Package com.atlassian.confluence.impl.cluster.nutcluster.interceptor.authenticator

Class ParanoidObjectDataInputStream

java.lang.Object

java.io.InputStream

com.atlassian.nutcluster.internal.serialization.impl.ObjectDataInputStream

com.atlassian.confluence.impl.cluster.nutcluster.interceptor.authenticator.ParanoidObjectDataInputStream

All Implemented Interfaces:

com.atlassian.nutcluster.nio.ObjectDataInput, com.atlassian.nutcluster.nio.VersionAware, Closeable, DataInput, AutoCloseable

public class ParanoidObjectDataInputStream
extends com.atlassian.nutcluster.internal.serialization.impl.ObjectDataInputStream

A subclass of Nutcluster's ObjectDataInputStream specifically for use during join checks which applies bounds to certain operations.

What this class overrides and what it doesn't is strongly influenced by what methods the join check implementations actually call. For example, any of the read*Array methods could also be used to try and instantiate arrays of unrealistic size and trigger OutOfMemoryErrors. However, the join checks never call those methods, so in practice there's no vulnerability there.

Since:

7.17.3

Field Summary

Fields

Modifier and Type	Field	Description
protected com.atlassian.nutcluster.version.Version	version

Constructor Summary

Constructors

Constructor	Description
ParanoidObjectDataInputStream(InputStream in, com.atlassian.nutcluster.internal.serialization.InternalSerializationService serializationService)

Method Summary

Modifier and Type	Method	Description
com.atlassian.nutcluster.version.Version	getVersion()
String	readUTF()	Overrides ObjectDataInputStream.readUTF() and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering OutOfMemoryErrors
void	setVersion(com.atlassian.nutcluster.version.Version arg0)

Methods inherited from class com.atlassian.nutcluster.internal.serialization.impl.ObjectDataInputStream

available, close, getByteOrder, getClassLoader, getSerializationService, mark, markSupported, read, read, read, readBoolean, readBooleanArray, readByte, readByteArray, readChar, readCharArray, readData, readDataAsObject, readDouble, readDoubleArray, readFloat, readFloatArray, readFully, readFully, readInt, readIntArray, readLine, readLong, readLongArray, readObject, readObject, readShort, readShortArray, readUnsignedByte, readUnsignedShort, readUTFArray, reset, skip, skipBytes

Methods inherited from class java.io.InputStream

nullInputStream, readAllBytes, readNBytes, readNBytes, skipNBytes, transferTo

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

version

protected com.atlassian.nutcluster.version.Version version

Constructor Details

ParanoidObjectDataInputStream

public ParanoidObjectDataInputStream(InputStream in,
 com.atlassian.nutcluster.internal.serialization.InternalSerializationService serializationService)

Method Details

readUTF

public String readUTF()
               throws IOException

Overrides ObjectDataInputStream.readUTF() and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering OutOfMemoryErrors

Specified by:

readUTF in interface DataInput

Overrides:

readUTF in class com.atlassian.nutcluster.internal.serialization.impl.ObjectDataInputStream

Returns:

the UTF string, or null if the requested length is -1

Throws:

IOException - if data cannot be read from the stream

UTFDataFormatException - if the string length to read is excessively long

setVersion

public void setVersion(com.atlassian.nutcluster.version.Version arg0)

getVersion

public com.atlassian.nutcluster.version.Version getVersion()

Specified by:

getVersion in interface com.atlassian.nutcluster.nio.VersionAware