Feature - allowedClasses setting added to SerializationCodec https://github.com/redisson/redisson/security/code-scanning/4

Nikita Koksharov · Nikita Koksharov · commit fe6a25718016 · 2023-06-01T10:08:05.000+03:00
diff --git a/redisson/src/main/java/org/redisson/codec/CustomObjectInputStream.java b/redisson/src/main/java/org/redisson/codec/CustomObjectInputStream.java
@@ -15,13 +15,11 @@
  */
 package org.redisson.codec;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.ObjectInputStream;
-import java.io.ObjectStreamClass;
+import java.io.*;
 import java.lang.reflect.Proxy;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 
 /**
  * 
@@ -31,7 +29,14 @@
 public class CustomObjectInputStream extends ObjectInputStream {
 
     private final ClassLoader classLoader;
-    
+    private Set<String> allowedClasses;
+
+    public CustomObjectInputStream(ClassLoader classLoader, InputStream in,Set<String> allowedClasses) throws IOException {
+        super(in);
+        this.classLoader = classLoader;
+        this.allowedClasses = allowedClasses;
+    }
+
     public CustomObjectInputStream(ClassLoader classLoader, InputStream in) throws IOException {
         super(in);
         this.classLoader = classLoader;
@@ -41,6 +46,9 @@ public CustomObjectInputStream(ClassLoader classLoader, InputStream in) throws I
     protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
         try {
             String name = desc.getName();
+            if (allowedClasses != null && !allowedClasses.contains(name)) {
+                throw new InvalidClassException("Class " + name + " isn't allowed");
+            }
             return Class.forName(name, false, classLoader);
         } catch (ClassNotFoundException e) {
             return super.resolveClass(desc);
@@ -56,7 +64,7 @@ protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, Cl
             loadedClasses.add(clazz);
         }
         
-        return Proxy.getProxyClass(classLoader, loadedClasses.toArray(new Class[loadedClasses.size()]));
+        return Proxy.getProxyClass(classLoader, loadedClasses.toArray(new Class[0]));
     }
     
 }
diff --git a/redisson/src/main/java/org/redisson/codec/SerializationCodec.java b/redisson/src/main/java/org/redisson/codec/SerializationCodec.java
@@ -15,19 +15,19 @@
  */
 package org.redisson.codec;
 
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
-
+import io.netty.buffer.ByteBuf;
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.buffer.ByteBufInputStream;
+import io.netty.buffer.ByteBufOutputStream;
 import org.redisson.client.codec.BaseCodec;
 import org.redisson.client.handler.State;
 import org.redisson.client.protocol.Decoder;
 import org.redisson.client.protocol.Encoder;
 
-import io.netty.buffer.ByteBuf;
-import io.netty.buffer.ByteBufAllocator;
-import io.netty.buffer.ByteBufInputStream;
-import io.netty.buffer.ByteBufOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.util.Set;
 
 /**
  * JDK's serialization codec.
@@ -51,7 +51,7 @@ public Object decode(ByteBuf buf, State state) throws IOException {
                     ObjectInputStream inputStream;
                     if (classLoader != null) {
                         Thread.currentThread().setContextClassLoader(classLoader);
-                        inputStream = new CustomObjectInputStream(classLoader, in);
+                        inputStream = new CustomObjectInputStream(classLoader, in, allowedClasses);
                     } else {
                         inputStream = new ObjectInputStream(in);
                     }
@@ -84,7 +84,8 @@ public ByteBuf encode(Object in) throws IOException {
             }
         }
     };
-    
+
+    private Set<String> allowedClasses;
     private final ClassLoader classLoader;
 
     public SerializationCodec() {
@@ -97,6 +98,12 @@ public SerializationCodec(ClassLoader classLoader) {
 
     public SerializationCodec(ClassLoader classLoader, SerializationCodec codec) {
         this.classLoader = classLoader;
+        this.allowedClasses = codec.allowedClasses;
+    }
+
+    public SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses) {
+        this.classLoader = classLoader;
+        this.allowedClasses = allowedClasses;
     }
     
     @Override
