Harden ObjectArrayMessage deserialization with SerializationUtil.assertFiltered

log4j-1.2-api/src/main/java/org/apache/log4j/Level.java

@@ -25,6 +25,7 @@
 import java.io.Serializable;
 import org.apache.log4j.helpers.OptionConverter;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Defines the minimum set of levels recognized by the system, that is
@@ -214,6 +215,7 @@ public static Level toLevel(final String sArg, final Level defaultLevel) {
      * @throws ClassNotFoundException if class not found.
      */
     private void readObject(final ObjectInputStream s) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(s);
         s.defaultReadObject();
         level = s.readInt();
         syslogEquivalent = s.readInt();

log4j-api-test/src/test/java/org/apache/logging/log4j/message/ObjectArrayMessageTest.java

@@ -19,6 +19,7 @@
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
 
+import org.apache.logging.log4j.test.junit.SerialUtil;
 import org.junit.jupiter.api.Test;
 
 /**
@@ -38,4 +39,16 @@ void testGetParameters() {
     void testGetThrowable() {
         assertNull(OBJECT_ARRAY_MESSAGE.getThrowable());
     }
+
+    /**
+     * Round-trips through a filtered stream (see {@link SerialUtil#getObjectInputStream})
+     * to verify that {@code readObject}'s new {@code SerializationUtil.assertFiltered}
+     * check accepts streams that carry a filter.
+     */
+    @Test
+    void testSerializableRoundTripThroughFilteredStream() {
+        final ObjectArrayMessage original = new ObjectArrayMessage("A", "B", "C");
+        final ObjectArrayMessage restored = SerialUtil.deserialize(SerialUtil.serialize(original));
+        assertArrayEquals(original.getParameters(), restored.getParameters());
+    }
 }

log4j-api/src/main/java/org/apache/logging/log4j/message/FormattedMessage.java

@@ -23,6 +23,7 @@
 import java.text.MessageFormat;
 import java.util.Arrays;
 import java.util.Locale;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Handles messages that contain a format String. Dynamically determines if the format conforms to
@@ -243,6 +244,7 @@ public int hashCode() {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         formattedMessage = in.readUTF();
         messagePattern = in.readUTF();

log4j-api/src/main/java/org/apache/logging/log4j/message/LocalizedMessage.java

@@ -23,6 +23,7 @@
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
 import org.apache.logging.log4j.status.StatusLogger;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Provides some level of compatibility with Log4j 1.x and convenience but is not the recommended way to Localize
@@ -283,6 +284,7 @@ private void writeObject(final ObjectOutputStream out) throws IOException {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         formattedMessage = in.readUTF();
         key = in.readUTF();

log4j-api/src/main/java/org/apache/logging/log4j/message/MessageFormatMessage.java

@@ -25,6 +25,7 @@
 import java.util.Locale;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.status.StatusLogger;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Handles messages that consist of a format string conforming to java.text.MessageFormat.
@@ -164,6 +165,7 @@ private void writeObject(final ObjectOutputStream out) throws IOException {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException {
+        SerializationUtil.assertFiltered(in);
         parameters = null;
         throwable = null;
         formattedMessage = in.readUTF();

log4j-api/src/main/java/org/apache/logging/log4j/message/ObjectArrayMessage.java

@@ -21,6 +21,7 @@
 import java.io.ObjectOutputStream;
 import java.util.Arrays;
 import org.apache.logging.log4j.util.Constants;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Handles messages that contain an Object[].
@@ -117,6 +118,7 @@ public int hashCode() {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         array = (Object[]) in.readObject();
     }

log4j-api/src/main/java/org/apache/logging/log4j/message/SimpleMessage.java

@@ -21,6 +21,7 @@
 import java.io.ObjectOutputStream;
 import java.util.Objects;
 import org.apache.logging.log4j.util.StringBuilderFormattable;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * The simplest possible implementation of Message. It just returns the String given as the constructor argument.
@@ -152,6 +153,7 @@ private void writeObject(final ObjectOutputStream out) throws IOException {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         charSequence = message;
     }

log4j-api/src/main/java/org/apache/logging/log4j/message/StringFormattedMessage.java

@@ -24,6 +24,7 @@
 import java.util.Locale;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.status.StatusLogger;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Handles messages that consist of a format string conforming to {@link java.util.Formatter}.
@@ -172,6 +173,7 @@ private void writeObject(final ObjectOutputStream out) throws IOException {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         formattedMessage = in.readUTF();
         messagePattern = in.readUTF();

log4j-api/src/main/java/org/apache/logging/log4j/message/ThreadDumpMessage.java

@@ -33,6 +33,7 @@
 import org.apache.logging.log4j.util.ServiceLoaderUtil;
 import org.apache.logging.log4j.util.StringBuilderFormattable;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Captures information about all running Threads.
@@ -131,6 +132,7 @@ protected Object writeReplace() {
     }
 
     private void readObject(final ObjectInputStream stream) throws InvalidObjectException {
+        SerializationUtil.assertFiltered(stream);
         throw new InvalidObjectException("Proxy required");
     }
 

log4j-core/src/main/java/org/apache/logging/log4j/core/async/RingBufferLogEvent.java

