!17 update xstream to 1.4.16
From: @jackie_wu123 Reviewed-by: @ultra_planet,@wangchong1995924 Signed-off-by: @wangchong1995924
This commit is contained in:
openeuler-ci-bot
Gitee
commit
205892164c
@ -1,146 +0,0 @@
|
||||
From 0fec095d534126931c99fd38e9c6d41f5c685c1a Mon Sep 17 00:00:00 2001
|
||||
From: joehni <joerg.schaible@gmx.de>
|
||||
Date: Thu, 24 Sep 2020 01:56:49 +0200
|
||||
Subject: [PATCH] Fix for CVE-2017-9805 CVE-2020-26217
|
||||
|
||||
---
|
||||
.../com/thoughtworks/xstream/XStream.java | 2 +-
|
||||
.../acceptance/SecurityVulnerabilityTest.java | 118 +++++++++++++-----
|
||||
2 files changed, 91 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
index 81dbf40..692243e 100644
|
||||
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
@@ -698,7 +698,7 @@ public class XStream {
|
||||
}
|
||||
|
||||
addPermission(AnyTypePermission.ANY);
|
||||
- denyTypes(new String[]{"java.beans.EventHandler"});
|
||||
+ denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
|
||||
denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
|
||||
allowTypeHierarchy(Exception.class);
|
||||
securityInitialized = false;
|
||||
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
||||
index 213f308..309c146 100644
|
||||
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
||||
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (C) 2013, 2014, 2017, 2018 XStream Committers.
|
||||
+ * Copyright (C) 2013, 2014, 2017, 2018, 2020 XStream Committers.
|
||||
* All rights reserved.
|
||||
*
|
||||
* The software in this package is published under the terms of the BSD
|
||||
@@ -11,14 +11,14 @@
|
||||
package com.thoughtworks.acceptance;
|
||||
|
||||
import java.beans.EventHandler;
|
||||
+import java.util.Iterator;
|
||||
|
||||
import com.thoughtworks.xstream.XStream;
|
||||
import com.thoughtworks.xstream.XStreamException;
|
||||
import com.thoughtworks.xstream.converters.ConversionException;
|
||||
-import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
|
||||
+import com.thoughtworks.xstream.core.JVM;
|
||||
import com.thoughtworks.xstream.security.AnyTypePermission;
|
||||
import com.thoughtworks.xstream.security.ForbiddenClassException;
|
||||
-import com.thoughtworks.xstream.security.ProxyTypePermission;
|
||||
|
||||
|
||||
/**
|
||||
@@ -32,8 +32,9 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
|
||||
super.setUp();
|
||||
BUFFER.setLength(0);
|
||||
xstream.alias("runnable", Runnable.class);
|
||||
- xstream.allowTypeHierarchy(Runnable.class);
|
||||
- xstream.addPermission(ProxyTypePermission.PROXIES);
|
||||
+ }
|
||||
+
|
||||
+ protected void setupSecurity(XStream xstream){
|
||||
}
|
||||
|
||||
public void testCannotInjectEventHandler() {
|
||||
@@ -58,7 +59,6 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
|
||||
}
|
||||
|
||||
public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
|
||||
- xstream = new XStream(createDriver());
|
||||
xstream.alias("runnable", Runnable.class);
|
||||
final String xml = ""
|
||||
+ "<string class='runnable-array'>\n"
|
||||
@@ -102,6 +102,71 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
|
||||
assertEquals("Executed!", BUFFER.toString());
|
||||
}
|
||||
|
||||
+ public void testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework() {
|
||||
+ if (JVM.isVersion(7)) {
|
||||
+ final String xml = ""
|
||||
+ + "<string class='javax.imageio.spi.FilterIterator'>\n"
|
||||
+ + " <iter class='java.util.ArrayList$Itr'>\n"
