qos-ch · bvahdat · Nov 27, 2023 · Nov 27, 2023 · Nov 27, 2023 · jebeaudet
diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java b/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java
@@ -14,6 +14,7 @@
 package ch.qos.logback.classic.spi;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
@@ -25,6 +26,7 @@
 import ch.qos.logback.classic.Level;
 
 // http://www.riehle.org/computer-science/research/1998/ubilab-tr-1998-10-1.html
+// See also the paper https://www.riehle.org/computer-science/research/1998/ubilab-tr-1998-10-1.pdf
 
 /**
  * A read-only and serializable implementation of {@link ILoggingEvent}.
@@ -38,6 +40,7 @@ public class LoggingEventVO implements ILoggingEvent, Serializable {
 
     private static final int NULL_ARGUMENT_ARRAY = -1;
     private static final String NULL_ARGUMENT_ARRAY_ELEMENT = "NULL_ARGUMENT_ARRAY_ELEMENT";
+    private static final int ARGUMENT_ARRAY_DESERIALIZATION_LIMIT = 128;
 
     private String threadName;
     private String loggerName;
@@ -181,6 +184,12 @@ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundE
         level = Level.toLevel(levelInt);
 
         int argArrayLen = in.readInt();
+
+        // Prevent DOS attacks via large or negative arrays
+        if (argArrayLen < NULL_ARGUMENT_ARRAY || argArrayLen > ARGUMENT_ARRAY_DESERIALIZATION_LIMIT) {
+            throw new InvalidObjectException("Argument array length is invalid: " + argArrayLen);
+        }
+
         if (argArrayLen != NULL_ARGUMENT_ARRAY) {
             argumentArray = new String[argArrayLen];
             for (int i = 0; i < argArrayLen; i++) {

diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
@@ -20,20 +20,22 @@
  */
 public class HardenedObjectInputStream extends ObjectInputStream {
 
-    final List<String> whitelistedClassNames;
-    final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" };
+    final private List<String> whitelistedClassNames;
+    final private static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" };
+    final private static int DEPTH_LIMIT = 16;
+    final private static int ARRAY_LIMIT = 10000;
 
-    public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException {
+    public HardenedObjectInputStream(InputStream in, String[] whitelist) throws IOException {
         super(in);
-
         this.whitelistedClassNames = new ArrayList<String>();
-        if (whilelist != null) {
-            for (int i = 0; i < whilelist.length; i++) {
-                this.whitelistedClassNames.add(whilelist[i]);
+        if (whitelist != null) {
+            for (int i = 0; i < whitelist.length; i++) {
+                this.whitelistedClassNames.add(whitelist[i]);
             }
         }
     }
 
+
     public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException {
         super(in);