Class DefaultClassFilter

java.lang.Object
cloud.opencode.base.serialization.filter.DefaultClassFilter
public final class DefaultClassFilter extends Object
DefaultClassFilter - Pre-built Secure Class Filters 预置安全类过滤器

Provides factory methods for commonly used deserialization class filters. These filters protect against known deserialization gadget chains and restrict classes to safe subsets of the JDK and common libraries.

提供常用反序列化类过滤器的工厂方法。 这些过滤器可防御已知的反序列化利用链, 并将类限制在 JDK 和常见库的安全子集内。

Features | 主要功能:

  • secure() - Blocks known gadget chain classes - 阻止已知利用链类
  • strict() - Allowlist-only filter for JDK standard types - 仅允许 JDK 标准类型的白名单过滤器

Usage Examples | 使用示例:

// Use the secure filter to block known dangerous classes
ClassFilter filter = DefaultClassFilter.secure();
boolean allowed = filter.isAllowed("java.lang.String"); // true
boolean blocked = filter.isAllowed("javax.naming.InitialContext"); // false

// Use the strict filter for maximum security
ClassFilter strict = DefaultClassFilter.strict();
boolean ok = strict.isAllowed("java.util.ArrayList"); // true
boolean denied = strict.isAllowed("com.example.MyClass"); // false

// Combine secure filter with custom allowlist
ClassFilter custom = DefaultClassFilter.secure()
    .and(new ClassFilterBuilder()
        .allowPackage("com.myapp.model")
        .defaultDeny()
        .build());

Security | 安全性:

  • Thread-safe: Yes (all returned filters are immutable) - 线程安全: 是(所有返回的过滤器均不可变)
Since:
JDK 25, opencode-base-serialization V1.0.3
Author:
Leon Soo www.LeonSoo.com
See Also:

  • Method Details

    • secure

      public static ClassFilter secure()
      Returns a filter that blocks known dangerous deserialization gadget classes. 返回阻止已知危险反序列化利用链类的过滤器。

      This filter denies classes commonly exploited in deserialization attacks, including JNDI injection, RMI exploitation, and known gadget chain classes from Apache Commons Collections, Xalan, Spring, and other libraries. All other classes are allowed by default.

      此过滤器拒绝反序列化攻击中常被利用的类, 包括 JNDI 注入、RMI 利用以及来自 Apache Commons Collections、 Xalan、Spring 等库的已知利用链类。 默认允许其他所有类。

      Blocked categories | 阻止的类别:

      • JNDI: javax.naming.*, com.sun.jndi.* - JNDI 相关
      • RMI: java.rmi.*, sun.rmi.* - RMI 相关
      • Commons Collections gadgets: org.apache.commons.collections.functors.*, org.apache.commons.collections4.functors.* - Commons 集合利用链
      • Xalan/XSLT: org.apache.xalan.*, com.sun.org.apache.xalan.* - XSLT 处理器
      • BCEL: com.sun.org.apache.bcel.*, org.apache.bcel.* - 字节码工程库
      • Spring: org.springframework.beans.factory.*, org.springframework.aop.* - Spring 框架
      • Script engines: javax.script.*, jdk.nashorn.* - 脚本引擎
      • Process execution: java.lang.ProcessBuilder, java.lang.Runtime - 进程执行
      Returns:
      a secure class filter that blocks known gadget chains | 阻止已知利用链的安全类过滤器

    • strict

      public static ClassFilter strict()
      Returns a filter that only allows JDK standard types and common value types. 返回仅允许 JDK 标准类型和常见值类型的过滤器。

      This is the most restrictive built-in filter. Only the following categories of classes are allowed:

      这是最严格的内置过滤器。仅允许以下类别的类:

      • Primitives and wrappers: int, Integer, etc. - 基本类型和包装类
      • String and CharSequence - 字符串
      • java.math: BigDecimal, BigInteger - 数学类
      • java.time: all temporal types - 时间类型
      • java.util: collections, Optional, UUID, etc. - 集合、Optional、UUID 等
      • java.net: URI - 网络地址(URL 因 DNS gadget 风险已排除)
      • java.io.Serializable (marker interface only) - 序列化标记接口
      • Arrays of allowed types - 允许类型的数组
      Returns:
      a strict allowlist-only class filter | 严格的白名单类过滤器