|
||||
+ + " <cursor>0</cursor>\n"
|
||||
+ + " <lastRet>1</lastRet>\n"
|
||||
+ + " <expectedModCount>1</expectedModCount>\n"
|
||||
+ + " <outer-class>\n"
|
||||
+ + " <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
|
||||
+ + " </outer-class>\n"
|
||||
+ + " </iter>\n"
|
||||
+ + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
|
||||
+ + " <method>\n"
|
||||
+ + " <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
|
||||
+ + " <name>exec</name>\n"
|
||||
+ + " <parameter-types/>\n"
|
||||
+ + " </method>\n"
|
||||
+ + " <name>exec</name>\n"
|
||||
+ + " </filter>\n"
|
||||
+ + " <next/>\n"
|
||||
+ + "</string>";
|
||||
+
|
||||
+ try {
|
||||
+ xstream.fromXML(xml);
|
||||
+ fail("Thrown " + XStreamException.class.getName() + " expected");
|
||||
+ } catch (final XStreamException e) {
|
||||
+ assertTrue(e.getMessage().indexOf("javax.imageio.ImageIO$ContainsFilter") >= 0);
|
||||
+ }
|
||||
+ assertEquals(0, BUFFER.length());
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ public void testExplicitlyConvertImageIOContainsFilter() {
|
||||
+ if (JVM.isVersion(7)) {
|
||||
+ final String xml = ""
|
||||
+ + "<string class='javax.imageio.spi.FilterIterator'>\n"
|
||||
+ + " <iter class='java.util.ArrayList$Itr'>\n"
|
||||
+ + " <cursor>0</cursor>\n"
|
||||
+ + " <lastRet>1</lastRet>\n"
|
||||
+ + " <expectedModCount>1</expectedModCount>\n"
|
||||
+ + " <outer-class>\n"
|
||||
+ + " <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
|
||||
+ + " </outer-class>\n"
|
||||
+ + " </iter>\n"
|
||||
+ + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
|
||||
+ + " <method>\n"
|
||||
+ + " <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
|
||||
+ + " <name>exec</name>\n"
|
||||
+ + " <parameter-types/>\n"
|
||||
+ + " </method>\n"
|
||||
+ + " <name>exec</name>\n"
|
||||
+ + " </filter>\n"
|
||||
+ + " <next/>\n"
|
||||
+ + "</string>";
|
||||
+
|
||||
+ xstream.allowTypes(new String[]{"javax.imageio.ImageIO$ContainsFilter"});
|
||||
+
|
||||
+ final Iterator iterator = (Iterator)xstream.fromXML(xml);
|
||||
+ assertEquals(0, BUFFER.length());
|
||||
+ iterator.next();
|
||||
+ assertEquals("Executed!", BUFFER.toString());
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
public static class Exec {
|
||||
|
||||
public void exec() {
|
||||
--
|
||||
2.23.0
|
||||
|
||||
@ -1,25 +0,0 @@
|
||||
From f391169515d77446e94da4836eb65adfbc8acfa2 Mon Sep 17 00:00:00 2001
|
||||
Date: Mon, 11 Jan 2021 17:32:52 +0800
|
||||
Subject: [PATCH] Fix and document CVE-2020-26258.
|
||||
|
||||
|
||||
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
index 692243e..8a4b104 100644
|
||||
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
@@ -698,7 +698,11 @@ public class XStream {
|
||||
}
|
||||
|
||||
addPermission(AnyTypePermission.ANY);
|
||||
- denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
|
||||
+ denyTypes(new String[]{
|
||||
+ "java.beans.EventHandler", //
|
||||
+ "java.lang.ProcessBuilder", //
|
||||
+ "javax.imageio.ImageIO$ContainsFilter", //
|
||||
+ "jdk.nashorn.internal.objects.NativeString"});
|
||||
denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
|
||||
allowTypeHierarchy(Exception.class);
|
||||
securityInitialized = false;
|
||||
--
|
||||
2.23.0
|
||||
|
||||
@ -1,199 +0,0 @@
|
||||
From aacd07da7e2be020ef2924153838c7b0a05b596f Mon Sep 17 00:00:00 2001
|
||||
Date: Mon, 11 Jan 2021 18:00:38 +0800
|
||||
