✨ Add compatibility with Java modules #9
Conversation
…ialization for tests (1cb7643 to 150e0e4)
| public static String encode(final String s) { | ||
| return Escape.html(s); | ||
| } | ||
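Review bot: `encode` does not say which output context it encodes for, while the body delegates to `Escape.html(s)`; a name such as `encodeForHtml` would make the context explicit at call sites, which matters because an HTML escaper is not a safe encoder for attribute, JavaScript or URL contexts. Nothing in this hunk shows how a null `s` is handled either; either document that null is accepted or add `Objects.requireNonNull(s, "s")` so the contract is explicit.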
I can't leave a comment on it, but the createSafeObjectInputStream() from this type I assumed would be in the Java 8 version of this class for the JAR, so that we could use it. This seems like it will be only available in Java 11.
I see a couple of solutions, but it seems like we should create a new type, SandboxingObjectInputStream that contains just that particular method, and leave this file as is. That way, everyone can access SandboxingObjectInputStream, and the ObjectInputFilter-related will only be in the 11 binary.
Oh, I hadn't noticed that, I saw the class name on ObjectInputFilters and just assumed the whole class was a Java 8 thing. I'll fix with the new type
test-apps/hello-world-modules/src/main/java/io/github/pixee/testapp/Main.java
| jacoco | ||
| `jvm-test-suite` | ||
| id("com.netflix.nebula.contacts") version "7.0.1" | ||
| id("com.netflix.nebula.source-jar") version "20.3.0" |
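Review bot: the two nebula plugin versions (`7.0.1` and `20.3.0`) are pinned inline in the plugins block; consider moving them into a Gradle version catalog (`gradle/libs.versions.toml`) so dependency-update tooling sees them and they are bumped in one place. `jacoco` and `jvm-test-suite` are core plugins and correctly carry no version.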
Mmmhmm. I definitely understand this. Nice!
haha - just the Netflix cocktail of plugins for creating a Maven release that passes Sonatype validation
…stapp/Main.java Co-authored-by: Arshan Dabirsiaghi <[email protected]>
| * href="https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html">OWASP | ||
| * Cheat Sheet</a>. | ||
| */ | ||
| public final class SafeObjectInputStream { |
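Review bot: `SafeObjectInputStream` is declared `final` but no private constructor is visible in this hunk; if the class only exposes static factories, add `private SafeObjectInputStream() {}` so it cannot be instantiated. The Javadoc link to the OWASP Deserialization Cheat Sheet is useful; consider adding one sentence stating what the returned stream actually rejects (types, depth, array sizes), since, as the naming discussion in this review notes, developers are less likely to adopt a `Safe*` helper when they cannot see what makes it safe.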
This API now feels pretty clunky:

```java
ObjectInputStream ois = SafeObjectInputStream.createSafeObjectInputStream(is);
```

I feel like it should be one of these:

```java
ObjectInputStream ois = LimitingObjectInputStream.from(is);
ObjectInputStream ois = ObjectInputStreams.disallowDangerousTypes(is);
```

I tried to avoid Safe* as a prefix for everything because although it may be "safe", if the developer doesn't understand how it's making it safe, I think there's less chance of them using it.
See the "Type and method names" section in CONTRIBUTING.md.
👍 I renamed to ObjectInputStreams to better align with ObjectInputFilters, but I want to limit the scope of this PR beyond what's necessary as we're already changing build system, adding multiple test suites, and introducing the multi-release JAR
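The factory this thread converges on, written out as an added illustration (not the project's own code) of how the Java 11 copy of such a type can install an `ObjectInputFilter` while the Java 8 copy in the base JAR stays filter-free. The class and method names follow the suggestions above; the allowlist approach, the depth and array limits, and the sample objects are my assumptions.

```java
import java.io.*;
import java.util.Date;
import java.util.Set;

// Hypothetical Java 11 copy (META-INF/versions/11) of such a factory; the Java 8 copy in the
// base JAR cannot reference ObjectInputFilter, which only exists since Java 9.
public final class ObjectInputStreams {
    private ObjectInputStreams() {}
    // Assumed limits on graph depth and array length to blunt resource-exhaustion payloads.
    private static final int MAX_DEPTH = 16;
    private static final int MAX_ARRAY = 10_000;

    // Returns a stream that only materialises classes in `allowed` (plus primitives).
    public static ObjectInputStream disallowDangerousTypes(InputStream in, Set<Class<?>> allowed)
            throws IOException {
        ObjectInputStream ois = new ObjectInputStream(in);   // constructor reads only the header
        ois.setObjectInputFilter(info -> {                   // must be installed before readObject()
            if (info.depth() > MAX_DEPTH || info.arrayLength() > MAX_ARRAY) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {                                 // callback without a class (ref/byte counts)
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) {                            // judge arrays by their element type
                c = c.getComponentType();
            }
            return c.isPrimitive() || allowed.contains(c)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        });
        return ois;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a String passes the allowlist, a Date is rejected.
        for (Object sample : new Object[] {"hello", new Date(0)}) {
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bytes)) {
                oos.writeObject(sample);
            }
            try (ObjectInputStream ois = disallowDangerousTypes(
                    new ByteArrayInputStream(bytes.toByteArray()), Set.of(String.class))) {
                System.out.println("accepted: " + ois.readObject());
            } catch (InvalidClassException e) {
                System.out.println("rejected " + sample.getClass().getName() + ": " + e.getMessage());
            }
        }
    }
}
```

A rejected class surfaces as `InvalidClassException` with message `filter status: REJECTED`, which is the signal a caller should log rather than swallow.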
11616e7 to 82333fe