java.lang.Object
java.io.InputStream
com.hazelcast.internal.serialization.impl.ObjectDataInputStream
com.atlassian.confluence.impl.cluster.hazelcast.interceptor.authenticator.ParanoidObjectDataInputStream
All Implemented Interfaces:
com.hazelcast.internal.nio.DataReader, com.hazelcast.nio.ObjectDataInput, com.hazelcast.nio.VersionAware, com.hazelcast.nio.WanProtocolVersionAware, com.hazelcast.spi.impl.SerializationServiceSupport, Closeable, DataInput, AutoCloseable

public class ParanoidObjectDataInputStream extends com.hazelcast.internal.serialization.impl.ObjectDataInputStream
A subclass of Hazelcast's ObjectDataInputStream, intended specifically for use during join checks, that applies bounds to certain read operations so that a length prefix supplied by a remote peer cannot drive an unbounded allocation.

What this class overrides, and what it doesn't, is strongly influenced by which methods the join check implementations actually call. For example, any of the read*Array methods could also be used to try to instantiate arrays of unrealistic size and trigger OutOfMemoryErrors. However, the join checks never call those methods, so in practice there is no vulnerability there. That reasoning holds only as long as the join checks keep to the overridden methods; a join check that starts calling one of the inherited, unbounded readers would reopen the issue, so the set of overrides should be revisited whenever the join check code changes.
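The pattern the override implements, as an added example that is not Confluence's or Hazelcast's code: read the attacker-controlled length prefix, compare it against a fixed ceiling before allocating anything sized by it, and reject with UTFDataFormatException when it is out of range. The wire format assumed here (a 4-byte big-endian length, -1 meaning null, followed by that many UTF-8 bytes) and the limit MAX_STRING_BYTES are assumptions for the illustration; the page does not document Hazelcast's exact encoding or the constant Confluence uses.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.UTFDataFormatException;
import java.nio.charset.StandardCharsets;

// Illustration only, not the Confluence class. Assumed format: int length
// prefix (-1 = null) followed by `length` UTF-8 bytes.
public class BoundedStringReader extends DataInputStream {

    // Hypothetical ceiling; pick it from the largest legitimate value the
    // protocol actually carries, not from what the JVM could survive.
    static final int MAX_STRING_BYTES = 64 * 1024;

    public BoundedStringReader(InputStream in) {
        super(in);
    }

    public String readBoundedString() throws IOException {
        int len = readInt(); // attacker-controlled
        if (len == -1) {
            return null;
        }
        // Check BEFORE allocating: new byte[len] with len near 2^31 is the
        // OutOfMemoryError trigger. Negative values other than -1 are also
        // rejected rather than being passed to the array allocator.
        if (len < 0 || len > MAX_STRING_BYTES) {
            throw new UTFDataFormatException(
                "string length " + len + " exceeds limit " + MAX_STRING_BYTES);
        }
        byte[] buf = new byte[len];
        readFully(buf); // EOFException if the peer claimed more than it sent
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Encoder for the same constructed format, used to build sample input.
    static byte[] encode(String s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        if (s == null) {
            out.writeInt(-1);
        } else {
            byte[] b = s.getBytes(StandardCharsets.UTF_8);
            out.writeInt(b.length);
            out.write(b);
        }
        out.flush();
        return bos.toByteArray();
    }

    static String read(byte[] wire) throws IOException {
        return new BoundedStringReader(new ByteArrayInputStream(wire)).readBoundedString();
    }

    public static void main(String[] args) throws IOException {
        // Honest peer: a short node name and a null.
        System.out.println("ok:   " + read(encode("node-1.example")));
        System.out.println("null: " + read(encode(null)));

        // Hostile peer (constructed): claims a 2 GB string, sends no body.
        byte[] hostile = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        try {
            read(hostile);
        } catch (UTFDataFormatException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Within the limit but truncated: the bounded read still fails
        // cleanly with EOFException instead of blocking or returning garbage.
        byte[] truncated = {0x00, 0x00, 0x04, 0x00, 'a', 'b'};
        try {
            read(truncated);
        } catch (EOFException e) {
            System.out.println("truncated: " + e);
        }
    }
}
```

The limit has to sit on the declared length, not on what the stream happens to contain: DataInputStream.readFully allocates nothing itself, but the byte[] created from the prefix is what a 2 GB claim blows up, and that allocation happens before a single byte of body is read.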

Since:
7.17.3
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    protected com.hazelcast.version.Version
    version
     
    protected com.hazelcast.version.Version
    wanProtocolVersion
     
  • Constructor Summary

    Constructors
    Constructor
    Description
    ParanoidObjectDataInputStream(InputStream in, com.hazelcast.internal.serialization.InternalSerializationService serializationService)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    com.hazelcast.version.Version
    getVersion()
     
    com.hazelcast.version.Version
    getWanProtocolVersion()
     
    String
    readUTF()
    Overrides ObjectDataInputStream.readUTF() and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering OutOfMemoryErrors
    void
    setVersion(com.hazelcast.version.Version arg0)
     
    void
    setWanProtocolVersion(com.hazelcast.version.Version arg0)
     

    Methods inherited from class com.hazelcast.internal.serialization.impl.ObjectDataInputStream

    available, close, getByteOrder, getClassLoader, getSerializationService, mark, markSupported, read, read, read, readBoolean, readBooleanArray, readByte, readByteArray, readChar, readCharArray, readData, readDataAsObject, readDouble, readDoubleArray, readFloat, readFloatArray, readFully, readFully, readInt, readIntArray, readLine, readLong, readLongArray, readObject, readObject, readShort, readShortArray, readString, readStringArray, readUnsignedByte, readUnsignedShort, readUTFArray, reset, skip, skipBytes

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • version

      protected com.hazelcast.version.Version version
    • wanProtocolVersion

      protected com.hazelcast.version.Version wanProtocolVersion
  • Constructor Details

    • ParanoidObjectDataInputStream

      public ParanoidObjectDataInputStream(InputStream in, com.hazelcast.internal.serialization.InternalSerializationService serializationService)
  • Method Details

    • readUTF

      public String readUTF() throws IOException
      Overrides ObjectDataInputStream.readUTF() and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering OutOfMemoryErrors
      Specified by:
      readUTF in interface DataInput
      Specified by:
      readUTF in interface com.hazelcast.nio.ObjectDataInput
      Overrides:
      readUTF in class com.hazelcast.internal.serialization.impl.ObjectDataInputStream
      Returns:
      the UTF string, or null if the requested length is -1
      Throws:
      IOException - if data cannot be read from the stream
      UTFDataFormatException - if the string length to read is excessively long
    • getWanProtocolVersion

      public com.hazelcast.version.Version getWanProtocolVersion()
      Specified by:
      getWanProtocolVersion in interface com.hazelcast.nio.WanProtocolVersionAware
    • setWanProtocolVersion

      public void setWanProtocolVersion(com.hazelcast.version.Version arg0)
      Specified by:
      setWanProtocolVersion in interface com.hazelcast.nio.WanProtocolVersionAware
    • getVersion

      public com.hazelcast.version.Version getVersion()
      Specified by:
      getVersion in interface com.hazelcast.nio.VersionAware
    • setVersion

      public void setVersion(com.hazelcast.version.Version arg0)
      Specified by:
      setVersion in interface com.hazelcast.nio.VersionAware