ParanoidObjectDataInputStream (Atlassian Confluence 7.17.5 API)

Skip navigation links

All Classes

Summary:
Nested |
Field |
Constr |
Method

Detail:
Field |
Constr |
Method

java.lang.Object
- java.io.InputStream
- - com.hazelcast.internal.serialization.impl.ObjectDataInputStream
  - - com.atlassian.confluence.impl.cluster.hazelcast.interceptor.authenticator.ParanoidObjectDataInputStream

All Implemented Interfaces:

com.hazelcast.nio.ObjectDataInput, com.hazelcast.nio.VersionAware, Closeable, DataInput, AutoCloseable
```
public class ParanoidObjectDataInputStream
extends com.hazelcast.internal.serialization.impl.ObjectDataInputStream
```
A subclass of Hazelcast's ObjectDataInputStream specifically for use during join checks which applies bounds to certain operations.
What this class overrides and what it doesn't is strongly influenced by what methods the join check implementations actually call. For example, any of the read*Array methods could also be used to try and instantiate arrays of unrealistic size and trigger OutOfMemoryErrors. However, the join checks never call those methods, so in practice there's no vulnerability there.

Since:

7.17.3

Field Summary

Fields
Modifier and Type Field and Description

protected com.hazelcast.version.Version version

Constructor Summary

Constructors
Constructor and Description
`ParanoidObjectDataInputStream(InputStream in, com.hazelcast.internal.serialization.InternalSerializationService serializationService)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`String`	`readUTF()` Overrides `ObjectDataInputStream.readUTF()` and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering `OutOfMemoryError`s

Methods inherited from class com.hazelcast.internal.serialization.impl.ObjectDataInputStream
available, close, getByteOrder, getClassLoader, getSerializationService, mark, markSupported, read, read, read, readBoolean, readBooleanArray, readByte, readByteArray, readChar, readCharArray, readData, readDataAsObject, readDouble, readDoubleArray, readFloat, readFloatArray, readFully, readFully, readInt, readIntArray, readLine, readLong, readLongArray, readObject, readObject, readShort, readShortArray, readUnsignedByte, readUnsignedShort, readUTFArray, reset, skip, skipBytes

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - version
```
protected com.hazelcast.version.Version version
```
- Constructor Detail
  - ParanoidObjectDataInputStream
```
public ParanoidObjectDataInputStream(InputStream in,
                                     com.hazelcast.internal.serialization.InternalSerializationService serializationService)
```
- Method Detail
  - readUTF
```
public String readUTF()
               throws IOException
```
    Overrides ObjectDataInputStream.readUTF() and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering OutOfMemoryErrors
    
    Specified by:
    
    readUTF in interface DataInput
    
    Overrides:
    
    readUTF in class com.hazelcast.internal.serialization.impl.ObjectDataInputStream
    
    Returns:
    
    the UTF string, or null if the requested length is -1
    
    Throws:
    
    IOException - if data cannot be read from the stream
    
    UTFDataFormatException - if the string length to read is excessively long

Skip navigation links

All Classes

Summary:
Nested |
Field |
Constr |
Method

Detail:
Field |
Constr |
Method

Copyright © 2003–2022 Atlassian. All rights reserved.