Class AgentStateDeserializationFilter

java.lang.Object
org.snmp4j.agent.io.AgentStateDeserializationFilter
All Implemented Interfaces:
ObjectInputFilter

public final class AgentStateDeserializationFilter extends Object implements ObjectInputFilter
The AgentStateDeserializationFilter is a strict ObjectInputFilter that protects the deserialization of persistent agent state (as read by DefaultMOInput) against Java deserialization attacks. It allows only the exact set of classes that DefaultMOOutput serializes (and the transitive field types of those classes) to be deserialized and rejects every other class. In addition, it bounds the depth of the object graph as well as array length, the number of object references and the number of stream bytes per object graph as a denial-of-service backstop.

The allowed classes are matched by exact identity, i.e., registering a non-final class does not implicitly allow its subclasses. Custom Variable or Context subclasses that are not part of the default allowlist have to be registered explicitly through AgentStateDeserializationFilter(Collection).

This filter relies only on the standard Java serialization filter API (java.io.ObjectInputFilter, available since Java 9 as part of JEP 290) and does not depend on any non-standard filtering mechanism.

Since:
3.12.0
Version:
3.12.0
Author:
Frank Fock
  • Field Details

    • MAX_DEPTH

      public static final long MAX_DEPTH
      Maximum allowed depth of the deserialized object graph. The deepest legitimate graph written by DefaultMOOutput is about five levels deep (IndexedVariables -> Variable[] -> IpAddress -> InetAddress -> byte[]); the limit adds headroom while still rejecting deeply nested gadget chains.
    • MAX_ARRAY

      public static final long MAX_ARRAY
      Maximum allowed array length. Set generously: legitimate arrays (table column values, OID sub-identifiers, IP address bytes) are tiny, but a stored binary OctetString blob may be sizable. The limit only guards against multi-gigabyte allocation attacks.
    • MAX_REFS

      public static final long MAX_REFS
      Maximum allowed number of object references in a single object graph (handle table size).
    • MAX_BYTES

      public static final long MAX_BYTES
      Maximum allowed number of stream bytes consumed for a single object graph (i.e. per readObject call), as a denial-of-service backstop.
  • Constructor Details

    • AgentStateDeserializationFilter

      public AgentStateDeserializationFilter()
      Creates a strict filter that allows only the default set of agent state classes.
    • AgentStateDeserializationFilter

      public AgentStateDeserializationFilter(Collection<Class<?>> additionalAllowed)
      Creates a strict filter that allows the default set of agent state classes plus the supplied additional classes. The additional classes are matched by exact identity (subclasses are not implicitly allowed).
      Parameters:
      additionalAllowed - additional classes to allow for deserialization, or null/empty for the default set only.
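The following is an added example and is not code from SNMP4J or from this class. It shows a self-contained strict ObjectInputFilter of the kind described above (exact-identity allowlist, array types judged by their component type, depth/array/reference/byte limits, everything else rejected), installed on an ObjectInputStream and exercised against an allowed graph, an unrelated class, a subclass of an allowed class, and a graph that exceeds the depth limit. The stand-in types Row, Value and SpecialValue, the StrictFilter class and the limit values are assumptions for the demo. With the project's own class the installation step is the same: call ois.setObjectInputFilter(new AgentStateDeserializationFilter()) on the ObjectInputStream before the first readObject.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public final class StrictAllowlistFilterDemo {

    /** Illustrative strict filter (not SNMP4J code): exact-identity allowlist plus graph limits. */
    static final class StrictFilter implements ObjectInputFilter {
        private final Set<Class<?>> allowed;
        private final long maxDepth, maxArray, maxRefs, maxBytes;

        StrictFilter(Set<Class<?>> allowed, long maxDepth, long maxArray, long maxRefs, long maxBytes) {
            this.allowed = new HashSet<>(allowed);
            this.maxDepth = maxDepth;
            this.maxArray = maxArray;
            this.maxRefs = maxRefs;
            this.maxBytes = maxBytes;
        }

        @Override
        public Status checkInput(FilterInfo info) {
            // Limits are checked on every callback, including the ones the stream makes with
            // serialClass() == null (e.g. for back-references). arrayLength() is -1 unless an
            // array is about to be allocated, so the comparison is harmless otherwise.
            if (info.depth() > maxDepth || info.references() > maxRefs
                    || info.streamBytes() > maxBytes || info.arrayLength() > maxArray) {
                return Status.REJECTED;
            }
            Class<?> cls = info.serialClass();
            if (cls == null) {
                return Status.ALLOWED; // nothing to judge by class; the limits above already passed
            }
            // Arrays are reported as the array class ("[B", "[LValue;"); judge the component type.
            while (cls.isArray()) {
                cls = cls.getComponentType();
            }
            // Exact identity: a subclass of an allowed class is not allowed.
            return (cls.isPrimitive() || allowed.contains(cls)) ? Status.ALLOWED : Status.REJECTED;
        }
    }

    /** Constructed stand-in for a persisted value type; not an SNMP4J class. */
    static class Value implements Serializable {
        private static final long serialVersionUID = 1L;
        final byte[] bytes;
        Value(byte[] bytes) { this.bytes = bytes; }
    }

    /** Subclass of an allowed type; exact-identity matching must still reject it. */
    static final class SpecialValue extends Value {
        private static final long serialVersionUID = 1L;
        SpecialValue(byte[] bytes) { super(bytes); }
    }

    /** Constructed stand-in for a row of persisted values; not an SNMP4J class. */
    static final class Row implements Serializable {
        private static final long serialVersionUID = 1L;
        final Value[] values;
        Row(Value[] values) { this.values = values; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter); // must be set before the first readObject
            return ois.readObject();
        }
    }

    static void expectRejected(String what, byte[] data, ObjectInputFilter filter) throws Exception {
        try {
            deserialize(data, filter);
            throw new AssertionError(what + " was not rejected");
        } catch (InvalidClassException expected) {
            System.out.println("rejected " + what + ": " + expected.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed allowlist and limits for the demo (String.class included for any String fields).
        Set<Class<?>> allowlist = new HashSet<>(Arrays.asList(Row.class, Value.class, String.class));
        ObjectInputFilter filter = new StrictFilter(allowlist, 8, 1 << 20, 10_000, 1 << 24);

        // Legitimate graph: Row -> Value[] -> Value -> byte[] (depth 4) passes.
        Row row = new Row(new Value[] { new Value(new byte[] {10, 0, 0, 1}) });
        Row back = (Row) deserialize(serialize(row), filter);
        System.out.println("allowed graph: " + Arrays.toString(back.values[0].bytes));

        expectRejected("class outside the allowlist", serialize(new HashMap<String, String>()), filter);
        expectRejected("subclass of an allowed class", serialize(new SpecialValue(new byte[0])), filter);
        expectRejected("graph deeper than the limit", serialize(row),
                new StrictFilter(allowlist, 1, 1 << 20, 10_000, 1 << 24));
    }
}
```

The null-serialClass branch matters in practice: the stream invokes the filter without a class when it resolves a back-reference, purely so that the depth and reference limits can be enforced, and a filter that rejects every call lacking a class would break legitimate graphs that share objects.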
  • Method Details