-
Notifications
You must be signed in to change notification settings - Fork 778
/
Copy pathPluginConfigurationClassLoader.java
58 lines (51 loc) · 2 KB
/
PluginConfigurationClassLoader.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* See LICENSE.txt included in this distribution for the specific
* language governing permissions and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at LICENSE.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
*/
package opengrok.auth.plugin.configuration;
import opengrok.auth.plugin.ldap.LdapServer;
import opengrok.auth.plugin.util.WebHook;
import opengrok.auth.plugin.util.WebHooks;
import java.beans.XMLDecoder;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
/**
* Temporary hack to prevent {@link XMLDecoder} to deserialize other than allowed classes. This tries to prevent
* calling of methods on {@link ProcessBuilder} or {@link Runtime} (or similar) which could be used for code execution.
*/
public class PluginConfigurationClassLoader extends ClassLoader {
private static final Set<String> allowedClasses = Set.of(
Collections.class,
Configuration.class,
LdapServer.class,
String.class,
WebHook.class,
WebHooks.class,
XMLDecoder.class
).stream().map(Class::getName).collect(Collectors.toSet());
@Override
public Class<?> loadClass(final String name) throws ClassNotFoundException {
if (!allowedClasses.contains(name)) {
throw new IllegalAccessError(name + " is not allowed to be used in configuration");
}
return getClass().getClassLoader().loadClass(name);
}
}