From: Markus Koschany <apo@debian.org>
Date: Sat, 2 Oct 2021 13:25:35 +0200
Subject: enable-security-whitelist-by-default

---
 .../src/java/com/thoughtworks/xstream/XStream.java | 180 ++++++++++-----------
 1 file changed, 84 insertions(+), 96 deletions(-)

diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index 8415da2..d5633eb 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -642,113 +642,101 @@ public class XStream {
             return;
         }
 
-        addPermission(AnyTypePermission.ANY);
-        denyTypes(new String[]{
-            "java.beans.EventHandler", //
-            "java.lang.ProcessBuilder", //
-            "javax.imageio.ImageIO$ContainsFilter", //
-            "jdk.nashorn.internal.objects.NativeString" });
-        denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
-        allowTypeHierarchy(Exception.class);
-        securityInitialized = false;
+        addPermission(NoTypePermission.NONE);
+        addPermission(NullPermission.NULL);
+        addPermission(PrimitiveTypePermission.PRIMITIVES);
+        addPermission(ArrayTypePermission.ARRAYS);
+        addPermission(InterfaceTypePermission.INTERFACES);
+        allowTypeHierarchy(Calendar.class);
+        allowTypeHierarchy(Collection.class);
+        allowTypeHierarchy(Map.class);
+        allowTypeHierarchy(Map.Entry.class);
+        allowTypeHierarchy(Member.class);
+        allowTypeHierarchy(Number.class);
+        allowTypeHierarchy(Throwable.class);
+        allowTypeHierarchy(TimeZone.class);
+
+        Class type = JVM.loadClassForName("java.lang.Enum");
+        if (type != null) {
+            allowTypeHierarchy(type);
+        }
+        type = JVM.loadClassForName("java.nio.file.Path");
+        if (type != null) {
+            allowTypeHierarchy(type);
+        }
+
+        final Set types = new HashSet();
+        types.add(BitSet.class);
+        types.add(Charset.class);
+        types.add(Class.class);
+        types.add(Currency.class);
+        types.add(Date.class);
+        types.add(DecimalFormatSymbols.class);
+        types.add(File.class);
+        types.add(Locale.class);
+        types.add(Object.class);
+        types.add(Pattern.class);
+        types.add(StackTraceElement.class);
+        types.add(String.class);
+        types.add(StringBuffer.class);
+        types.add(JVM.loadClassForName("java.lang.StringBuilder"));
+        types.add(URL.class);
+        types.add(URI.class);
+        types.add(JVM.loadClassForName("java.util.UUID"));
+        if (JVM.isSQLAvailable()) {
+            types.add(JVM.loadClassForName("java.sql.Timestamp"));
+            types.add(JVM.loadClassForName("java.sql.Time"));
+            types.add(JVM.loadClassForName("java.sql.Date"));
+        }
+        if (JVM.isVersion(8)) {
+            allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
+            types.add(JVM.loadClassForName("java.time.Duration"));
+            types.add(JVM.loadClassForName("java.time.Instant"));
+            types.add(JVM.loadClassForName("java.time.LocalDate"));
+            types.add(JVM.loadClassForName("java.time.LocalDateTime"));
+            types.add(JVM.loadClassForName("java.time.LocalTime"));
+            types.add(JVM.loadClassForName("java.time.MonthDay"));
+            types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
+            types.add(JVM.loadClassForName("java.time.OffsetTime"));
+            types.add(JVM.loadClassForName("java.time.Period"));
+            types.add(JVM.loadClassForName("java.time.Ser"));
+            types.add(JVM.loadClassForName("java.time.Year"));
+            types.add(JVM.loadClassForName("java.time.YearMonth"));
+            types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
+            allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
+            types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
+            types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
+            types.add(JVM.loadClassForName("java.time.chrono.Ser"));
+            allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
+            types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
+            types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
+        }
+        types.remove(null);
+
+        final Iterator iter = types.iterator();
+        final Class[] classes = new Class[types.size()];
+        for (int i = 0; i < classes.length; ++i) {
+            classes[i] = (Class)iter.next();
+        }
+        allowTypes(classes);
+
     }
 
     /**
      * Setup the security framework of a XStream instance.
      * <p>
-     * This method is a pure helper method for XStream 1.4.x. It initializes an XStream instance with a white list of
-     * well-known and simply types of the Java runtime as it is done in XStream 1.5.x by default. This method will do
-     * therefore nothing in XStream 1.5.
+     * This method was a pure helper method for XStream 1.4.10 to 1.4.17.  It initialized an XStream instance with a
+     * whitelist of well-known and simply types of the Java runtime as it is done in XStream 1.4.11 by default.  This
+     * method will do therefore nothing in XStream 1.4.11 or higher.
      * </p>
      * 
      * @param xstream
      * @since 1.4.10
      */
     public static void setupDefaultSecurity(final XStream xstream) {
-        if (!xstream.securityInitialized) {
-            xstream.addPermission(NoTypePermission.NONE);
-            xstream.addPermission(NullPermission.NULL);
-            xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
-            xstream.addPermission(ArrayTypePermission.ARRAYS);
-            xstream.addPermission(InterfaceTypePermission.INTERFACES);
-            xstream.allowTypeHierarchy(Calendar.class);
-            xstream.allowTypeHierarchy(Collection.class);
-            xstream.allowTypeHierarchy(Map.class);
-            xstream.allowTypeHierarchy(Map.Entry.class);
-            xstream.allowTypeHierarchy(Member.class);
-            xstream.allowTypeHierarchy(Number.class);
-            xstream.allowTypeHierarchy(Throwable.class);
-            xstream.allowTypeHierarchy(TimeZone.class);
-
-            Class type = JVM.loadClassForName("java.lang.Enum");
-            if (type != null) {
-                xstream.allowTypeHierarchy(type);
-            }
-            type = JVM.loadClassForName("java.nio.file.Path");
-            if (type != null) {
-                xstream.allowTypeHierarchy(type);
-            }
-
-            final Set types = new HashSet();
-            types.add(BitSet.class);
-            types.add(Charset.class);
-            types.add(Class.class);
-            types.add(Currency.class);
-            types.add(Date.class);
-            types.add(DecimalFormatSymbols.class);
-            types.add(File.class);
-            types.add(Locale.class);
-            types.add(Object.class);
-            types.add(Pattern.class);
-            types.add(StackTraceElement.class);
-            types.add(String.class);
-            types.add(StringBuffer.class);
-            types.add(JVM.loadClassForName("java.lang.StringBuilder"));
-            types.add(URL.class);
-            types.add(URI.class);
-            types.add(JVM.loadClassForName("java.util.UUID"));
-            if (JVM.isSQLAvailable()) {
-                types.add(JVM.loadClassForName("java.sql.Timestamp"));
-                types.add(JVM.loadClassForName("java.sql.Time"));
-                types.add(JVM.loadClassForName("java.sql.Date"));
-            }
-            if (JVM.isVersion(8)) {
-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
-                types.add(JVM.loadClassForName("java.time.Duration"));
-                types.add(JVM.loadClassForName("java.time.Instant"));
-                types.add(JVM.loadClassForName("java.time.LocalDate"));
-                types.add(JVM.loadClassForName("java.time.LocalDateTime"));
-                types.add(JVM.loadClassForName("java.time.LocalTime"));
-                types.add(JVM.loadClassForName("java.time.MonthDay"));
-                types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
-                types.add(JVM.loadClassForName("java.time.OffsetTime"));
-                types.add(JVM.loadClassForName("java.time.Period"));
-                types.add(JVM.loadClassForName("java.time.Ser"));
-                types.add(JVM.loadClassForName("java.time.Year"));
-                types.add(JVM.loadClassForName("java.time.YearMonth"));
-                types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
-                types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
-                types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
-                types.add(JVM.loadClassForName("java.time.chrono.Ser"));
-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
-                types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
-                types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
-            }
-            types.remove(null);
-
-            final Iterator iter = types.iterator();
-            final Class[] classes = new Class[types.size()];
-            for (int i = 0; i < classes.length; ++i) {
-                classes[i] = (Class)iter.next();
-            }
-            xstream.allowTypes(classes);
-        } else {
-            throw new IllegalArgumentException("Security framework of XStream instance already initialized");
-        }
     }
 
     protected void setupAliases() {
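Review bot: The updated Javadoc on setupDefaultSecurity contradicts itself: the first sentence says the helper served "XStream 1.4.10 to 1.4.17", but the next two say the whitelist is default and the method a no-op "in XStream 1.4.11 or higher", which would make it a no-op for most of the range it claims to have served; the second and third sentences should name the release that actually makes the whitelist the default (the one after 1.4.17 that this patch backports), e.g. `as it is done in XStream <TARGET-VERSION> by default.  This method will do therefore nothing in XStream <TARGET-VERSION> or higher.`, and "simply types" should read "simple types". Separately, the new setupSecurity body guards the result of JVM.loadClassForName for java.lang.Enum and java.nio.file.Path before calling allowTypeHierarchy, but passes the unguarded result straight in for java.time.Clock, java.time.ZoneId and java.time.chrono.Chronology; those calls sit under JVM.isVersion(8) so the classes should resolve, yet a null there is not covered by the later `types.remove(null)` the way the set entries are, so a `if (type != null)` guard would keep the two styles consistent. The hunk also stops assigning securityInitialized; if that field is still read elsewhere in the class (for instance to decide on a missing-security warning), it now keeps only its initializer value, which is worth confirming. The method containing the first part of the hunk begins before the hunk header.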
