RFR: 8264859: Implement Context-Specific Deserialization Filters [v3]

Daniel Fuchs dfuchs at openjdk.java.net
Thu May 20 19:52:32 UTC 2021 

On Thu, 20 May 2021 16:10:11 GMT, Roger Riggs <rriggs at openjdk.org> wrote:

>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization.  See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>> 
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>>     http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Simplify factory interface to BinaryOperator<ObjectInputFilter> and cleanup the example

src/java.base/share/classes/java/io/ObjectInputStream.java line 201:

> 199:  *     when a filter is set for a stream.
> 200:  *     The filter factory determines the filter to be used for each stream based
> 201:  *     on its inputs, thread context, other filters, or state that is available.

Maybe a link to the ObjectInputFilter API documentation where it is explained what the two filters passed to the factory are in each of these cases should be provided here.

Namely: 

- in the constructor, `factory.apply(null, Config.getSerialFilter())` is invoked.
- in `setObjectInputFilter(newfilter)`, `factory.apply(filter, newFilter)` is invoked - where `filter` is the filter that the stream is currently using.

Or maybe link to the constructor and setObjectInputFilter method where this is explained.

src/java.base/share/classes/java/io/ObjectInputStream.java line 204:

> 202:  * <li>If a JVM-wide filter factory is not set, a builtin deserialization filter factory
> 203:  *     provides the {@link Config#getSerialFilter static JVM-wide filter} when invoked from the
> 204:  *     {@link ObjectInputStream#ObjectInputStream(InputStream) ObjectInputStream constructors}

These two links should be `{@linkplain ...}`

src/java.base/share/classes/java/io/ObjectInputStream.java line 1255:

> 1253:      * Returns the serialization filter for this stream.
> 1254:      * The filter is the result of invoking the
> 1255:      * {@link Config#getSerialFilterFactory() JVM-wide filter factory}

`{@linkplain }`

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996

More information about the core-libs-dev mailing list