Harden ObjectArrayMessage deserialization with SerializationUtil.assertFiltered

log4j-1.2-api/src/main/java/org/apache/log4j/Level.java

@@ -25,6 +25,7 @@
 import java.io.Serializable;
 import org.apache.log4j.helpers.OptionConverter;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Defines the minimum set of levels recognized by the system, that is
@@ -214,6 +215,7 @@ public static Level toLevel(final String sArg, final Level defaultLevel) {
      * @throws ClassNotFoundException if class not found.
      */
     private void readObject(final ObjectInputStream s) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(s);
         s.defaultReadObject();
         level = s.readInt();
         syslogEquivalent = s.readInt();

log4j-1.2-api/src/test/java/org/apache/log4j/util/SerializationTestHelper.java

@@ -24,9 +24,14 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
+import java.util.Arrays;
+import java.util.Collection;
 import org.apache.commons.io.FileUtils;
+import org.apache.logging.log4j.util.Constants;
+import org.apache.logging.log4j.util.FilteredObjectInputStream;
 
 /**
  * Utiities for serialization tests.
@@ -103,11 +108,23 @@ public static void assertStreamEquals(
      * @throws Exception thrown on IO or deserialization exception.
      */
     public static Object deserializeStream(final String witness) throws Exception {
-        try (final ObjectInputStream objIs = new ObjectInputStream(new FileInputStream(witness))) {
+        try (final ObjectInputStream objIs = newObjectInputStream(new FileInputStream(witness))) {
             return objIs.readObject();
         }
     }
 
+    // FilteredObjectInputStream's default allow-list covers `org.apache.logging.log4j.` but not
+    // the `org.apache.log4j.` 1.2-compatibility namespace, so we have to enumerate the
+    // 1.2 classes that the tests in this module deserialize on Java 8.
+    private static final Collection<String> ALLOWED_LOG4J_1_2_CLASSES =
+            Arrays.asList("org.apache.log4j.Level", "org.apache.log4j.LevelTest$CustomLevel");
+
+    private static ObjectInputStream newObjectInputStream(final InputStream in) throws IOException {
+        return Constants.JAVA_MAJOR_VERSION == 8
+                ? new FilteredObjectInputStream(in, ALLOWED_LOG4J_1_2_CLASSES)
+                : new ObjectInputStream(in);
+    }
+
     /**
      * Creates a clone by serializing object and deserializing byte stream.
      *
@@ -123,7 +140,7 @@ public static Object serializeClone(final Object obj) throws IOException, ClassN
         }
 
         final ByteArrayInputStream src = new ByteArrayInputStream(memOut.toByteArray());
-        final ObjectInputStream objIs = new ObjectInputStream(src);
+        final ObjectInputStream objIs = newObjectInputStream(src);
 
         return objIs.readObject();
     }

log4j-api-test/src/main/java/org/apache/logging/log4j/test/SerializableMatchers.java

@@ -20,7 +20,7 @@
 import static org.hamcrest.core.IsInstanceOf.any;
 
 import java.io.Serializable;
-import org.apache.commons.lang3.SerializationUtils;
+import org.apache.logging.log4j.test.junit.SerialUtil;
 import org.hamcrest.FeatureMatcher;
 import org.hamcrest.Matcher;
 
@@ -35,7 +35,7 @@ public static <T extends Serializable> Matcher<T> serializesRoundTrip(final Matc
         return new FeatureMatcher<T, T>(matcher, "serializes round trip", "serializes round trip") {
             @Override
             protected T featureValueOf(final T actual) {
-                return SerializationUtils.roundtrip(actual);
+                return SerialUtil.deserialize(SerialUtil.serialize(actual));
             }
         };
     }

log4j-api-test/src/test/java/org/apache/logging/log4j/message/FormattedMessageTest.java

@@ -19,13 +19,9 @@
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
 import java.util.Locale;
 import org.apache.logging.log4j.test.junit.Mutable;
+import org.apache.logging.log4j.test.junit.SerialUtil;
 import org.apache.logging.log4j.util.Constants;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.parallel.ResourceAccessMode;
@@ -158,15 +154,9 @@ void testSafeAfterGetFormattedMessageIsCalled() { // LOG4J2-763
     }
 
     @Test
-    void testSerialization() throws IOException, ClassNotFoundException {
+    void testSerialization() {
         final FormattedMessage expected = new FormattedMessage("Msg", "a", "b", "c");
-        final ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        try (final ObjectOutputStream out = new ObjectOutputStream(baos)) {
-            out.writeObject(expected);
-        }
-        final ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
-        final ObjectInputStream in = new ObjectInputStream(bais);
-        final FormattedMessage actual = (FormattedMessage) in.readObject();
+        final FormattedMessage actual = SerialUtil.deserialize(SerialUtil.serialize(expected));
         assertEquals(expected, actual);
         assertEquals(expected.getFormat(), actual.getFormat());
         assertEquals(expected.getFormattedMessage(), actual.getFormattedMessage());

log4j-api-test/src/test/java/org/apache/logging/log4j/message/LocalizedMessageTest.java

