RFR: 8264859: Implement Context-Specific Deserialization Filters [v9]

Brent Christian bchristi at openjdk.java.net
Tue May 25 23:43:24 UTC 2021


On Tue, 25 May 2021 21:45:33 GMT, Roger Riggs <rriggs at openjdk.org> wrote:

>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization.  See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>> 
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>>     http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Editorial updates
>   Updated java.security properties to include jdk.serialFilterFactory
>   Added test cases to SerialFilterFactoryTest for java.security properties and
>   enabling of the SecurityManager with existing policy permission files
>   Corrected a test that OIS.setObjectInputFilter could not be called twice.
>   Removed a Factory test that was not intended to be committed

src/java.base/share/classes/java/io/ObjectInputFilter.java line 513:

> 511:      * the static JVM-wide filter, or to create a filter from a pattern string.
> 512:      * The static filter factory and the static filter apply to the whole Java runtime,
> 513:      * or "JVM-wide", there is only one of each, for a complete description of

Suggest new sentence after "_...there is only one of each.  For a complete..._"

src/java.base/share/classes/java/io/ObjectInputFilter.java line 551:

> 549:     final class Config {
> 550:         /**
> 551:          * Lock object for filter and filter factory.

The lock is not used for the filter factory, is it?

src/java.base/share/classes/java/io/ObjectInputFilter.java line 768:

> 766:          * This package private method is *only* called by {@link ObjectInputStream#ObjectInputStream()}
> 767:          * and  {@link ObjectInputStream#ObjectInputStream(InputStream)}.
> 768:          * {@link ObjectInputFilter.Config#serialFilterFactory} does the enforcement.

Is this still true about the enforcement?

src/java.base/share/classes/java/io/ObjectInputFilter.java line 1251:

> 1249:              * Returns REJECTED if either of the filters returns REJECTED,
> 1250:              * otherwise, ALLOWED if either of the filters returns ALLOWED.
> 1251:              * otherwise, returns {@code UNDECIDED}.

Capitalize "Otherwise"

src/java.base/share/classes/java/io/ObjectInputFilter.java line 1256:

> 1254:              * @return REJECTED if either of the filters returns REJECTED,
> 1255:              *          otherwise, ALLOWED if either of the filters returns ALLOWED.
> 1256:              *          otherwise, returns {@code UNDECIDED}.

Otherwise

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
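The merge rule quoted in the review above (REJECTED if either filter rejects, otherwise ALLOWED if either allows, otherwise UNDECIDED) and the JEP 415 filter-factory hook, as an added example that is not part of the pull request or the JDK sources. It assumes the `ObjectInputFilter` API as shipped in JDK 17 (`merge`, `allowFilter`, `rejectFilter`, `rejectUndecidedClass`, `Config.setSerialFilterFactory`); `infoFor` and the two class-based filters are constructed for the demonstration.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.FilterInfo;
import java.io.ObjectInputFilter.Status;
import java.util.ArrayList;

public class MergeFilterDemo {
    // Constructed FilterInfo stub (assumption): the filters below consult only serialClass().
    static FilterInfo infoFor(Class<?> clazz) {
        return new FilterInfo() {
            @Override public Class<?> serialClass() { return clazz; }
            @Override public long arrayLength() { return -1; }
            @Override public long depth() { return 1; }
            @Override public long references() { return 0; }
            @Override public long streamBytes() { return 0; }
        };
    }
    // JVM-wide filter: ALLOWED for java.lang types, UNDECIDED about everything else.
    static final ObjectInputFilter JVM_WIDE = ObjectInputFilter.allowFilter(
            c -> c.getPackageName().startsWith("java.lang"), Status.UNDECIDED);
    // Per-stream filter: REJECTED for java.util types, UNDECIDED about everything else.
    static final ObjectInputFilter PER_STREAM = ObjectInputFilter.rejectFilter(
            c -> c.getPackageName().startsWith("java.util"), Status.UNDECIDED);
    // Composition follows the rule in the javadoc under review: REJECTED if either filter
    // rejects, otherwise ALLOWED if either allows, otherwise UNDECIDED.
    static final ObjectInputFilter MERGED = ObjectInputFilter.merge(JVM_WIDE, PER_STREAM);

    static Status check(ObjectInputFilter filter, Class<?> clazz) {
        return filter.checkInput(infoFor(clazz));
    }

    public static void main(String[] args) {
        // String is allowed by JVM_WIDE, ArrayList is rejected by PER_STREAM, and a class
        // neither filter mentions is left UNDECIDED by the merge.
        for (Class<?> c : new Class<?>[] {String.class, ArrayList.class, MergeFilterDemo.class}) {
            System.out.println(c.getName() + " -> merged: " + check(MERGED, c));
        }
        // Hardened composite: an UNDECIDED result for a non-null, non-primitive class becomes
        // REJECTED, so classes nobody listed cannot slip through.
        ObjectInputFilter strict = ObjectInputFilter.rejectUndecidedClass(MERGED);
        System.out.println(MergeFilterDemo.class.getName() + " -> strict: "
                + check(strict, MergeFilterDemo.class));
        // Install the same composition as the JVM-wide filter factory (JEP 415). It is invoked
        // for each new ObjectInputStream with (null, JVM-wide filter) and for each
        // setObjectInputFilter call with (current, requested); it may be set only once.
        ObjectInputFilter.Config.setSerialFilterFactory((current, requested) ->
                current == null ? requested
                : requested == null ? current
                : ObjectInputFilter.rejectUndecidedClass(ObjectInputFilter.merge(current, requested)));
    }
}
```

Running it shows String allowed and ArrayList rejected by the merged filter, while MergeFilterDemo is undecided under the merge and rejected under the strict variant. The factory call throws IllegalStateException if a factory was already installed, for example via the jdk.serialFilterFactory property the PR adds to java.security.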

