Class StashObjectInputStream
java.lang.Object
java.io.InputStream
java.io.ObjectInputStream
com.atlassian.confluence.impl.backuprestore.restore.stash.StashObjectInputStream
All Implemented Interfaces:
Closeable, DataInput, ObjectInput, ObjectStreamConstants, AutoCloseable
This class extends the ObjectInputStream class and overrides the resolveClass method.
It is used to deserialize objects of specific allowed classes only.
Unauthorized deserialization attempts will throw an InvalidClassException.
Nested Class Summary
Nested classes/interfaces inherited from class java.io.ObjectInputStream
ObjectInputStream.GetField
Field Summary
Fields inherited from interface java.io.ObjectStreamConstants
baseWireHandle, PROTOCOL_VERSION_1, PROTOCOL_VERSION_2, SC_BLOCK_DATA, SC_ENUM, SC_EXTERNALIZABLE, SC_SERIALIZABLE, SC_WRITE_METHOD, SERIAL_FILTER_PERMISSION, STREAM_MAGIC, STREAM_VERSION, SUBCLASS_IMPLEMENTATION_PERMISSION, SUBSTITUTION_PERMISSION, TC_ARRAY, TC_BASE, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_CLASS, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_ENUM, TC_EXCEPTION, TC_LONGSTRING, TC_MAX, TC_NULL, TC_OBJECT, TC_PROXYCLASSDESC, TC_REFERENCE, TC_RESET, TC_STRING

Constructor Summary
Constructor: StashObjectInputStream(InputStream in, HibernateMetadataHelper hibernateMetadataHelper, Set<Class<?>> allowedClasses)
Description: Constructs a new StashObjectInputStream with the specified input stream, HibernateMetadataHelper, allowed classes, and a flag indicating whether the deserialization allowlist is enabled.

Method Summary
Modifier and Type: protected Class<?>
Method: resolveClass(ObjectStreamClass desc)
Description: Resolves the class for the provided ObjectStreamClass descriptor.

Methods inherited from class java.io.ObjectInputStream
available, close, defaultReadObject, enableResolveObject, getObjectInputFilter, read, read, readBoolean, readByte, readChar, readClassDescriptor, readDouble, readFields, readFloat, readFully, readFully, readInt, readLine, readLong, readObject, readObjectOverride, readShort, readStreamHeader, readUnshared, readUnsignedByte, readUnsignedShort, readUTF, registerValidation, resolveObject, resolveProxyClass, setObjectInputFilter, skipBytes
Methods inherited from class java.io.InputStream
mark, markSupported, nullInputStream, read, readAllBytes, readNBytes, readNBytes, reset, skip, skipNBytes, transferTo
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface java.io.ObjectInput
read, skip

Constructor Details

StashObjectInputStream
public StashObjectInputStream(InputStream in, HibernateMetadataHelper hibernateMetadataHelper, Set<Class<?>> allowedClasses) throws IOException
Constructs a new StashObjectInputStream with the specified input stream, HibernateMetadataHelper, allowed classes, and a flag indicating whether the deserialization allowlist is enabled.
Parameters:
in - The InputStream from which to read the serialized object.
hibernateMetadataHelper - The HibernateMetadataHelper instance used to get all exportable entities by class.
allowedClasses - The set of classes that are allowed to be deserialized.
Throws:
IOException - If an I/O error occurs while reading stream header.

Method Details

resolveClass
Resolves the class for the provided ObjectStreamClass descriptor. Only classes that are in the ALLOWED_CLASSES set are allowed to be deserialized.
Overrides:
resolveClass in class ObjectInputStream
Parameters:
desc - An instance of ObjectStreamClass.
Returns:
The Class object for the class with the specified name.
Throws:
IOException - If an I/O error occurs while reading class descriptor.
ClassNotFoundException - If class of a serialized object cannot be found.