Expand Up @@ -8,18 +8,19 @@

/**
* This type exposes helper methods that will help defend against Java deserialization attacks
* leveraging {@link ObjectInputStream} APIs.
* leveraging {@link ObjectInputStream} APIs by wrapping it in an Apache Commons IO {@link ValidatingObjectInputStream}
* that is configued to reject types that are known to be leveraged in deserialization attacks
*
* <p>For more information on deserialization checkout the <a
* href="https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html">OWASP
* Cheat Sheet</a>.
*/
public final class ObjectInputStreams {
public final class ValidatingObjectInputStreams {

/**
* Private no-op constructor to prevent accidental initialization of this class
*/
private ObjectInputStreams() {}
private ValidatingObjectInputStreams() {}

/**
* This method returns a wrapped {@link ObjectInputStream} that protects against deserialization
Expand All @@ -29,7 +30,7 @@ private ObjectInputStreams() {}
* @return an {@link ObjectInputStream} which is safe against all publicly known gadgets
* @throws IOException if the underlying creation of {@link ObjectInputStream} fails
*/
public static ObjectInputStream createValidatingObjectInputStream(final InputStream ois)
public static ObjectInputStream from(final InputStream ois)
throws IOException {
final ValidatingObjectInputStream is = new ValidatingObjectInputStream(ois);
for (String gadget : UnwantedTypes.dangerousClassNameTokens()) {
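Review bot: The new class Javadoc line `* that is configued to reject types that are known to be leveraged in deserialization attacks` misspells "configured" and, read together with the unchanged `@return an {@link ObjectInputStream} which is safe against all publicly known gadgets`, promises more than a token denylist built from `UnwantedTypes.dangerousClassNameTokens()` can deliver. I would correct the line to `* that is configured to reject class names matching a denylist of types known to be leveraged in deserialization attacks.` and soften the `@return` to `an {@link ObjectInputStream} that rejects classes whose names match the {@link UnwantedTypes} denylist; this is not an allowlist, so callers that know the expected types should still restrict to those`. Separately, the renamed method `from(final InputStream ois)` keeps a parameter named `ois` for a plain `InputStream`, which reads as if an `ObjectInputStream` were expected; `in` would be clearer. The body of `from` continues outside the hunk, so I could not check how the rejection loop completes.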
Expand Up @@ -15,7 +15,7 @@
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.fail;

final class ObjectInputStreamsTest {
final class ValidatingObjectInputStreamsTest {

private static DiskFileItem gadget; // this is an evil gadget type
private static byte[] serializedGadget; // this the serialized bytes of that gadget
Expand All @@ -41,7 +41,7 @@ static void setup() throws IOException {
@Test
void validating_ois_works() throws Exception {
ObjectInputStream ois =
ObjectInputStreams.createValidatingObjectInputStream(new ByteArrayInputStream(serializedGadget));
ValidatingObjectInputStreams.from(new ByteArrayInputStream(serializedGadget));
assertThrows(
InvalidClassException.class,
() -> {