diff --git a/opengrok-indexer/src/main/java/org/opengrok/indexer/history/AnnotationDataClassLoader.java b/opengrok-indexer/src/main/java/org/opengrok/indexer/history/AnnotationDataClassLoader.java
deleted file mode 100644
index 8f49d4f9dee..00000000000
--- a/opengrok-indexer/src/main/java/org/opengrok/indexer/history/AnnotationDataClassLoader.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * See LICENSE.txt included in this distribution for the specific
- * language governing permissions and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at LICENSE.txt.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-
-/*
- * Copyright (c) 2021, 2022, Oracle and/or its affiliates. All rights reserved.
- */
-package org.opengrok.indexer.history;
-
-import java.beans.XMLDecoder;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Set;
-import java.util.stream.Collectors;
-
-/**
- * Temporary hack to prevent {@link XMLDecoder} to deserialize other than allowed classes. This tries to prevent
- * calling of methods on {@link ProcessBuilder} or {@link Runtime} (or similar) which could be used for code execution.
- */
-public class AnnotationDataClassLoader extends ClassLoader {
- private static final Set allowedClasses = Set.of(
- ArrayList.class,
- Collections.class,
- AnnotationData.class,
- AnnotationLine.class,
- String.class,
- XMLDecoder.class
- ).stream().map(java.lang.Class::getName).collect(Collectors.toSet());
-
- @Override
- public Class loadClass(final String name) throws ClassNotFoundException {
- if (!allowedClasses.contains(name)) {
- throw new IllegalAccessError(name + " is not allowed to be used in AnnotationData object");
- }
-
- return getClass().getClassLoader().loadClass(name);
- }
-
-}
diff --git a/opengrok-indexer/src/main/java/org/opengrok/indexer/history/HistoryClassLoader.java b/opengrok-indexer/src/main/java/org/opengrok/indexer/history/HistoryClassLoader.java
deleted file mode 100644
index 7b72487905d..00000000000
--- a/opengrok-indexer/src/main/java/org/opengrok/indexer/history/HistoryClassLoader.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * See LICENSE.txt included in this distribution for the specific
- * language governing permissions and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at LICENSE.txt.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-
-/*
- * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
- */
-package org.opengrok.indexer.history;
-
-import java.beans.XMLDecoder;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Set;
-import java.util.TreeSet;
-import java.util.stream.Collectors;
-
-/**
- * Temporary hack to prevent {@link XMLDecoder} to deserialize other than allowed classes. This tries to prevent
- * calling of methods on {@link ProcessBuilder} or {@link Runtime} (or similar) which could be used for code execution.
- */
-public class HistoryClassLoader extends ClassLoader {
-
- private static final Set allowedClasses = Set.of(
- ArrayList.class,
- Collections.class,
- Date.class,
- HashMap.class,
- History.class,
- HistoryEntry.class,
- RepositoryInfo.class,
- String.class,
- TreeSet.class,
- XMLDecoder.class
- ).stream().map(Class::getName).collect(Collectors.toSet());
-
- @Override
- public Class loadClass(final String name) throws ClassNotFoundException {
- if (!allowedClasses.contains(name)) {
- throw new IllegalAccessError(name + " is not allowed to be used in History object");
- }
-
- return getClass().getClassLoader().loadClass(name);
- }
-}
\ No newline at end of file