Subject: [PATCH] fix CVE-2020-26259
|
||||
|
||||
|
||||
diff --git a/pom.xml b/pom.xml
|
||||
index e6fc1a1..15ff064 100644
|
||||
--- a/pom.xml
|
||||
+++ b/pom.xml
|
||||
@@ -546,6 +546,11 @@
|
||||
<artifactId>jaxb-api</artifactId>
|
||||
<version>${version.javax.xml.bind.api}</version>
|
||||
</dependency>
|
||||
+ <dependency>
|
||||
+ <groupId>com.sun.xml.ws</groupId>
|
||||
+ <artifactId>jaxws-rt</artifactId>
|
||||
+ <version>${version.javax.xml.ws.jaxws.rt}</version>
|
||||
+ </dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>org.hibernate</groupId>
|
||||
@@ -905,6 +910,7 @@
|
||||
<version.javax.activation>1.1.1</version.javax.activation>
|
||||
<version.javax.annotation.api>1.3.2</version.javax.annotation.api>
|
||||
<version.javax.xml.bind.api>2.3.1</version.javax.xml.bind.api>
|
||||
+ <version.javax.xml.ws.jaxws.rt>2.2</version.javax.xml.ws.jaxws.rt><!-- Java 5 -->
|
||||
<version.jmock>1.0.1</version.jmock>
|
||||
<version.joda-time>1.6</version.joda-time>
|
||||
<version.junit>3.8.1</version.junit>
|
||||
diff --git a/xstream/pom.xml b/xstream/pom.xml
|
||||
index 525425a..6543ff7 100644
|
||||
--- a/xstream/pom.xml
|
||||
+++ b/xstream/pom.xml
|
||||
@@ -144,6 +144,54 @@
|
||||
<artifactId>commons-lang</artifactId>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
+
|
||||
+ <dependency>
|
||||
+ <groupId>com.sun.xml.ws</groupId>
|
||||
+ <artifactId>jaxws-rt</artifactId>
|
||||
+ <scope>test</scope>
|
||||
+ <exclusions>
|
||||
+ <exclusion>
|
||||
+ <groupId>javax.xml.ws</groupId>
|
||||
+ <artifactId>jaxws-api</artifactId>
|
||||
+ </exclusion>
|
||||
+ <exclusion>
|
||||
+ <groupId>com.sun.istack</groupId>
|
||||
+ <artifactId>istack-commons-runtime</artifactId>
|
||||
+ </exclusion>
|
||||
+ <exclusion>
|
||||
+ <groupId>com.sun.xml.bind</groupId>
|
||||
+ <artifactId>jaxb-impl</artifactId>
|
||||
+ </exclusion>
|
||||
+ <exclusion>
|
||||
+ <groupId>com.sun.xml.messaging.saaj</groupId>
|
||||
+ <artifactId>saaj-impl</artifactId>
|
||||
+ </exclusion>
|
||||
+ <exclusion>
|
||||
+ <groupId>com.sun.xml.stream.buffer</groupId>
|
||||
+ <artifactId>streambuffer</artifactId>
|
||||
+ </exclusion>
|
||||
+ <exclusion>
|
||||
+ <groupId>com.sun.xml.ws</groupId>
|
||||
+ <artifactId>policy</artifactId>
|
||||
+ </exclusion>
|
||||
+ <exclusion>
|
||||
+ <groupId>com.sun.org.apache.xml.internal</groupId>
|
||||
+ <artifactId>resolver</artifactId>
|
||||
+ </exclusion>
|
||||
+ <exclusion>
|
||||
+ <groupId>org.glassfish.gmbal</groupId>
|
||||
+ <artifactId>gmbal-api-only</artifactId>
|
||||
+ </exclusion>
|
||||
+ <exclusion>
|
||||
+ <groupId>org.jvnet</groupId>
|
||||
+ <artifactId>mimepull</artifactId>
|
||||
+ </exclusion>
|
||||
+ <exclusion>
|
||||
+ <groupId>org.jvnet.staxex</groupId>
|
||||
+ <artifactId>stax-ex</artifactId>
|
||||
+ </exclusion>
|
||||
+ </exclusions>
|
||||
+ </dependency>
|
||||
</dependencies>
|
||||
|
||||
<build>
|
||||
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
index 8a4b104..57cf804 100644
|
||||
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
@@ -356,6 +356,7 @@ public class XStream {
|
||||
private static final Pattern IGNORE_ALL = Pattern.compile(".*");
|
||||
private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
|
||||
private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
|
||||
+ private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
|
||||
|
||||
/**
|
||||
* Constructs a default XStream.
