• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

oracle / opengrok / #3731

30 Nov 2023 04:39PM CUT coverage: 66.148% (-8.7%) from 74.811%
#3731

push

vladak
update Tomcat to 10.1.16

fixes #4492

38758 of 58593 relevant lines covered (66.15%)

0.66 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0
/opengrok-indexer/src/main/java/org/opengrok/indexer/history/AnnotationDataClassLoader.java
1
/*
2
 * CDDL HEADER START
3
 *
4
 * The contents of this file are subject to the terms of the
5
 * Common Development and Distribution License (the "License").
6
 * You may not use this file except in compliance with the License.
7
 *
8
 * See LICENSE.txt included in this distribution for the specific
9
 * language governing permissions and limitations under the License.
10
 *
11
 * When distributing Covered Code, include this CDDL HEADER in each
12
 * file and include the License file at LICENSE.txt.
13
 * If applicable, add the following below this CDDL HEADER, with the
14
 * fields enclosed by brackets "[]" replaced with your own identifying
15
 * information: Portions Copyright [yyyy] [name of copyright owner]
16
 *
17
 * CDDL HEADER END
18
 */
19

20
/*
21
 * Copyright (c) 2021, 2022, Oracle and/or its affiliates. All rights reserved.
22
 */
23
package org.opengrok.indexer.history;
24

25
import java.beans.XMLDecoder;
26
import java.util.ArrayList;
27
import java.util.Collections;
28
import java.util.Set;
29
import java.util.stream.Collectors;
30

31
/**
32
 * Temporary hack to prevent {@link XMLDecoder} to deserialize other than allowed classes. This tries to prevent
33
 * calling of methods on {@link ProcessBuilder} or {@link Runtime} (or similar) which could be used for code execution.
34
 */
35
public class AnnotationDataClassLoader extends ClassLoader {
×
36
    private static final Set<String> allowedClasses = Set.of(
×
37
            ArrayList.class,
38
            Collections.class,
39
            AnnotationData.class,
40
            AnnotationLine.class,
41
            String.class,
42
            XMLDecoder.class
43
    ).stream().map(java.lang.Class::getName).collect(Collectors.toSet());
×
44

45
    @Override
46
    public Class<?> loadClass(final String name) throws ClassNotFoundException {
47
        if (!allowedClasses.contains(name)) {
×
48
            throw new IllegalAccessError(name + " is not allowed to be used in AnnotationData object");
×
49
        }
50

51
        return getClass().getClassLoader().loadClass(name);
×
52
    }
53

54
}
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2025 Coveralls, Inc