diff options
| author | miozune <miozune@gmail.com> | 2023-07-25 22:40:45 +0900 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-07-25 22:40:45 +0900 |
| commit | 685934fe140a471ce947a7f01b0003df290aee4f (patch) | |
| tree | e2089ca8bf701724313cfcff35934ac34eff7ead /src/main | |
| parent | 27c8086cebe08b0ab6793bfdf9069d73411699cf (diff) | |
| download | GT5-Unofficial-685934fe140a471ce947a7f01b0003df290aee4f.tar.gz GT5-Unofficial-685934fe140a471ce947a7f01b0003df290aee4f.tar.bz2 GT5-Unofficial-685934fe140a471ce947a7f01b0003df290aee4f.zip | |
Validate ObjectInputStream (#235)
Diffstat (limited to 'src/main')
| -rw-r--r-- | src/main/java/com/github/technus/tectech/mechanics/spark/RendererMessage.java | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/src/main/java/com/github/technus/tectech/mechanics/spark/RendererMessage.java b/src/main/java/com/github/technus/tectech/mechanics/spark/RendererMessage.java index b4271fcacf..1505e41470 100644 --- a/src/main/java/com/github/technus/tectech/mechanics/spark/RendererMessage.java +++ b/src/main/java/com/github/technus/tectech/mechanics/spark/RendererMessage.java @@ -8,6 +8,7 @@ import java.io.IOException; import java.io.InputStream; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; +import java.io.ObjectStreamClass; import java.util.Arrays; import java.util.HashSet; import java.util.Random; @@ -16,6 +17,11 @@ import net.minecraft.client.Minecraft; import net.minecraft.entity.player.EntityPlayer; import net.minecraft.world.World; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.apache.logging.log4j.Marker; +import org.apache.logging.log4j.MarkerManager; + import cpw.mods.fml.common.FMLCommonHandler; import cpw.mods.fml.common.network.simpleimpl.IMessage; import cpw.mods.fml.common.network.simpleimpl.MessageContext; @@ -41,7 +47,7 @@ public class RendererMessage implements IMessage { byte[] boop = pBuffer.array(); boop = Arrays.copyOfRange(boop, 1, boop.length); InputStream is = new ByteArrayInputStream(boop); - ObjectInputStream ois = new ObjectInputStream(is); + ObjectInputStream ois = new ValidatingObjectInputStream(is); Object data = ois.readObject(); sparkList = (HashSet<ThaumSpark>) data; } catch (IOException | ClassNotFoundException ignored) {} @@ -117,4 +123,25 @@ public class RendererMessage implements IMessage { } } } + + private static class ValidatingObjectInputStream extends ObjectInputStream { + + private static final Logger logger = LogManager.getLogger(); + private static final Marker securityMarker = MarkerManager.getMarker("SuspiciousPackets"); + + private ValidatingObjectInputStream(InputStream in) throws IOException { + super(in); + } + + @Override + protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException { + String name = desc.getName(); + if (!name.equals("java.util.HashSet") + && !name.equals("com.github.technus.tectech.mechanics.spark.ThaumSpark")) { + logger.warn(securityMarker, "Received packet containing disallowed class: " + name); + throw new RuntimeException(); + } + return super.resolveClass(desc); + } + } } |