Class DeserializationSecurityExemption

java.lang.Object
com.atlassian.jira.security.DeserializationSecurityExemption

public final class DeserializationSecurityExemption extends Object
A utility class that exceptionally allows certain classes to be deserialized even if they are considered unsafe by the global deserialization filter.

Any use of this mechanism should be approved by the Product Security team.

  • Method Details

    • allowUnsafe

      public static <T> T allowUnsafe(org.springframework.util.function.ThrowingSupplier<T> supplier, Set<Class<?>> allowedUnsafeClasses) throws NotBoundException, RemoteException
      Execute the given supplier while allowing the specified classes to be deserialized. The allowed classes must be a subset of the predefined safe classes.

      IMPORTANT:
      • Any use of this method must be discussed with the Product Security team.
      • Improper use of this method may introduce security vulnerabilities.
      • The allowed classes should be as specific as possible (the exact payload classes needed, not broad base types) to minimize security risk.
      • The code wrapped in this method (the ThrowingSupplier) should be minimal. Do not wrap more logic in it than the deserialization itself requires.
      • The implementation of this method IS NOT thread-safe. If execution switches threads inside the ThrowingSupplier (for example, by handing work to an executor or another thread), the exemption does not follow it and the mechanism will fail.
      Type Parameters:
      T - the type of the result
      Parameters:
      supplier - the supplier to execute
      allowedUnsafeClasses - the set of classes to allow during the execution of the supplier
      Returns:
      the result of the supplier
      Throws:
      NotBoundException - if a NotBoundException is thrown during the execution of the supplier
      RemoteException - if a RemoteException is thrown during the execution of the supplier
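The following is an added usage example, not code from the Jira codebase or this class's Javadoc. It shows the shape the notes above ask for: a single, narrowly typed allowed set, a supplier that contains nothing but the read, and all work kept on the calling thread. The LegacyReport class is hypothetical and is assumed to be on the exemption's predefined safe list; the example also assumes that a plain ObjectInputStream on the current thread is what the global deserialization filter governs.

```java
import com.atlassian.jira.security.DeserializationSecurityExemption;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
import java.util.Set;

public final class AllowUnsafeExample {

    // Hypothetical payload type. Assumed (for this example only) to be one of the
    // predefined safe classes that allowUnsafe is permitted to admit.
    static final class LegacyReport implements Serializable {
        private static final long serialVersionUID = 1L;
        final String title;
        final int rowCount;

        LegacyReport(String title, int rowCount) {
            this.title = title;
            this.rowCount = rowCount;
        }
    }

    // Allowed set is the exact payload class, declared once as a constant so the
    // exemption's scope is visible at a glance and easy to review.
    private static final Set<Class<?>> ALLOWED = Set.of(LegacyReport.class);

    /**
     * Reads one LegacyReport from bytes. The supplier contains only the read itself:
     * no validation, no persistence, no calls into other services. Everything else
     * happens outside the exemption, on the same thread.
     */
    static LegacyReport readLegacyReport(byte[] bytes) throws NotBoundException, RemoteException {
        LegacyReport report = DeserializationSecurityExemption.allowUnsafe(() -> {
            // ThrowingSupplier.get() may throw checked exceptions, so no wrapping is needed.
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
                return (LegacyReport) in.readObject();
            }
        }, ALLOWED);

        // Post-read validation lives here, after the exemption has ended.
        if (report.title == null || report.rowCount < 0) {
            throw new IllegalArgumentException("rejected malformed LegacyReport");
        }
        return report;
    }

    // Constructed sample input: serialize a LegacyReport so the example runs offline.
    static byte[] sampleBytes() throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new LegacyReport("quarterly", 12));
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        LegacyReport r = readLegacyReport(sampleBytes());
        System.out.println(r.title + " rows=" + r.rowCount);
    }
}
```

Two patterns are deliberately absent. The allowed set is not something like Set.of(Object.class) or a broad interface, because the exemption is meant to admit specific payload classes only. And the supplier does not submit the read to an executor or a CompletableFuture, because the exemption is bound to the calling thread and would not apply to work done elsewhere.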