|
||||
@@ -702,8 +703,8 @@ public class XStream {
|
||||
"java.beans.EventHandler", //
|
||||
"java.lang.ProcessBuilder", //
|
||||
"javax.imageio.ImageIO$ContainsFilter", //
|
||||
- "jdk.nashorn.internal.objects.NativeString"});
|
||||
- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
|
||||
+ "jdk.nashorn.internal.objects.NativeString" });
|
||||
+ denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
|
||||
allowTypeHierarchy(Exception.class);
|
||||
securityInitialized = false;
|
||||
}
|
||||
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
||||
index 309c146..7604aa5 100644
|
||||
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
||||
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
||||
@@ -11,6 +11,11 @@
|
||||
package com.thoughtworks.acceptance;
|
||||
|
||||
import java.beans.EventHandler;
|
||||
+import java.io.File;
|
||||
+import java.io.FileOutputStream;
|
||||
+import java.io.IOException;
|
||||
+import java.io.InputStream;
|
||||
+import java.io.OutputStream;
|
||||
import java.util.Iterator;
|
||||
|
||||
import com.thoughtworks.xstream.XStream;
|
||||
@@ -214,4 +219,68 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
|
||||
// OK
|
||||
}
|
||||
}
|
||||
+
|
||||
+ public void testCannotUseJaxwsInputStreamToDeleteFile() {
|
||||
+ if (JVM.isVersion(5)) {
|
||||
+ final String xml = ""
|
||||
+ + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
|
||||
+ + " <tempFile>target/junit/test.txt</tempFile>\n"
|
||||
+ + "</is>";
|
||||
+
|
||||
+ xstream.aliasType("is", InputStream.class);
|
||||
+ try {
|
||||
+ xstream.fromXML(xml);
|
||||
+ fail("Thrown " + ConversionException.class.getName() + " expected");
|
||||
+ } catch (final ForbiddenClassException e) {
|
||||
+ // OK
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
|
||||
+ if (JVM.isVersion(5)) {
|
||||
+ final File testDir = new File("target/junit");
|
||||
+ final File testFile = new File(testDir, "test.txt");
|
||||
+ try {
|
||||
+ testDir.mkdirs();
|
||||
+
|
||||
+ final OutputStream out = new FileOutputStream(testFile);
|
||||
+ out.write("JUnit".getBytes());
|
||||
+ out.flush();
|
||||
+ out.close();
|
||||
+
|
||||
+ assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
|
||||
+
|
||||
+ final String xml = ""
|
||||
+ + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
|
||||
+ + " <tempFile>target/junit/test.txt</tempFile>\n"
|
||||
+ + "</is>";
|
||||
+
|
||||
+ xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
|
||||
+ xstream.aliasType("is", InputStream.class);
|
||||
+
|
||||
+ InputStream is = null;
|
||||
+ try {
|
||||
+ is = (InputStream)xstream.fromXML(xml);
|
||||
+ } catch (final ForbiddenClassException e) {
|
||||
+ // OK
|
||||
+ }
|
||||
+
|
||||
+ assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
|
||||
+
|
||||
+ byte[] data = new byte[10];
|
||||
+ is.read(data);
|
||||
+ is.close();
|
||||
+
|
||||
+ assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
|
||||
+ } finally {
|
||||
+ if (testFile.exists()) {
|
||||
+ testFile.delete();
|
||||
+ }
|
||||
+ if (testDir.exists()) {
|
||||
+ testDir.delete();
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
--
|
||||
2.23.0
|
||||
|
||||
@ -1,164 +0,0 @@
|
||||
From 51abe602e09016c8e43e91325a15226022f4da46 Mon Sep 17 00:00:00 2001
|
||||
From: joehni <joerg.schaible@gmx.de>
|
||||
Date: Wed, 2 Sep 2020 00:38:51 +0200
|
||||
Subject: [PATCH] New predefined blacklist avoids vulnerability due to improper
|
||||
setup of the security framework. Closes #207.
|
||||
|
||||
---
|
||||
.../com/thoughtworks/xstream/XStream.java | 37 +++++--------------
|
||||
.../acceptance/SecurityVulnerabilityTest.java | 29 +++++++++++++--
|
||||
2 files changed, 36 insertions(+), 30 deletions(-)
|
||||
|
||||
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
index 4eb2e33a..72e32c6e 100644
|
||||
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
|
||||
- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 XStream Committers.
