2424import java .io .ObjectOutput ;
2525import java .io .ObjectOutputStream ;
2626import java .io .Serializable ;
27+ import java .util .Collection ;
28+ import java .util .Collections ;
2729import org .apache .logging .log4j .test .internal .annotation .SuppressFBWarnings ;
2830import org .apache .logging .log4j .util .Constants ;
2931import org .apache .logging .log4j .util .FilteredObjectInputStream ;
@@ -68,11 +70,25 @@ public static byte[] serialize(final Serializable... objs) {
6870 * @param data byte array representing the serialized object
6971 * @return the deserialized object
7072 */
71- @ SuppressWarnings ("unchecked" )
7273 @ SuppressFBWarnings ("OBJECT_DESERIALIZATION" )
7374 public static <T > T deserialize (final byte [] data ) {
75+ return deserialize (data , Collections .emptySet ());
76+ }
77+
78+ /**
79+ * Deserialize an object from the specified byte array using a {@link FilteredObjectInputStream}
80+ * extended with the supplied allow-list (Java 8 only — Java 9+ uses the JVM's serialization
81+ * filter, so the allow-list is ignored).
82+ * @param data byte array representing the serialized object
83+ * @param allowedExtraClasses fully-qualified class names to add to {@link
84+ * FilteredObjectInputStream}'s default allow-list on Java 8
85+ * @return the deserialized object
86+ */
87+ @ SuppressWarnings ("unchecked" )
88+ @ SuppressFBWarnings ("OBJECT_DESERIALIZATION" )
89+ public static <T > T deserialize (final byte [] data , final Collection <String > allowedExtraClasses ) {
7490 try {
75- final ObjectInputStream ois = getObjectInputStream (data );
91+ final ObjectInputStream ois = getObjectInputStream (data , allowedExtraClasses );
7692 return (T ) ois .readObject ();
7793 } catch (final Exception ex ) {
7894 throw new IllegalStateException ("Could not deserialize" , ex );
@@ -86,8 +102,18 @@ public static <T> T deserialize(final byte[] data) {
86102 */
87103 @ SuppressFBWarnings ("OBJECT_DESERIALIZATION" )
88104 public static ObjectInputStream getObjectInputStream (final byte [] data ) throws IOException {
105+ return getObjectInputStream (data , Collections .emptySet ());
106+ }
107+
108+ /**
109+ * Creates an {@link ObjectInputStream} adapted to the current Java version, extended with the
110+ * supplied allow-list on Java 8.
111+ */
112+ @ SuppressFBWarnings ("OBJECT_DESERIALIZATION" )
113+ public static ObjectInputStream getObjectInputStream (
114+ final byte [] data , final Collection <String > allowedExtraClasses ) throws IOException {
89115 final ByteArrayInputStream bas = new ByteArrayInputStream (data );
90- return getObjectInputStream (bas );
116+ return getObjectInputStream (bas , allowedExtraClasses );
91117 }
92118
93119 /**
@@ -97,8 +123,18 @@ public static ObjectInputStream getObjectInputStream(final byte[] data) throws I
97123 */
98124 @ SuppressFBWarnings ("OBJECT_DESERIALIZATION" )
99125 public static ObjectInputStream getObjectInputStream (final InputStream stream ) throws IOException {
126+ return getObjectInputStream (stream , Collections .emptySet ());
127+ }
128+
129+ /**
130+ * Creates an {@link ObjectInputStream} adapted to the current Java version, extended with the
131+ * supplied allow-list on Java 8.
132+ */
133+ @ SuppressFBWarnings ("OBJECT_DESERIALIZATION" )
134+ public static ObjectInputStream getObjectInputStream (
135+ final InputStream stream , final Collection <String > allowedExtraClasses ) throws IOException {
100136 return Constants .JAVA_MAJOR_VERSION == 8
101- ? new FilteredObjectInputStream (stream )
137+ ? new FilteredObjectInputStream (stream , allowedExtraClasses )
102138 : new ObjectInputStream (stream );
103139 }
104140}
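Review bot: The Java 9+ branch `: new ObjectInputStream(stream)` returns an unfiltered stream, so `allowedExtraClasses` only has an effect on Java 8 and otherwise depends entirely on whatever JVM-wide serialization filter is configured outside this class; the Javadoc on the two new `getObjectInputStream` overloads (this hunk and the previous one) does not say so, unlike the `deserialize` overload's Javadoc, which does. Suggest completing both with `@param stream` / `@param data`, `@param allowedExtraClasses fully-qualified class names added to the allow-list on Java 8 only; ignored on Java 9+, where no per-stream filter is installed`, `@return the stream to read the object from`, and `@throws IOException if the stream header cannot be read`. Installing a per-stream `ObjectInputFilter` on Java 9+ would make the allow-list meaningful there too, but that API cannot be referenced from a Java 8 build, so the documentation caveat is the minimal fix. A null `allowedExtraClasses` is passed straight through to `FilteredObjectInputStream`; whether it tolerates null is not visible here, so `Objects.requireNonNull(allowedExtraClasses, "allowedExtraClasses")` at the top of the public overload would make the contract explicit.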