RFR: 8264859: Implement Context-Specific Deserialization Filters [v4]

Brent Christian bchristi at openjdk.java.net
Sat May 22 00:43:13 UTC 2021 

On Fri, 21 May 2021 17:47:53 GMT, Roger Riggs <rriggs at openjdk.org> wrote:

>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization.  See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>> 
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>>     http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Editorial updates to review comments
>   Add filter tracing support

Changes requested by bchristi (Reviewer).

src/java.base/share/classes/java/io/ObjectInputFilter.java line 84:

> 82:  *
> 83:  * <p> When a filter is set on an {@link ObjectInputStream}, the {@link #checkInput checkInput(FilterInfo)}
> 84:  * method is called to validate classes, the length of each array,

This sounds a bit like checkInput() is called at the time that the filter is set.  I'd recommend something like, "If a filter is set on an ObjectInputStream, the checkInput() method is called during deserialization to validate..."

src/java.base/share/classes/java/io/ObjectInputFilter.java line 123:

> 121:  * the depth, number of references, and stream size and return a status
> 122:  * that reflects only one or only some of the values.
> 123:  * This allows a filter to specific about the choice it is reporting and

...to _**be**_ specific ?

src/java.base/share/classes/java/io/ObjectInputFilter.java line 386:

> 384:      * {@link ObjectInputStream#setObjectInputFilter(ObjectInputFilter) ObjectInputStream.setObjectInputFilter}.
> 385:      * If {@code ObjectInputStream.setObjectInputFilter} is called, the filter factory is called a second time
> 386:      * with the initial filter returned from the first call and the requested new filter.

Maybe shorten to, "with the stream's initial filter, and the requested new filter."

src/java.base/share/classes/java/io/ObjectInputFilter.java line 404:

> 402:      * The JVM-wide filter is configured during the initialization of the
> 403:      * {@code ObjectInputFilter.Config} class.
> 404:      * For example, by calling {@link #getSerialFilter() Config.getSerialFilter}.

Can the "For example..." sentence be removed?

src/java.base/share/classes/java/io/ObjectInputFilter.java line 423:

> 421:      * The class must be public, must have a public zero-argument constructor, implement the
> 422:      * {@link BinaryOperator {@literal BinaryOperator<ObjectInputFilter>}} interface, provide its implementation and
> 423:      * be accessible via the {@linkplain ClassLoader#getSystemClassLoader() the application class loader}.

two "the"s

src/java.base/share/classes/java/io/ObjectInputFilter.java line 1258:

> 1256:             /**
> 1257:              * Apply the filter and return the status if not UNDECIDED and checking a class.
> 1258:              * Make an exception for Primitive classes that are implicitly allowed by the pattern based filte.

filte -> filter

src/java.base/share/classes/java/io/ObjectInputStream.java line 200:

> 198:  * and every object read from the stream can be checked.
> 199:  * The {@linkplain #ObjectInputStream() ObjectInputStream constructors} invoke the filter factory
> 200:  * to select the initial filter and it is updated by {@link #setObjectInputFilter}.

In ObjectInputFilter, the `"The deserialization filter for a stream is determined in one of the following ways"` section has a good description of the various pieces and how they work together to determine a stream's filter.  I would consider leaning on that to provide the details, and have a shorter, high-level description here.  For instance:

"Each stream has an optional deserialization filter to check the classes and resource limits during deserialization.  The filter can be set for all streams JVM-wide, or customized on a per-stream basis.  See `<link to "The deserialization for a stream is determined...." section of ObjectInputFilter>` for details on how the filter for a stream is determined.
ObjectInputFilter describes how to use filters and..."

src/java.base/share/classes/java/io/ObjectInputStream.java line 370:

> 368:      *
> 369:      * <p>The serialization filter is initialized to the filter returned
> 370:      * by invoking the {@link Config#getSerialFilterFactory()} with {@code null} for the current filter

`linkplain` to "JVM-wide filter factory" ?

src/java.base/share/classes/java/io/ObjectInputStream.java line 371:

> 369:      * <p>The serialization filter is initialized to the filter returned
> 370:      * by invoking the {@link Config#getSerialFilterFactory()} with {@code null} for the current filter
> 371:      * and {@linkplain  Config#getSerialFilter() static JVM-wide filter} for the requested filter.

"and _**the**_ static JVM-wide filter for the..."

src/java.base/share/classes/java/io/ObjectInputStream.java line 408:

> 406:      * <p>The serialization filter is initialized to the filter returned
> 407:      * by invoking the {@link Config#getSerialFilterFactory()} with {@code null} for the current filter
> 408:      * and {@linkplain  Config#getSerialFilter() static JVM-wide filter} for the requested filter.

Same comments as the other constructor.

src/java.base/share/classes/java/io/ObjectInputStream.java line 1256:

> 1254:     /**
> 1255:      * Set the deserialization filter for the stream.
> 1256:      * The filter must be set and only set once before reading any objects from the stream;

"The filter can only be set once, and must be set before..." ?

src/java.base/share/classes/java/io/ObjectInputStream.java line 1260:

> 1258:      *
> 1259:      * <p>The serialization filter is set to the filter returned
> 1260:      * by invoking the {@link Config#getSerialFilterFactory()}

linkplain to "JVM-wide filter factory" ?

src/java.base/share/classes/java/io/ObjectInputStream.java line 1263:

> 1261:      * with the current filter and the {@code filter} parameter.
> 1262:      * If there is a non-null filter for the stream, one was set in the constructor, and the filter factory
> 1263:      * must return a non-null filter, it is not permitted to remove filtering once established.

New sentence for, "it is not permitted..." ?

src/java.base/share/classes/java/io/ObjectInputStream.java line 1327:

> 1325:      *       if the filter factory returns {@code null} when the
> 1326:      *       {@linkplain #getObjectInputFilter() current filter} is non-null, or
> 1327:      *       if the filter has already been.

if the filter has already been **_set_**

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996

More information about the core-libs-dev mailing list