RFR: 8264859: Implement Context-Specific Deserialization Filters [v9]
Peter Levart
plevart at openjdk.java.net
Wed May 26 06:40:20 UTC 2021
On Tue, 25 May 2021 21:45:33 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization. See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>>
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>> http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request incrementally with one additional commit since the last revision:
>
> Editorial updates
> Updated java.security properties to include jdk.serialFilterFactory
> Added test cases to SerialFilterFactoryTest for java.security properties and
> enabling of the SecurityManager with existing policy permission files
> Corrected a test that OIS.setObjectInputFilter could not be called twice.
> Removed a Factory test that was not intended to be committed
Changes requested by plevart (Reviewer).
src/java.base/share/classes/java/io/ObjectInputStream.java line 81:
> 79: * The {@linkplain #ObjectInputStream() ObjectInputStream constructors} invoke the filter factory
> 80: * to select the initial filter and it is updated by {@link #setObjectInputFilter}.
> 81: * <p>
Strange statement: "The OIS constructors invoke the filter factory to select the initial filter and it is updated by ..."
What about: "The OIS constructors invoke the filter factory to select the initial filter which may be updated / replaced by setObjectInputFilter"
src/java.base/share/classes/java/io/ObjectInputStream.java line 1265:
> 1263: * must return a non-null filter. It is not permitted to remove filtering once established.
> 1264: * See the {@linkplain ObjectInputFilter filter models} for examples of composition and delegation.
> 1265: *
Hi Roger,
When I first read this javadoc, I was a little confused and had to peek into the implementation. After that, I understood the above text, but without peeking and in-depth knowledge, I couldn't. The confusing part is the apparently conflicting claims made by 1st vs. 2nd paragraph. Both talk about setting the deserialization filter - the 1st just says "set the deserialization filter for the stream", and with the `setObjectInputFilter` method having a sole `filter` parameter, together these establish a simple picture - ah, just a setter method. But no, the 2nd paragraph talks about something entirely different which doesn't fit into the established picture. So would it be possible to rephrase that 1st paragraph somehow? Or what about starting with 2nd paragraph: "Set the deserialization filter for the stream to the filter returned by invoking ...." followed by 1st paragraph: "The filter can be set and only set once before reading any objects..."
-------------
PR: https://git.openjdk.java.net/jdk/pull/3996
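As an added illustration of the two factory invocations the javadoc under review describes (this is example code written for this page, not code from the PR or the JDK): the ObjectInputStream constructor calls the filter factory with (null, JVM-wide filter) to pick the initial filter, setObjectInputFilter(f) calls it again with (current, f) and keeps the result, a second setObjectInputFilter call throws IllegalStateException, and the composed filter rejects a class outside java.base. It assumes the JDK 17 / JEP 415 API (ObjectInputFilter.Config.setSerialFilterFactory, ObjectInputFilter.merge, module patterns in createFilter); FilterFactoryDemo, AppFilterFactory and Payload are made-up names, and the serialized bytes are constructed inside the example.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.function.BinaryOperator;

public class FilterFactoryDemo {

    /**
     * Hypothetical application filter factory (not the JDK's built-in one).
     * ObjectInputStream invokes it twice per stream:
     *   - from the constructor as apply(null, jvmWideFilter) to choose the initial filter,
     *   - from setObjectInputFilter(f) as apply(currentFilter, f).
     * Once a filter exists it must never return null: the stream refuses to replace an
     * established filter with null (filtering cannot be removed once established).
     */
    static final class AppFilterFactory implements BinaryOperator<ObjectInputFilter> {
        @Override
        public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter next) {
            if (current == null) return next;   // constructor: take the JVM-wide filter (may be null)
            if (next == null) return current;   // never drop an established filter
            // ObjectInputFilter.merge: REJECTED from either side wins, then ALLOWED, else UNDECIDED
            return ObjectInputFilter.merge(current, next);
        }
    }

    /** A class outside java.base; the context-specific filter below rejects it. */
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        String cmd = "touch /tmp/pwned";
    }

    /** Constructed sample input: serialize an object to bytes in-process. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The factory can be set only once and only before any ObjectInputStream is created
        // (or via the jdk.serialFilterFactory property); done here programmatically.
        ObjectInputFilter.Config.setSerialFilterFactory(new AppFilterFactory());

        byte[] benign  = serialize(new ArrayList<>(List.of(1, 2, 3)));  // only java.base classes
        byte[] hostile = serialize(new Payload());                      // application class

        // Context-specific filter for this code path: allow java.base, reject everything else.
        ObjectInputFilter onlyJavaBase = ObjectInputFilter.Config.createFilter("java.base/*;!*");

        for (byte[] bytes : new byte[][] { benign, hostile }) {
            // Constructor -> factory.apply(null, Config.getSerialFilter()) selects the initial filter.
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
                // First call -> factory.apply(initialFilter, onlyJavaBase); result becomes the stream filter.
                ois.setObjectInputFilter(onlyJavaBase);
                try {
                    ois.setObjectInputFilter(onlyJavaBase);   // may only be set once per stream
                } catch (IllegalStateException e) {
                    System.out.println("second set rejected: " + e.getMessage());
                }
                Object o = ois.readObject();
                System.out.println("read: " + o);
            } catch (InvalidClassException e) {
                // Thrown when the stream filter returns REJECTED for Payload
                System.out.println("filter rejected: " + e.getMessage());
            }
        }
    }
}
```

The factory is where the "composition and delegation" the javadoc refers to happens: the stream never sees the raw filter passed to setObjectInputFilter, only whatever the factory returns, which is why the javadoc has to describe both the one-time setter contract and the factory call in the same place.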