@@ -18,10 +18,9 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
-import java.io.Serializable;
 import java.util.Locale;
-import org.apache.commons.lang3.SerializationUtils;
 import org.apache.logging.log4j.test.junit.Mutable;
+import org.apache.logging.log4j.test.junit.SerialUtil;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.parallel.ResourceAccessMode;
 import org.junit.jupiter.api.parallel.ResourceLock;
@@ -33,8 +32,8 @@
 @ResourceLock(value = Resources.LOCALE, mode = ResourceAccessMode.READ)
 class LocalizedMessageTest {
 
-    private <T extends Serializable> T roundtrip(final T msg) {
-        return SerializationUtils.roundtrip(msg);
+    private LocalizedMessage roundtrip(final LocalizedMessage msg) {
+        return SerialUtil.deserialize(SerialUtil.serialize(msg));
     }
 
     @Test

log4j-api-test/src/test/java/org/apache/logging/log4j/message/ObjectArrayMessageTest.java

@@ -19,6 +19,7 @@
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
 
+import org.apache.logging.log4j.test.junit.SerialUtil;
 import org.junit.jupiter.api.Test;
 
 /**
@@ -38,4 +39,16 @@ void testGetParameters() {
     void testGetThrowable() {
         assertNull(OBJECT_ARRAY_MESSAGE.getThrowable());
     }
+
+    /**
+     * Round-trips through a filtered stream (see {@link SerialUtil#getObjectInputStream})
+     * to verify that {@code readObject}'s new {@code SerializationUtil.assertFiltered}
+     * check accepts streams that carry a filter.
+     */
+    @Test
+    void testSerializableRoundTripThroughFilteredStream() {
+        final ObjectArrayMessage original = new ObjectArrayMessage("A", "B", "C");
+        final ObjectArrayMessage restored = SerialUtil.deserialize(SerialUtil.serialize(original));
+        assertArrayEquals(original.getParameters(), restored.getParameters());
+    }
 }

log4j-api-test/src/test/java/org/apache/logging/log4j/message/StringFormattedMessageTest.java

@@ -20,13 +20,9 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
 import java.util.Locale;
 import org.apache.logging.log4j.test.junit.Mutable;
+import org.apache.logging.log4j.test.junit.SerialUtil;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.parallel.ResourceAccessMode;
 import org.junit.jupiter.api.parallel.ResourceLock;
@@ -115,15 +111,9 @@ void testSafeAfterGetFormattedMessageIsCalled() { // LOG4J2-763
     }
 
     @Test
-    void testSerialization() throws IOException, ClassNotFoundException {
+    void testSerialization() {
         final StringFormattedMessage expected = new StringFormattedMessage("Msg", "a", "b", "c");
-        final ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        try (final ObjectOutputStream out = new ObjectOutputStream(baos)) {
-            out.writeObject(expected);
-        }
-        final ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
-        final ObjectInputStream in = new ObjectInputStream(bais);
-        final StringFormattedMessage actual = (StringFormattedMessage) in.readObject();
+        final StringFormattedMessage actual = SerialUtil.deserialize(SerialUtil.serialize(expected));
         assertEquals(expected, actual);
         assertEquals(expected.getFormat(), actual.getFormat());
         assertEquals(expected.getFormattedMessage(), actual.getFormattedMessage());

log4j-api/src/main/java/org/apache/logging/log4j/message/FormattedMessage.java

@@ -23,6 +23,7 @@
 import java.text.MessageFormat;
 import java.util.Arrays;
 import java.util.Locale;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Handles messages that contain a format String. Dynamically determines if the format conforms to
@@ -243,6 +244,7 @@ public int hashCode() {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         formattedMessage = in.readUTF();
         messagePattern = in.readUTF();

log4j-api/src/main/java/org/apache/logging/log4j/message/LocalizedMessage.java

@@ -23,6 +23,7 @@
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
 import org.apache.logging.log4j.status.StatusLogger;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Provides some level of compatibility with Log4j 1.x and convenience but is not the recommended way to Localize
@@ -283,6 +284,7 @@ private void writeObject(final ObjectOutputStream out) throws IOException {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         formattedMessage = in.readUTF();
         key = in.readUTF();

log4j-api/src/main/java/org/apache/logging/log4j/message/MessageFormatMessage.java