|
||||
+ * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers.
|
||||
* All rights reserved.
|
||||
*
|
||||
* The software in this package is published under the terms of the BSD
|
||||
@@ -36,6 +36,7 @@
|
||||
import java.nio.charset.Charset;
|
||||
import java.text.DecimalFormatSymbols;
|
||||
import java.util.ArrayList;
|
||||
+import java.util.Arrays;
|
||||
import java.util.BitSet;
|
||||
import java.util.Calendar;
|
||||
import java.util.Collection;
|
||||
@@ -65,10 +66,8 @@
|
||||
import com.thoughtworks.xstream.converters.ConverterLookup;
|
||||
import com.thoughtworks.xstream.converters.ConverterRegistry;
|
||||
import com.thoughtworks.xstream.converters.DataHolder;
|
||||
-import com.thoughtworks.xstream.converters.MarshallingContext;
|
||||
import com.thoughtworks.xstream.converters.SingleValueConverter;
|
||||
import com.thoughtworks.xstream.converters.SingleValueConverterWrapper;
|
||||
-import com.thoughtworks.xstream.converters.UnmarshallingContext;
|
||||
import com.thoughtworks.xstream.converters.basic.BigDecimalConverter;
|
||||
import com.thoughtworks.xstream.converters.basic.BigIntegerConverter;
|
||||
import com.thoughtworks.xstream.converters.basic.BooleanConverter;
|
||||
@@ -355,6 +354,8 @@
|
||||
|
||||
private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
|
||||
private static final Pattern IGNORE_ALL = Pattern.compile(".*");
|
||||
+ private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
|
||||
+ private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
|
||||
|
||||
/**
|
||||
* Constructs a default XStream.
|
||||
@@ -697,6 +698,9 @@ protected void setupSecurity() {
|
||||
}
|
||||
|
||||
addPermission(AnyTypePermission.ANY);
|
||||
+ denyTypes(new String[]{"java.beans.EventHandler"});
|
||||
+ denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
|
||||
+ allowTypeHierarchy(Exception.class);
|
||||
securityInitialized = false;
|
||||
}
|
||||
|
||||
@@ -962,7 +966,6 @@ protected void setupConverters() {
|
||||
registerConverter(
|
||||
new SerializableConverter(mapper, reflectionProvider, classLoaderReference), PRIORITY_LOW);
|
||||
registerConverter(new ExternalizableConverter(mapper, classLoaderReference), PRIORITY_LOW);
|
||||
- registerConverter(new InternalBlackList(), PRIORITY_LOW);
|
||||
|
||||
registerConverter(new NullConverter(), PRIORITY_VERY_HIGH);
|
||||
registerConverter(new IntConverter(), PRIORITY_NORMAL);
|
||||
@@ -1482,7 +1485,8 @@ public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder
|
||||
try {
|
||||
if (!securityInitialized && !securityWarningGiven) {
|
||||
securityWarningGiven = true;
|
||||
- System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
|
||||
+ System.err
|
||||
+ .println("Security framework of XStream not explicitly initialized, using predefined black list on your own risk.");
|
||||
}
|
||||
return marshallingStrategy.unmarshal(
|
||||
root, reader, dataHolder, converterLookup, mapper);
|
||||
@@ -2360,7 +2364,7 @@ public void autodetectAnnotations(boolean mode) {
|
||||
*/
|
||||
public void addPermission(TypePermission permission) {
|
||||
if (securityMapper != null) {
|
||||
- securityInitialized = true;
|
||||
+ securityInitialized |= permission.equals(NoTypePermission.NONE) || permission.equals(AnyTypePermission.ANY);
|
||||
securityMapper.addPermission(permission);
|
||||
}
|
||||
}
|
||||
