com.atlassian.jira.security.BlocklistDeserializationFilter

All Implemented Interfaces:: ObjectInputFilter

public class BlocklistDeserializationFilter extends Object implements ObjectInputFilter

This is a global deserialization filter for Jira. The root reason for adding the filter was the vulnerability to JMX RCE attacks. It maintains a blocklist of some well known vulnerable classes that will be rejected when loading. The blocklist classes is placed in deserialization-blocklist.properties file and copied from here

Since:: v9.8

Nested Class Summary

Nested classes/interfaces inherited from interface java.io.ObjectInputFilter
ObjectInputFilter.Config, ObjectInputFilter.FilterInfo, ObjectInputFilter.Status
Constructor Summary

Constructors

Constructor

Description

BlocklistDeserializationFilter(Set<String> blockedClasses)
Method Summary

Modifier and Type

Method

Description

ObjectInputFilter.Status

checkInput(ObjectInputFilter.FilterInfo filterInfo)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details
- BlocklistDeserializationFilter
  
  public BlocklistDeserializationFilter(Set<String> blockedClasses)
Method Details
- checkInput
  
  public ObjectInputFilter.Status checkInput(ObjectInputFilter.FilterInfo filterInfo)
  
  Specified by:
  
  checkInput in interface ObjectInputFilter

Class BlocklistDeserializationFilter

Nested Class Summary

Nested classes/interfaces inherited from interface java.io.ObjectInputFilter

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Details

BlocklistDeserializationFilter

Method Details

checkInput