👌 reane SafeObjectInputStream to ObjectInputStreams

Author: ryandens

src/main/java/io/github/pixee/security/SafeObjectInputStream.java renamed to src/main/java/io/github/pixee/security/ObjectInputStreams.java

@@ -14,12 +14,12 @@
  * href="https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html">OWASP
  * Cheat Sheet</a>.
  */
-public final class SafeObjectInputStream {
+public final class ObjectInputStreams {
 
     /**
      * Private no-op constructor to prevent accidental initialization of this class
      */
-    private SafeObjectInputStream() {}
+    private ObjectInputStreams() {}
 
     /**
      * This method returns a wrapped {@link ObjectInputStream} that protects against deserialization
@@ -29,19 +29,12 @@ private SafeObjectInputStream() {}
      * @return an {@link ObjectInputStream} which is safe against all publicly known gadgets
      * @throws IOException if the underlying creation of {@link ObjectInputStream} fails
      */
-    public static ObjectInputStream createSafeObjectInputStream(final InputStream ois)
+    public static ObjectInputStream createValidatingObjectInputStream(final InputStream ois)
             throws IOException {
-        try {
-            final ValidatingObjectInputStream is = new ValidatingObjectInputStream(ois);
-            for (String gadget : UnwantedTypes.dangerousClassNameTokens()) {
-                is.reject("*" + gadget + "*");
-            }
-            return is;
-        } catch (IOException e) {
-            // ignored
+        final ValidatingObjectInputStream is = new ValidatingObjectInputStream(ois);
+        for (String gadget : UnwantedTypes.dangerousClassNameTokens()) {
+            is.reject("*" + gadget + "*");
         }
-
-        // if for some reason we can't replace it, we'll pass it back as it was given
-        return new ObjectInputStream(ois);
+        return is;
     }
 }

src/test/java/io/github/pixee/security/SafeObjectInputStreamTest.java renamed to src/test/java/io/github/pixee/security/ObjectInputStreamsTest.java

@@ -15,7 +15,7 @@
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.fail;
 
-final class SafeObjectInputStreamTest {
+final class ObjectInputStreamsTest {
 
     private static DiskFileItem gadget; // this is an evil gadget type
     private static byte[] serializedGadget; // this the serialized bytes of that gadget
@@ -41,7 +41,7 @@ static void setup() throws IOException {
     @Test
     void validating_ois_works() throws Exception {
         ObjectInputStream ois =
-                SafeObjectInputStream.createSafeObjectInputStream(new ByteArrayInputStream(serializedGadget));
+                ObjectInputStreams.createValidatingObjectInputStream(new ByteArrayInputStream(serializedGadget));
         assertThrows(
                 InvalidClassException.class,
                 () -> {