RFR 9: JEP 290: Filter Incoming Serialization Data
Peter Levart
peter.levart at gmail.com
Wed Jul 20 08:19:29 UTC 2016
Hi Roger,
On first reading, I have the following thoughts:
- The name "ObjectInputFilter" makes me think that it is a function that
"filters" the input stream (like a Predicate in
Stream::filter(Predicate)), but it is in fact a validator that
terminates deserialization on 1st rejection. So perhaps a different name
is in order - ObjectInputValidator ?
- I haven't found in the public javadocs, an explanation of what happens
when the filter returns ALLOWED, REJECTED or UNDECIDED. Docs just say
that the deserialization is terminated (on UNDECIDED too?) but not with
what exception (there is some explanation on OIS::filterCheck, but this
is a private method).
- The crux of behavioral docs is on the OIS::setObjectInputFilter
method. I would expect it to be on the ObjectInputFilter class, but I
understand that OIS subclasses might have a different behavior. How do
they behave indeed? For example IIOPInputStream does not use the filter,
right?
- I had some trouble to precisely understand the behavior from the docs
alone. The following in OIS::setObjectInputFilter:
1174 * @implSpec
1175 * The filter, when {@code non-null}, is invoked during
{@linkplain #readObject()}
1176 * for each object (regular or class) in the stream including
the following:
1177 * <ul>
1178 * <li>each object reference previously deserialized from
the stream,
1179 * <li>each regular class,
1180 * <li>each interface of a dynamic proxy and the dynamic
proxy class itself,
1181 * <li>each array is filtered using the array size and the
type of the array,
1182 * <li>each object replaced by its class' {@code
readResolve} method
1183 * is filtered using the replacement object's class and
if it is an array, the length,
1184 * <li>and each object replaced by {@linkplain
#resolveObject resolveObject}
1185 * is filtered using the replacement object's class and
if it is an array, the length.
1186 * </ul>
1187 *
1188 * When the {@link ObjectInputFilter#checkInput checkInput}
method is invoked
1189 * it is passed the current class, (null if no class),
...does not specify when the passed-in class might be "null". Reading
the implementation, I see it is null when a back reference to previously
deserialized object is read from stream, but javadocs are not clear
about that.
- I wonder if invoking the filter for each interface of a dynamic proxy
is necessary (other properties passed to the filter don't change during
iteration through the interfaces and each interface call-back is not an
indicator that an object is about to be read-in next). This is not
uniform with other objects where the filter is invoked only once. Why is
a dynamic proxy so special? If one wants to check the proxy interfaces
in the filter, she can obtain them manually:
if (Proxy.isProxyClass(clazz)) {
for (Class<?> intf : class.getInterfaces()) {
...
}
}
- The docs might be more clear about when precisely the filter is
invoked (i.e. after the type of the object and possible length of array
or the back reference has already been read from the stream, but the
object state has not been read yet). This is important to correctly
interpret the streamBytes parameter. The docs might also be more clear
about when the nRefs is incremented (it says: "for each call". Is it
before or after the call?).
- What is the purpose of the UNDECIDED return? I suspect it is meant to
be used in some filter implementation that delegates the validation to
some "parent" filter and respects its decision unless it is UNDECIDED in
which case it decides (or does not) on its own. Should such strategy be
mentioned in the docs to encourage inter-operable filter implementations?
- The call-back is invoked after the type of the object and possible
array length is read from stream but before the object's state is read.
Suppose that the object that is about to be read is either
Externalizable object or an object with a readObject() method(s) that
consume block data from the stream. This block data can be large. Should
there be a call-back to "announce" the block data too? (for example,
when the 'clazz' is null and the 'size' is 0, the call-back reports a
back-reference to a previously read object, but when the 'clazz' is null
and the 'size' > 0, it announces the 'size' bytes of block data. Does
this make sense?)
That's it for the start. If I notice something else, I'll post again.
Regards, Peter
On 07/19/2016 04:02 PM, Roger Riggs wrote:
> Please review the design, implementation, and tests of JEP 290: Filter
> Incoming Serialization Data[1]
>
> It allows incoming streams of object-serialization data to be filtered
> in order to improve both security and robustness.
> The JEP[1] has more detail on the background and scope.
>
> The core mechanism is a filter interface implemented by serialization
> clients and set on an |ObjectInputStream|. The filter is called during
> the deserialization process to validate the classes being
> deserialized, the sizes of arrays being created, and metrics
> describing stream length, stream depth, and number of references as
> the stream is being decoded.
>
> A process-wide filter can be configured that is applied to every
> ObjectInputStream.
> The API of ObjectInputStream can be used to set a custom filter to
> supersede or augment the process-wide filter.
>
> Webrev:
> http://cr.openjdk.java.net/~rriggs/webrev-serial-filter-jdk9-8155760/
>
> SpecDiff:
> http://cr.openjdk.java.net/~rriggs/filter-diffs/overview-summary.html
>
> Javadoc (subset)
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputStream.html
>
> http://cr.openjdk.java.net/~rriggs/filter-javadoc/java/io/ObjectInputFilter.html
>
>
> Comments appreciated, Roger
>
> [1] JEP 290: https://bugs.openjdk.java.net/browse/JDK-8154961
>
More information about the core-libs-dev
mailing list