@@ -25,6 +25,7 @@
 import java.util.Locale;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.status.StatusLogger;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Handles messages that consist of a format string conforming to java.text.MessageFormat.
@@ -164,6 +165,7 @@ private void writeObject(final ObjectOutputStream out) throws IOException {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException {
+        SerializationUtil.assertFiltered(in);
         parameters = null;
         throwable = null;
         formattedMessage = in.readUTF();

log4j-api/src/main/java/org/apache/logging/log4j/message/ObjectArrayMessage.java

@@ -21,6 +21,7 @@
 import java.io.ObjectOutputStream;
 import java.util.Arrays;
 import org.apache.logging.log4j.util.Constants;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Handles messages that contain an Object[].
@@ -117,6 +118,7 @@ public int hashCode() {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         array = (Object[]) in.readObject();
     }

log4j-api/src/main/java/org/apache/logging/log4j/message/SimpleMessage.java

@@ -21,6 +21,7 @@
 import java.io.ObjectOutputStream;
 import java.util.Objects;
 import org.apache.logging.log4j.util.StringBuilderFormattable;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * The simplest possible implementation of Message. It just returns the String given as the constructor argument.
@@ -152,6 +153,7 @@ private void writeObject(final ObjectOutputStream out) throws IOException {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         charSequence = message;
     }

log4j-api/src/main/java/org/apache/logging/log4j/message/StringFormattedMessage.java

@@ -24,6 +24,7 @@
 import java.util.Locale;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.status.StatusLogger;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Handles messages that consist of a format string conforming to {@link java.util.Formatter}.
@@ -172,6 +173,7 @@ private void writeObject(final ObjectOutputStream out) throws IOException {
     }
 
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         formattedMessage = in.readUTF();
         messagePattern = in.readUTF();

log4j-api/src/main/java/org/apache/logging/log4j/message/ThreadDumpMessage.java

@@ -33,6 +33,7 @@
 import org.apache.logging.log4j.util.ServiceLoaderUtil;
 import org.apache.logging.log4j.util.StringBuilderFormattable;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Captures information about all running Threads.
@@ -131,6 +132,7 @@ protected Object writeReplace() {
     }
 
     private void readObject(final ObjectInputStream stream) throws InvalidObjectException {
+        SerializationUtil.assertFiltered(stream);
         throw new InvalidObjectException("Proxy required");
     }
 

log4j-core/src/main/java/org/apache/logging/log4j/core/async/RingBufferLogEvent.java

@@ -45,6 +45,7 @@
 import org.apache.logging.log4j.util.StringBuilders;
 import org.apache.logging.log4j.util.StringMap;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * When the Disruptor is started, the RingBuffer is populated with event objects. These objects are then re-used during
@@ -450,6 +451,7 @@ private Object writeReplace() throws IOException {
     }
 
     private void readObject(final ObjectInputStream stream) throws InvalidObjectException {
+        SerializationUtil.assertFiltered(stream);
         throw new InvalidObjectException("Proxy required");
     }
 

log4j-core/src/main/java/org/apache/logging/log4j/core/impl/Log4jLogEvent.java

@@ -48,6 +48,7 @@
 import org.apache.logging.log4j.util.StackLocatorUtil;
 import org.apache.logging.log4j.util.StringMap;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Implementation of a LogEvent.
@@ -993,6 +994,7 @@ public static Log4jLogEvent deserialize(final Serializable event) {
     }
 
     private void readObject(final ObjectInputStream stream) throws InvalidObjectException {
+        SerializationUtil.assertFiltered(stream);
         throw new InvalidObjectException("Proxy required");
     }
 

log4j-core/src/main/java/org/apache/logging/log4j/core/impl/MutableLogEvent.java

@@ -41,6 +41,7 @@
 import org.apache.logging.log4j.util.StringBuilders;
 import org.apache.logging.log4j.util.StringMap;
 import org.apache.logging.log4j.util.Strings;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Mutable implementation of the {@code LogEvent} interface.
@@ -493,6 +494,7 @@ protected Object writeReplace() {
     }
 
     private void readObject(final ObjectInputStream stream) throws InvalidObjectException {
+        SerializationUtil.assertFiltered(stream);
         throw new InvalidObjectException("Proxy required");
     }
 

log4j-core/src/main/java/org/apache/logging/log4j/core/util/datetime/FastDatePrinter.java

@@ -31,6 +31,7 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import org.apache.logging.log4j.core.util.Throwables;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * <p>FastDatePrinter is a fast and thread-safe version of
@@ -639,6 +640,7 @@ public String toString() {
      * @throws ClassNotFoundException if a class cannot be found.
      */
     private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(in);
         in.defaultReadObject();
         init();
     }

log4j-perf-test/src/main/java/org/apache/logging/log4j/perf/nogc/OpenHashStringMap.java

@@ -29,6 +29,7 @@
 import org.apache.logging.log4j.util.ReadOnlyStringMap;
 import org.apache.logging.log4j.util.StringMap;
 import org.apache.logging.log4j.util.TriConsumer;
+import org.apache.logging.log4j.util.internal.SerializationUtil;
 
 /**
  * Open hash map-based implementation of the {@code ReadOnlyStringMap} interface.
@@ -690,6 +691,7 @@ public int hashCode() {
 
     @SuppressWarnings("unchecked")
     private void readObject(final ObjectInputStream s) throws IOException, ClassNotFoundException {
+        SerializationUtil.assertFiltered(s);
         s.defaultReadObject();
         arraySize = HashCommon.arraySize(size, loadFactor);
         maxFill = HashCommon.maxFill(arraySize, loadFactor);