1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * See LICENSE.txt included in this distribution for the specific
9  * language governing permissions and limitations under the License.
10  *
11  * When distributing Covered Code, include this CDDL HEADER in each
12  * file and include the License file at LICENSE.txt.
13  * If applicable, add the following below this CDDL HEADER, with the
14  * fields enclosed by brackets "[]" replaced with your own identifying
15  * information: Portions Copyright [yyyy] [name of copyright owner]
16  *
17  * CDDL HEADER END
18  */
19 
20 /*
21  * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
22  */
23 package opengrok.auth.plugin.configuration;
24 
25 import opengrok.auth.plugin.ldap.LdapServer;
26 import opengrok.auth.plugin.util.WebHook;
27 import opengrok.auth.plugin.util.WebHooks;
28 
29 import java.beans.XMLDecoder;
30 import java.util.Collections;
31 import java.util.Set;
32 import java.util.stream.Collectors;
33 
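/**
 * Temporary hack to prevent {@link XMLDecoder} from deserializing anything other than an explicit allow-list of
 * classes. The decoder resolves every class named in the configuration XML through this loader, so restricting
 * resolution to the list tries to prevent calling of methods on {@link ProcessBuilder} or {@link Runtime}
 * (or similar) which could be used for code execution.
 * <p>
 * The check is deny-by-default and matches the fully qualified class name exactly; there are no package or
 * prefix rules, so a nested class of an allowed class is still rejected.
 */
public class PluginConfigurationClassLoader extends ClassLoader {

    /**
     * Fully qualified names of the classes that may appear in a configuration file. {@link XMLDecoder} is
     * listed because the root {@code <java>} element of encoded output names it; {@link Collections} is presumably
     * needed for the collection factory methods in the encoded form — verify against a generated configuration.
     */
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            Collections.class,
            Configuration.class,
            LdapServer.class,
            String.class,
            WebHook.class,
            WebHooks.class,
            XMLDecoder.class
    ).stream().map(Class::getName).collect(Collectors.toSet());

    /**
     * Resolves {@code name} through the loader of this class, but only if it is on the allow-list.
     *
     * @param name binary name of the requested class
     * @return the loaded class
     * @throws IllegalAccessError if {@code name} is not allowed; see {@link #checkAllowed(String)} for why this
     * is an {@link Error} rather than a {@link ClassNotFoundException}
     * @throws ClassNotFoundException if an allowed class cannot be found by the delegate loader
     */
    @Override
    public Class<?> loadClass(final String name) throws ClassNotFoundException {
        return loadClass(name, false);
    }

    /**
     * Applies the same allow-list to the protected overload, so that a caller using the {@code resolve} flag
     * takes the same path as {@link #loadClass(String)} and cannot bypass the check.
     *
     * @param name    binary name of the requested class
     * @param resolve ignored; linking is left to the delegate loader
     * @return the loaded class
     * @throws IllegalAccessError if {@code name} is not allowed
     * @throws ClassNotFoundException if an allowed class cannot be found by the delegate loader
     */
    @Override
    protected Class<?> loadClass(final String name, final boolean resolve) throws ClassNotFoundException {
        checkAllowed(name);
        return getClass().getClassLoader().loadClass(name);
    }

    /**
     * Rejects any class name that is not on the allow-list.
     * <p>
     * This deliberately throws an {@link Error} instead of {@link ClassNotFoundException}: the {@code java.beans}
     * class lookup used by {@link XMLDecoder} catches {@link ClassNotFoundException} (and
     * {@link SecurityException}) from the supplied loader and retries with the default class loader, which would
     * silently bypass this allow-list.
     *
     * @param name binary name of the requested class
     * @throws IllegalAccessError if {@code name} is not allowed
     */
    private static void checkAllowed(final String name) {
        if (!ALLOWED_CLASSES.contains(name)) {
            throw new IllegalAccessError(name + " is not allowed to be used in configuration");
        }
    }
}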