import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
+
+import org.apache.mina.core.buffer.matcher.ClassNameMatcher;
 
 import org.apache.mina.core.session.IoSession;
 
@@ -2111,4 +2115,39 @@ public abstract IoBuffer putPrefixedString(CharSequence val, int prefixLength, i
      * @return the modified IoBuffer
      */
     public abstract <E extends Enum<E>> IoBuffer putEnumSetLong(int index, Set<E> set);
+
+    /**
+     * Accept class names where the supplied ClassNameMatcher matches for
+     * deserialization, unless they are otherwise rejected.
+     *
+     * @param m the matcher to use
+     * @return this object
+     */
+    public abstract IoBuffer accept(ClassNameMatcher m);
+
+    /**
+     * Accept class names that match the supplied pattern for
+     * deserialization, unless they are otherwise rejected.
+     *
+     * @param pattern standard Java regexp
+     * @return this object
+     */
+    public abstract IoBuffer accept(Pattern pattern);
+
+    /**
+     * Accept the wildcard specified classes for deserialization,
+     * unless they are otherwise rejected.
+     *
+     * @param patterns Wildcard file name patterns as defined by
+     *                  {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
+     * @return this object
+     */
+    public abstract IoBuffer accept(String... patterns);
+
+    /**
+     * Set the list of class matchers for in incoming buffer
+     * 
+     * @param matchers The list of matchers
+     */
+    public abstract void setMatchers(List<ClassNameMatcher> matchers);
 }
diff --git a/mina-core/src/main/java/org/apache/mina/core/buffer/IoBufferWrapper.java b/mina-core/src/main/java/org/apache/mina/core/buffer/IoBufferWrapper.java
@@ -33,7 +33,13 @@
 import java.nio.charset.CharacterCodingException;
 import java.nio.charset.CharsetDecoder;
 import java.nio.charset.CharsetEncoder;
+import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
+
+import org.apache.mina.core.buffer.matcher.ClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.RegexpClassNameMatcher;
+import org.apache.mina.core.buffer.matcher.WildcardClassNameMatcher;
 
 /**
  * A {@link IoBuffer} that wraps a buffer and proxies any operations to it.
@@ -1542,4 +1548,35 @@ public IoBuffer putUnsigned(int index, long value) {
         buf.putUnsigned(index, value);
         return this;
     }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(ClassNameMatcher m) {
+        return buf.accept(m);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(Pattern pattern) {
+        return buf.accept(pattern);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public IoBuffer accept(String... patterns) {
+        return buf.accept(patterns);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public void setMatchers(List<ClassNameMatcher> matchers) {
+        buf.setMatchers(matchers);
+    }
 }
diff --git a/mina-core/src/main/java/org/apache/mina/core/buffer/matcher/ClassNameMatcher.java b/mina-core/src/main/java/org/apache/mina/core/buffer/matcher/ClassNameMatcher.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.mina.core.buffer.matcher;
+
+/**
+ * An object that matches a Class name to a condition.
+ */
+public interface ClassNameMatcher {
+    /**
+     * Returns {@code true} if the supplied class name matches this object's condition.
+     *
+     * @param className fully qualified class name
+     * @return {@code true} if the class name matches this object's condition
+     */
+    boolean matches(String className);
+}