ValidateObjectInputStream (hutool 5.8.32 API)

Skip navigation links

Prev Class
Next Class

All Classes

Summary:
Nested |
Field |
Constr |
Method

Detail:
Field |
Constr |
Method

java.lang.Object
- java.io.InputStream
- - java.io.ObjectInputStream
  - - cn.hutool.core.io.ValidateObjectInputStream

All Implemented Interfaces:

Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable
```
public class ValidateObjectInputStream
extends ObjectInputStream
```
带有类验证的对象流，用于避免反序列化漏洞
详细见：https://xz.aliyun.com/t/41/

Since:

5.2.6

Author:

looly

Nested Class Summary
- Nested classes/interfaces inherited from class java.io.ObjectInputStream
  ObjectInputStream.GetField

Field Summary
- Fields inherited from interface java.io.ObjectStreamConstants
  baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary

Constructors
Constructor and Description

ValidateObjectInputStream(InputStream inputStream, Class<?>... acceptClasses)
构造

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`accept(Class<?>... acceptClasses)` 接受反序列化的类，用于反序列化验证
`void`	`refuse(Class<?>... refuseClasses)` 禁止反序列化的类，用于反序列化验证
`protected Class<?>`	`resolveClass(ObjectStreamClass desc)` 只允许反序列化SerialObject class

Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, skipBytes

Methods inherited from class java.io.InputStream
mark, markSupported, read, reset, skip

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.io.ObjectInput
read, skip

- Constructor Detail
  - ValidateObjectInputStream
```
public ValidateObjectInputStream(InputStream inputStream,
                                 Class<?>... acceptClasses)
                          throws IOException
```
    构造
    
    Parameters:
    
    inputStream - 流
    
    acceptClasses - 白名单的类
    
    Throws:
    
    IOException - IO异常
- Method Detail
  - refuse
```
public void refuse(Class<?>... refuseClasses)
```
    禁止反序列化的类，用于反序列化验证
    
    Parameters:
    
    refuseClasses - 禁止反序列化的类
    
    Since:
    
    5.3.5
  - accept
```
public void accept(Class<?>... acceptClasses)
```
    接受反序列化的类，用于反序列化验证
    
    Parameters:
    
    acceptClasses - 接受反序列化的类
  - resolveClass
```
protected Class<?> resolveClass(ObjectStreamClass desc)
                         throws IOException,
                                ClassNotFoundException
```
    只允许反序列化SerialObject class
    
    Overrides:
    
    resolveClass in class ObjectInputStream
    
    Throws:
    
    IOException
    
    ClassNotFoundException

Skip navigation links

Prev Class
Next Class

All Classes

Summary:
Nested |
Field |
Constr |
Method

Detail:
Field |
Constr |
Method

Copyright © 2024. All rights reserved.