@@ -2539,25 +2543,4 @@ public InitializationException(String message) {
|
||||
super(message);
|
||||
}
|
||||
}
|
||||
-
|
||||
- private class InternalBlackList implements Converter {
|
||||
-
|
||||
- public boolean canConvert(final Class type) {
|
||||
- return (type == void.class || type == Void.class)
|
||||
- || (!securityInitialized
|
||||
- && type != null
|
||||
- && (type.getName().equals("java.beans.EventHandler")
|
||||
- || type.getName().endsWith("$LazyIterator")
|
||||
- || type.getName().startsWith("javax.crypto.")));
|
||||
- }
|
||||
-
|
||||
- public void marshal(final Object source, final HierarchicalStreamWriter writer,
|
||||
- final MarshallingContext context) {
|
||||
- throw new ConversionException("Security alert. Marshalling rejected.");
|
||||
- }
|
||||
-
|
||||
- public Object unmarshal(final HierarchicalStreamReader reader, final UnmarshallingContext context) {
|
||||
- throw new ConversionException("Security alert. Unmarshalling rejected.");
|
||||
- }
|
||||
- }
|
||||
}
|
||||
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
||||
index c7d7ebe4..18379276 100644
|
||||
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
||||
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
||||
@@ -16,6 +16,7 @@
|
||||
import com.thoughtworks.xstream.XStreamException;
|
||||
import com.thoughtworks.xstream.converters.ConversionException;
|
||||
import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
|
||||
+import com.thoughtworks.xstream.security.AnyTypePermission;
|
||||
import com.thoughtworks.xstream.security.ForbiddenClassException;
|
||||
import com.thoughtworks.xstream.security.ProxyTypePermission;
|
||||
|
||||
@@ -108,6 +109,15 @@ public void exec() {
|
||||
}
|
||||
}
|
||||
|
||||
+ public void testInstanceOfVoid() {
|
||||
+ try {
|
||||
+ xstream.fromXML("<void/>");
|
||||
+ fail("Thrown " + ConversionException.class.getName() + " expected");
|
||||
+ } catch (final ConversionException e) {
|
||||
+ assertEquals("void", e.get("construction-type"));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
public void testDeniedInstanceOfVoid() {
|
||||
try {
|
||||
xstream.fromXML("<void/>");
|
||||
@@ -123,7 +133,20 @@ public void testAllowedInstanceOfVoid() {
|
||||
xstream.fromXML("<void/>");
|
||||
fail("Thrown " + ConversionException.class.getName() + " expected");
|
||||
} catch (final ConversionException e) {
|
||||
- assertEquals("void", e.get("required-type"));
|
||||
+ assertEquals("void", e.get("construction-type"));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ public static class LazyIterator {
|
||||
+ }
|
||||
+
|
||||
+ public void testInstanceOfLazyIterator() {
|
||||
+ xstream.alias("lazy-iterator", LazyIterator.class);
|
||||
+ try {
|
||||
+ xstream.fromXML("<lazy-iterator/>");
|
||||
+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
|
||||
+ } catch (final ForbiddenClassException e) {
|
||||
+ // OK
|
||||
}
|
||||
}
|
||||
}
|
||||
13
settings.xml
Normal file
13
settings.xml
Normal file
@ -0,0 +1,13 @@
|
||||
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
|
||||
http://maven.apache.org/xsd/settings-1.0.0.xsd">
|
||||
<mirrors>
|
||||
<mirror>
|
||||
<id>aliyun-central</id>
|
||||
<mirrorOf>*</mirrorOf>
|
||||
<name>aliyun central</name>
|
||||
<url>https://maven.aliyun.com/repository/central</url>
|
||||
</mirror>
|
||||
</mirrors>
|
||||
</settings>
|
||||
Binary file not shown.
