RFR: 8264859: Implement Context-Specific Deserialization Filters [v13]

Daniel Fuchs dfuchs at openjdk.java.net
Mon May 31 16:03:38 UTC 2021


On Mon, 31 May 2021 15:44:06 GMT, Roger Riggs <rriggs at openjdk.org> wrote:

>> JEP 415: Context-specific Deserialization Filters extends the deserialization filtering mechanisms with more flexible and customizable protections against malicious deserialization.  See JEP 415: https://openjdk.java.net/jeps/415.
>> The `java.io.ObjectInputFilter` and `java.io.ObjectInputStream` classes are extended with additional
>> configuration mechanisms and filter utilities.
>> 
>> javadoc for `ObjectInputFilter`, `ObjectInputFilter.Config`, and `ObjectInputStream`:
>>     http://cr.openjdk.java.net/~rriggs/filter-factory/java.base/java/io/ObjectInputFilter.html
>
> Roger Riggs has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 15 additional commits since the last revision:
> 
>  - Added protections to aid in auditing of filter and filter factory to
>    ensure effective filtering and compatibility with previous releases.
>    Fixed a bug in allow/rejectFilter()
>    Cleanup of error stages and messages related to setting filter factory
>    with Config.setSerialFilterFactory.
>    Updated tests to match.
>  - Merge branch 'master' into 8264859-context-filter-factory
>  - Merge branch 'master' into 8264859-context-filter-factory
>  - Added test for rejectUndecidedClass array cases
>    Added test for preventing disabling filter factory
>    Test cleanup
>  - Editorial updates to review comments.
>    Simplify the builtin filter factory implementation.
>    Add atomic update to setting the filter factory.
>    Clarify the description of OIS.setObjectInputFilter.
>    Cleanup of the example code.
>  - Editorial updates
>    Updated java.security properties to include jdk.serialFilterFactory
>    Added test cases to SerialFilterFactoryTest for java.security properties and
>    enabling of the SecurityManager with existing policy permission files
>    Corrected a test that OIS.setObjectInputFilter could not be called twice.
>    Removed a Factory test that was not intended to be committed
>  - Moved utility filter methods to be static on ObjectInputFilter
>    Rearranged the class javadoc of OIF to describe the parts of
>    deserialization filtering, filters, composite filters, and the filter factory.
>    And other review comment updates...
>  - Refactored tests for utility functions to SerialFilterFunctionTest.java
>    Deleted confused Config.allowMaxLimits() method
>    Updated example to match move of methods to Config
>    Added test of restriction on setting the filter factory after an OIS has been created
>    Additional Editorial updates
>  - Move merge and rejectUndecidedClass methods to OIF.Config
>    As default methods on OIF, their implementations were not concrete and not trustable
>  - Review suggestions included;
>    Added @implSpec for default methods in OIF;
>    Added restriction that the filter factory cannot be set after an ObjectInputStream has been created and applied the current filter factory
>  - ... and 5 more: https://git.openjdk.java.net/jdk/compare/c4cf067d...6d07298f

Marked as reviewed by dfuchs (Reviewer).

src/java.base/share/classes/java/io/ObjectInputFilter.java line 601:

> 599:          * @see Config#setSerialFilterFactory(BinaryOperator)
> 600:          */
> 601:         private static final AtomicBoolean filterFactoryNoReplace = new AtomicBoolean(false);

Nit: This could simply be `new AtomicBoolean()`; IIRC it saves a volatile write.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3996
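
The filter factory behaviour discussed in this thread, as an added example that is not part of the original message or the PR's code. It assumes the API as shipped in JDK 17 (utility methods static on `ObjectInputFilter`); `ContextFilterDemo`, `Order`, `Other`, `CONTEXT` and `FACTORY` are hypothetical names and the serialized objects are constructed samples.

```java
import java.io.*;
import java.io.ObjectInputFilter.Status;
import java.util.function.BinaryOperator;

public class ContextFilterDemo {
    static class Order implements Serializable { int id = 7; }   // constructed sample types
    static class Other implements Serializable { int x = 1; }

    // Hypothetical per-thread slot holding the filter for the current context.
    static final ThreadLocal<ObjectInputFilter> CONTEXT = new ThreadLocal<>();

    // Invoked from the ObjectInputStream constructor (curr == null, next == JVM-wide
    // filter or null) and from setObjectInputFilter (next == requested stream filter).
    static final BinaryOperator<ObjectInputFilter> FACTORY = (curr, next) -> {
        if (curr == null) {
            ObjectInputFilter ctx = CONTEXT.get();
            if (ctx == null) return next;
            return ObjectInputFilter.rejectUndecidedClass(ObjectInputFilter.merge(ctx, next));
        }
        if (next == null) return curr;
        return ObjectInputFilter.rejectUndecidedClass(ObjectInputFilter.merge(next, curr));
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        return bytes.toByteArray();
    }

    static String tryRead(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + in.readObject().getClass().getSimpleName();
        } catch (InvalidClassException e) {   // thrown when the filter returns REJECTED
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Must run before any ObjectInputStream exists, and only once per JVM.
        ObjectInputFilter.Config.setSerialFilterFactory(FACTORY);
        // Allow-list for this context; every other class stays UNDECIDED and is then rejected.
        CONTEXT.set(ObjectInputFilter.allowFilter(c -> c == Order.class, Status.UNDECIDED));
        System.out.println(tryRead(serialize(new Order())));
        System.out.println(tryRead(serialize(new Other())));
        try {   // a later attempt to replace the factory is refused
            ObjectInputFilter.Config.setSerialFilterFactory((c, n) -> n);
        } catch (IllegalStateException e) {
            System.out.println("factory locked: " + e.getMessage());
        }
    }
}
```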

