1 /** 2 * This file Copyright (c) 2017-2018 Magnolia International 3 * Ltd. (http://www.magnolia-cms.com). All rights reserved. 4 * 5 * 6 * This file is dual-licensed under both the Magnolia 7 * Network Agreement and the GNU General Public License. 8 * You may elect to use one or the other of these licenses. 9 * 10 * This file is distributed in the hope that it will be 11 * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the 12 * implied warranty of MERCHANTABILITY or FITNESS FOR A 13 * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT. 14 * Redistribution, except as permitted by whichever of the GPL 15 * or MNA you select, is prohibited. 16 * 17 * 1. For the GPL license (GPL), you can redistribute and/or 18 * modify this file under the terms of the GNU General 19 * Public License, Version 3, as published by the Free Software 20 * Foundation. You should have received a copy of the GNU 21 * General Public License, Version 3 along with this program; 22 * if not, write to the Free Software Foundation, Inc., 51 23 * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 24 * 25 * 2. For the Magnolia Network Agreement (MNA), this file 26 * and the accompanying materials are made available under the 27 * terms of the MNA which accompanies this distribution, and 28 * is available at http://www.magnolia-cms.com/mna.html 29 * 30 * Any modifications to this file must keep this entire header 31 * intact. 32 * 33 */ 34 package info.magnolia.cache.browser.rest.endpoint; 35 36 import java.util.Collection; 37 38 import org.apache.commons.lang3.StringUtils; 39 import org.slf4j.Logger; 40 import org.slf4j.LoggerFactory; 41 42 import com.google.common.collect.ImmutableSet; 43 import com.google.common.collect.Lists; 44 45 /** 46 * Responsible to load classes which are whitelisted in the given {@link #whitelistedClasses whitelisted classes}. 47 * <p> 48 * Main usage is to handle potential security vulnerabilities in 49 * {@link info.magnolia.cache.browser.rest.endpoint.CacheEndpoint cache REST endpoint} by being passed to 50 * {@link com.cedarsoftware.util.io.JsonReader#jsonToJava(String, java.util.Map)} in the {@code Map}. That way we prevent 51 * deserialisation of malicious classes and thus execution of malicious code. 52 * </p> 53 */ 54 public final class WhitelistAwareClassLoader extends ClassLoader { 55 56 private static final Logger log = LoggerFactory.getLogger(WhitelistAwareClassLoader.class); 57 private static final Collection<String> DEFAULT_WHITELISTED_PACKAGES = Lists.newArrayList("java.", "javax."); 58 59 private final CharSequence[] whitelistedClasses; 60 61 public WhitelistAwareClassLoader(ClassLoader parent, Collection<String> whitelistedClasses) { 62 super(parent); 63 this.whitelistedClasses = ImmutableSet.builder() 64 .addAll(DEFAULT_WHITELISTED_PACKAGES) 65 .addAll(whitelistedClasses) 66 .build() 67 .toArray(new CharSequence[whitelistedClasses.size() + DEFAULT_WHITELISTED_PACKAGES.size()]); 68 } 69 70 @Override 71 public Class<?> loadClass(final String className) throws ClassNotFoundException { 72 if (!StringUtils.startsWithAny(className, whitelistedClasses)) { 73 log.info("Serialisation is blocked due to the given class: '{}' is not whitelisted and currently whitelisted classes are: '{}'", className, whitelistedClasses); 74 throw new RuntimeException("Serialisation is blocked due to given class: '" + className + "' is not being whitelisted."); 75 } 76 77 return getParent().loadClass(className); 78 } 79 }