ParanoidObjectDataInputStream (Atlassian Confluence 8.8.0 API)

java.lang.Object
- java.io.InputStream
- - com.hazelcast.internal.serialization.impl.ObjectDataInputStream
  - - com.atlassian.confluence.impl.cluster.hazelcast.interceptor.authenticator.ParanoidObjectDataInputStream

All Implemented Interfaces:

com.hazelcast.nio.ObjectDataInput, com.hazelcast.nio.VersionAware, Closeable, DataInput, AutoCloseable
```
public class ParanoidObjectDataInputStream
extends com.hazelcast.internal.serialization.impl.ObjectDataInputStream
```
A subclass of Hazelcast's ObjectDataInputStream specifically for use during join checks which applies bounds to certain operations.
What this class overrides and what it doesn't is strongly influenced by what methods the join check implementations actually call. For example, any of the read*Array methods could also be used to try and instantiate arrays of unrealistic size and trigger OutOfMemoryErrors. However, the join checks never call those methods, so in practice there's no vulnerability there.

Since:

7.17.3

Field Summary

Fields
Modifier and Type Field Description

protected com.hazelcast.version.Version version

Constructor Summary

Constructors
Constructor	Description
`ParanoidObjectDataInputStream(InputStream in, com.hazelcast.internal.serialization.InternalSerializationService serializationService)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`com.hazelcast.version.Version`	`getVersion()`
`String`	`readUTF()`	Overrides `ObjectDataInputStream.readUTF()` and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering `OutOfMemoryError`s
`void`	`setVersion(com.hazelcast.version.Version arg0)`

Methods inherited from class com.hazelcast.internal.serialization.impl.ObjectDataInputStream
available, close, getByteOrder, getClassLoader, getSerializationService, mark, markSupported, read, read, read, readBoolean, readBooleanArray, readByte, readByteArray, readChar, readCharArray, readData, readDataAsObject, readDouble, readDoubleArray, readFloat, readFloatArray, readFully, readFully, readInt, readIntArray, readLine, readLong, readLongArray, readObject, readObject, readShort, readShortArray, readUnsignedByte, readUnsignedShort, readUTFArray, reset, skip, skipBytes

Methods inherited from class java.io.InputStream
nullInputStream, readAllBytes, readNBytes, readNBytes, transferTo

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - version
```
protected com.hazelcast.version.Version version
```
- Constructor Detail
  - ParanoidObjectDataInputStream
```
public ParanoidObjectDataInputStream(InputStream in,
                                     com.hazelcast.internal.serialization.InternalSerializationService serializationService)
```
- Method Detail
  - readUTF
```
public String readUTF()
               throws IOException
```
    Overrides ObjectDataInputStream.readUTF() and applies a hard upper limit to the number of chars that can be read, to prevent malicious clients from triggering OutOfMemoryErrors
    
    Specified by:
    
    readUTF in interface DataInput
    
    Overrides:
    
    readUTF in class com.hazelcast.internal.serialization.impl.ObjectDataInputStream
    
    Returns:
    
    the UTF string, or null if the requested length is -1
    
    Throws:
    
    IOException - if data cannot be read from the stream
    
    UTFDataFormatException - if the string length to read is excessively long
  - setVersion
```
public void setVersion(com.hazelcast.version.Version arg0)
```
  - getVersion
```
public com.hazelcast.version.Version getVersion()
```
    Specified by:
    
    getVersion in interface com.hazelcast.nio.VersionAware