RFR: 8264859: Implement Context-Specific Deserialization Filters [v12]

Roger Riggs rriggs at openjdk.java.net
Fri May 28 20:07:37 UTC 2021 

On Fri, 28 May 2021 15:58:17 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> Roger Riggs has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 13 additional commits since the last revision:
>> 
>>  - Merge branch 'master' into 8264859-context-filter-factory
>>  - Added test for rejectUndecidedClass array cases
>>    Added test for preventing disabling filter factory
>>    Test cleanup
>>  - Editorial updates to review comments.
>>    Simplify the builtin filter factory implementation.
>>    Add atomic update to setting the filter factory.
>>    Clarify the description of OIS.setObjectInputFilter.
>>    Cleanup of the example code.
>>  - Editorial updates
>>    Updated java.security properties to include jdk.serialFilterFactory
>>    Added test cases to SerialFilterFactoryTest for java.security properties and
>>    enabling of the SecurityManager with existing policy permission files
>>    Corrected a test that OIS.setObjectInputFilter could not be called twice.
>>    Removed a Factory test that was not intended to be committed
>>  - Moved utility filter methods to be static on ObjectInputFilter
>>    Rearranged the class javadoc of OIF to describe the parts of
>>    deserialization filtering, filters, composite filters, and the filter factory.
>>    And other review comment updates...
>>  - Refactored tests for utility functions to SerialFilterFunctionTest.java
>>    Deleted confused Config.allowMaxLimits() method
>>    Updated example to match move of methods to Config
>>    Added test of restriction on setting the filterfactory after a OIS has been created
>>    Additional Editorial updates
>>  - Move merge and rejectUndecidedClass methods to OIF.Config
>>    As default methods on OIF, their implementations were not concrete and not trustable
>>  - Review suggestions included;
>>    Added @implSpec for default methods in OIF;
>>    Added restriction that the filter factory cannot be set after an ObjectInputStream has been created and applied the current filter factory
>>  - Editorial javadoc updated based on review comments.
>>    Clarified behavior of rejectUndecidedClass method.
>>    Example test added to check status returned from file.
>>  - Editorial updates to review comments
>>    Add filter tracing support
>>  - ... and 3 more: https://git.openjdk.java.net/jdk/compare/62744b1b...0930f0f8
>
> src/java.base/share/classes/java/io/ObjectInputFilter.java line 638:
> 
>> 636:             if (filterString != null) {
>> 637:                 configLog.log(INFO,
>> 638:                         "Creating deserialization filter from {0}", filterString);
> 
> Just double checking that you really want an `INFO` message here. With the default logging configuration, `INFO` messages will show up on the console.

That is unchanged in the PR, though DEBUG might be more appropriate.

> src/java.base/share/classes/java/io/ObjectInputFilter.java line 719:
> 
>> 717:          * @throws SecurityException if there is security manager and the
>> 718:          *       {@code SerializablePermission("serialFilter")} is not granted
>> 719:          * @throws IllegalStateException if the filter has already been set {@code non-null}
> 
> `* @throws IllegalStateException if the filter has already been set {@code non-null}`
> 
> Is there a typo/word missing ?

non-null is unnecessary.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996

More information about the core-libs-dev mailing list