refactoring
parent
8ea5a5d1c8
commit
c169193bc6
@ -1,75 +0,0 @@
|
||||
/**
|
||||
* Copyright 2018 Nikita Koksharov
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.redisson.codec;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import com.fasterxml.jackson.databind.BeanDescription;
|
||||
import com.fasterxml.jackson.databind.DeserializationConfig;
|
||||
import com.fasterxml.jackson.databind.deser.ValueInstantiator;
|
||||
import com.fasterxml.jackson.databind.deser.ValueInstantiators.Base;
|
||||
import com.fasterxml.jackson.databind.module.SimpleModule;
|
||||
|
||||
/**
|
||||
* Fix for https://github.com/FasterXML/jackson-databind/issues/1599
|
||||
*
|
||||
* @author Nikita Koksharov
|
||||
*
|
||||
* TODO remove after update to latest version of Jackson
|
||||
*
|
||||
*/
|
||||
public class DefenceModule extends SimpleModule {
|
||||
|
||||
private static final long serialVersionUID = -429891510707420220L;
|
||||
|
||||
public static class DefenceValueInstantiator extends Base {
|
||||
|
||||
protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
|
||||
static {
|
||||
Set<String> s = new HashSet<String>();
|
||||
// Courtesy of [https://github.com/kantega/notsoserial]:
|
||||
// (and wrt [databind#1599]
|
||||
s.add("org.apache.commons.collections.functors.InvokerTransformer");
|
||||
s.add("org.apache.commons.collections.functors.InstantiateTransformer");
|
||||
s.add("org.apache.commons.collections4.functors.InvokerTransformer");
|
||||
s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
|
||||
s.add("org.codehaus.groovy.runtime.ConvertedClosure");
|
||||
s.add("org.codehaus.groovy.runtime.MethodClosure");
|
||||
s.add("org.springframework.beans.factory.ObjectFactory");
|
||||
s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
|
||||
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ValueInstantiator findValueInstantiator(DeserializationConfig config, BeanDescription beanDesc,
|
||||
ValueInstantiator defaultInstantiator) {
|
||||
if (DEFAULT_NO_DESER_CLASS_NAMES.contains(beanDesc.getClassInfo().getRawType().getName())) {
|
||||
throw new IllegalArgumentException("Illegal type " + beanDesc.getClassInfo().getRawType().getName() + " to deserialize: prevented for security reasons");
|
||||
}
|
||||
|
||||
return super.findValueInstantiator(config, beanDesc, defaultInstantiator);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setupModule(SetupContext context) {
|
||||
context.addValueInstantiators(new DefenceValueInstantiator());
|
||||
}
|
||||
|
||||
}
|