@@ -45,6 +45,7 @@
 import org.apache.logging.log4j.util.StringBuilders;
 import org.apache.logging.log4j.util.StringMap;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * When the Disruptor is started, the RingBuffer is populated with event objects. These objects are then re-used during
@@ -450,6 +451,7 @@ private Object writeReplace() throws IOException {
     }
 
     private void readObject(final ObjectInputStream stream) throws InvalidObjectException {
+        SerializationUtil.assertFiltered(stream);
         throw new InvalidObjectException("Proxy required");
     }
 

log4j-core/src/main/java/org/apache/logging/log4j/core/impl/Log4jLogEvent.java

@@ -48,6 +48,7 @@
 import org.apache.logging.log4j.util.StackLocatorUtil;
 import org.apache.logging.log4j.util.StringMap;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Implementation of a LogEvent.
@@ -993,6 +994,7 @@ public static Log4jLogEvent deserialize(final Serializable event) {
     }
 
     private void readObject(final ObjectInputStream stream) throws InvalidObjectException {
+        SerializationUtil.assertFiltered(stream);
         throw new InvalidObjectException("Proxy required");
     }
 

log4j-core/src/main/java/org/apache/logging/log4j/core/impl/MutableLogEvent.java

@@ -41,6 +41,7 @@
 import org.apache.logging.log4j.util.StringBuilders;
 import org.apache.logging.log4j.util.StringMap;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Mutable implementation of the {@code LogEvent} interface.
@@ -493,6 +494,7 @@ protected Object writeReplace() {
     }
 
     private void readObject(final ObjectInputStream stream) throws InvalidObjectException {
+        SerializationUtil.assertFiltered(stream);
         throw new InvalidObjectException("Proxy required");
     }
 

log4j-core/src/main/java/org/apache/logging/log4j/core/util/datetime/FastDatePrinter.java

@@ -31,6 +31,7 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import org.apache.logging.log4j.core.util.Throwables;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * <p>FastDatePrinter is a fast and thread-safe version of
@@ -639,6 +640,7 @@ public String toString() {
      * @throws ClassNotFoundException if a class cannot be found.
      */
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         init();
     }

log4j-perf-test/src/main/java/org/apache/logging/log4j/perf/nogc/OpenHashStringMap.java

@@ -29,6 +29,7 @@
 import org.apache.logging.log4j.util.ReadOnlyStringMap;
 import org.apache.logging.log4j.util.StringMap;
 import org.apache.logging.log4j.util.TriConsumer;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Open hash map-based implementation of the {@code ReadOnlyStringMap} interface.
@@ -690,6 +691,7 @@ public int hashCode() {
 
     @SuppressWarnings("unchecked")
     private void readObject(final ObjectInputStream s) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(s);
         s.defaultReadObject();
         arraySize = HashCommon.arraySize(size, loadFactor);
         maxFill = HashCommon.maxFill(arraySize, loadFactor);

log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/Log4jLogger.java

@@ -26,6 +26,7 @@
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.apache.logging.log4j.message.SimpleMessage;
 import org.apache.logging.log4j.spi.ExtendedLogger;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 import org.slf4j.Marker;
 import org.slf4j.spi.LocationAwareLogger;
 
@@ -384,6 +385,7 @@ public String getName() {
      * the de-serialized object.
      */
     private void readObject(final ObjectInputStream aInputStream) throws ClassNotFoundException, IOException {
+        SerializationUtil.assertFiltered(aInputStream);
         // always perform the default de-serialization first
         aInputStream.defaultReadObject();
         logger = LogManager.getContext().getLogger(name);

log4j-slf4j2-impl/src/main/java/org/apache/logging/slf4j/Log4jLogger.java

@@ -26,6 +26,7 @@
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.apache.logging.log4j.message.SimpleMessage;
 import org.apache.logging.log4j.spi.ExtendedLogger;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 import org.slf4j.Marker;
 import org.slf4j.spi.LocationAwareLogger;
 import org.slf4j.spi.LoggingEventBuilder;
@@ -384,6 +385,7 @@ public String getName() {
      * the de-serialized object.
      */
     private void readObject(final ObjectInputStream aInputStream) throws ClassNotFoundException, IOException {
+        SerializationUtil.assertFiltered(aInputStream);
         // always perform the default de-serialization first
         aInputStream.defaultReadObject();
         logger = LogManager.getContext().getLogger(name);

src/changelog/.2.x.x/harden_message_deserialization.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns="https://logging.apache.org/xml/ns"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="
+           https://logging.apache.org/xml/ns
+           https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"
+       type="changed">
+    <description format="asciidoc">
+        Applied `SerializationUtil.assertFiltered()` consistently to every `private void readObject(ObjectInputStream)` across `log4j-api`, `log4j-core`, `log4j-1.2-api`, `log4j-slf4j-impl`, and `log4j-slf4j2-impl`. Defense-in-depth only; wire format is unchanged.
+    </description>
+</entry>