xref: /OpenGrok/opengrok-indexer/src/main/java/org/opengrok/indexer/history/HistoryClassLoader.java (revision 435ba9ce3d231cd64a97794067e85cd3313085d2)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * See LICENSE.txt included in this distribution for the specific
9  * language governing permissions and limitations under the License.
10  *
11  * When distributing Covered Code, include this CDDL HEADER in each
12  * file and include the License file at LICENSE.txt.
13  * If applicable, add the following below this CDDL HEADER, with the
14  * fields enclosed by brackets "[]" replaced with your own identifying
15  * information: Portions Copyright [yyyy] [name of copyright owner]
16  *
17  * CDDL HEADER END
18  */
19 
20 /*
21  * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
22  */
23 package org.opengrok.indexer.history;
24 
25 import java.beans.XMLDecoder;
26 import java.util.ArrayList;
27 import java.util.Collections;
28 import java.util.Date;
29 import java.util.HashMap;
30 import java.util.Set;
31 import java.util.TreeSet;
32 import java.util.stream.Collectors;
33 
34 /**
35  * Temporary hack to prevent {@link XMLDecoder} from deserializing anything other than the allowed classes. This tries to prevent
36  * methods being called on {@link ProcessBuilder} or {@link Runtime} (or similar), which could be used for code execution.
37  */
public class HistoryClassLoader extends ClassLoader {

    /**
     * Fully qualified names of the only classes this loader will resolve.
     * Membership is tested by exact name, so subclasses or same-package
     * neighbours of a listed class are not implicitly allowed.
     *
     * NOTE(review): the list gates which class names can be resolved through
     * this loader; nothing here restricts which methods the decoded XML may
     * invoke on the classes that are listed. Keep the list as small as the
     * History format needs and review every addition with that in mind.
     */
    private static final Set<String> ALLOWED_CLASS_NAMES = Set.of(
            ArrayList.class,
            Collections.class,
            Date.class,
            HashMap.class,
            History.class,
            HistoryEntry.class,
            RepositoryInfo.class,
            String.class,
            TreeSet.class,
            XMLDecoder.class
    ).stream().map(Class::getName).collect(Collectors.toSet());

    /**
     * Resolves {@code name} only if it is on the allow-list; everything else is rejected
     * before any class loading is attempted.
     *
     * @param name fully qualified class name requested by the decoder
     * @return the class as loaded by the class loader of this object's runtime class
     * @throws ClassNotFoundException if the delegate loader cannot find an allowed class
     * @throws IllegalAccessError if {@code name} is not on the allow-list
     */
    @Override
    public Class<?> loadClass(final String name) throws ClassNotFoundException {
        if (ALLOWED_CLASS_NAMES.contains(name)) {
            // Delegation goes to the loader of getClass(), not through super.loadClass().
            final ClassLoader delegate = getClass().getClassLoader();
            return delegate.loadClass(name);
        }

        // NOTE(review): an Error is raised here instead of ClassNotFoundException,
        // presumably so the caller cannot treat the rejection as an ordinary lookup
        // miss and retry through a different loader. Confirm against the JDK's
        // XMLDecoder class lookup before changing the thrown type.
        throw new IllegalAccessError(name + " is not allowed to be used in History object");
    }
}