27
xstream.spec
27
xstream.spec
@ -1,16 +1,13 @@
|
||||
%bcond_with jp_minimal
|
||||
Name: xstream
|
||||
Version: 1.4.11.1
|
||||
Release: 3
|
||||
Version: 1.4.16
|
||||
Release: 1
|
||||
Summary: Java XML serialization library
|
||||
License: BSD
|
||||
URL: http://x-stream.github.io/
|
||||
BuildArch: noarch
|
||||
Source0: http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
|
||||
Patch0: New-predefined-blacklist-avoids-vulnerability.patch
|
||||
Patch1: CVE-2020-26217-CVE-2017-9805.patch
|
||||
Patch2: CVE-2020-26258.patch
|
||||
Patch3: CVE-2020-26259.patch
|
||||
Source1: settings.xml
|
||||
|
||||
BuildRequires: maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api)
|
||||
BuildRequires: mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min)
|
||||
@ -19,11 +16,11 @@ BuildRequires: mvn(org.apache.maven.plugins:maven-enforcer-plugin)
|
||||
BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin)
|
||||
BuildRequires: mvn(org.codehaus.woodstox:woodstox-core-asl) mvn(org.jdom:jdom)
|
||||
BuildRequires: mvn(org.jdom:jdom2) mvn(stax:stax) mvn(stax:stax-api) mvn(xpp3:xpp3)
|
||||
BuildRequires: mvn(xpp3:xpp3_min)
|
||||
BuildRequires: mvn(xpp3:xpp3_min) maven
|
||||
%if %{without jp_minimal}
|
||||
BuildRequires: mvn(javassist:javassist) mvn(org.codehaus.jettison:jettison)
|
||||
BuildRequires: mvn(org.hibernate:hibernate-core) mvn(org.hibernate:hibernate-envers)
|
||||
BuildRequires: mvn(org.slf4j:slf4j-simple) mvn(xom:xom)
|
||||
BuildRequires: mvn(org.slf4j:slf4j-simple) mvn(xom:xom) mvn(io.github.x-stream:mxparser)
|
||||
%endif
|
||||
%description
|
||||
XStream is a simple library to serialize objects to XML
|
||||
@ -72,11 +69,8 @@ Parent POM for xstream.
|
||||
|
||||
%prep
|
||||
%setup -qn xstream-%{version}
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
sed -i "s/3.2.7/4.0.0/g" pom.xml
|
||||
find . -name "*.class" -print -delete
|
||||
find . -name "*.jar" -print -delete
|
||||
%pom_disable_module xstream-distribution
|
||||
@ -86,11 +80,12 @@ find . -name "*.jar" -print -delete
|
||||
%pom_remove_plugin :maven-eclipse-plugin
|
||||
%pom_remove_plugin :maven-release-plugin
|
||||
%pom_remove_plugin :xsite-maven-plugin
|
||||
%pom_remove_plugin :maven-compiler-plugin
|
||||
%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl
|
||||
%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl xstream
|
||||
%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib
|
||||
%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib xstream
|
||||
%pom_change_dep :xmlpull xpp3:xpp3:1.1.4c xstream
|
||||
%pom_remove_plugin :maven-antrun-plugin
|
||||
%pom_remove_plugin :maven-dependency-plugin xstream
|
||||
%pom_remove_plugin :maven-javadoc-plugin xstream
|
||||
%pom_remove_dep javax.activation:activation xstream
|
||||
@ -104,6 +99,7 @@ find . -name "*.jar" -print -delete
|
||||
%pom_disable_module xstream-hibernate
|
||||
%pom_remove_dep -r xom:xom
|
||||
%pom_remove_dep -r org.codehaus.jettison:jettison
|
||||
%pom_remove_dep org.codehaus.woodstox:woodstox-core-asl xstream
|
||||
rm xstream/src/java/com/thoughtworks/xstream/io/xml/Xom*
|
||||
rm xstream/src/java/com/thoughtworks/xstream/io/json/Jettison*
|
||||
rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/XStreamXom.java
|
||||
@ -111,8 +107,10 @@ rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/
|
||||
%mvn_file :xstream xstream/xstream xstream
|
||||
%mvn_file :xstream-benchmark xstream/xstream-benchmark xstream-benchmark
|
||||
%mvn_package :xstream
|
||||
cp -a %{_sourcedir}/settings.xml .
|
||||
|
||||
%build
|
||||
mvn install --settings ./settings.xml -Dmaven.test.skip=true
|
||||
%mvn_build -f -s -- -Dversion.java.source=8
|
||||
|
||||
%install
|
||||
@ -134,6 +132,9 @@ rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/
|
||||
%license LICENSE.txt
|
||||
|
||||
%changelog
|
||||
* Tue Mar 30 2021 wutao <wutao61@huawei.com> - 1.4.16-1
|
||||
- update to 1.4.16
|
||||
|
||||
* Mon Jan 11 2021 wangyue<wangyue92@huawei.com>-1.4.11.1-3
|
||||
- Fix CVE-2020-26258 CVE-2020-26259
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user