!5 Fix CVE-2020-26217

From: @hht8 Reviewed-by: @wangchong1995924 Signed-off-by: @wangchong1995924
2021-01-08 15:09:10 +08:00 · 2021-01-08 15:09:10 +08:00 · bb35cf2b03
commit bb35cf2b03
parent dc85afdb7c 4fca80a521
3 changed files with 318 additions and 1 deletions
--- a/CVE-2020-26217-CVE-2017-9805.patch
+++ b/CVE-2020-26217-CVE-2017-9805.patch
@ -0,0 +1,146 @@
 From 0fec095d534126931c99fd38e9c6d41f5c685c1a Mon Sep 17 00:00:00 2001
 From: joehni <joerg.schaible@gmx.de>
 Date: Thu, 24 Sep 2020 01:56:49 +0200
 Subject: [PATCH] Fix for CVE-2017-9805 CVE-2020-26217
 ---
 .../com/thoughtworks/xstream/XStream.java     |   2 +-
 .../acceptance/SecurityVulnerabilityTest.java | 118 +++++++++++++-----
 2 files changed, 91 insertions(+), 29 deletions(-)
 diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
 index 81dbf40..692243e 100644
 --- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
 +++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -698,7 +698,7 @@ public class XStream {
         }
         addPermission(AnyTypePermission.ANY);
 -        denyTypes(new String[]{"java.beans.EventHandler"});
 +        denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
         denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
         allowTypeHierarchy(Exception.class);
         securityInitialized = false;
 diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
 index 213f308..309c146 100644
 --- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
 +++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
 /*
 - * Copyright (C) 2013, 2014, 2017, 2018 XStream Committers.
 + * Copyright (C) 2013, 2014, 2017, 2018, 2020 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -11,14 +11,14 @@
 package com.thoughtworks.acceptance;
 import java.beans.EventHandler;
 +import java.util.Iterator;
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.XStreamException;
 import com.thoughtworks.xstream.converters.ConversionException;
 -import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
 +import com.thoughtworks.xstream.core.JVM;
 import com.thoughtworks.xstream.security.AnyTypePermission;
 import com.thoughtworks.xstream.security.ForbiddenClassException;
 -import com.thoughtworks.xstream.security.ProxyTypePermission;
 /**
@@ -32,8 +32,9 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
         super.setUp();
         BUFFER.setLength(0);
         xstream.alias("runnable", Runnable.class);
 -        xstream.allowTypeHierarchy(Runnable.class);
 -        xstream.addPermission(ProxyTypePermission.PROXIES);
 +    }
 +
 +    protected void setupSecurity(XStream xstream){
     }
     public void testCannotInjectEventHandler() {
@@ -58,7 +59,6 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
     }
     public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
 -        xstream = new XStream(createDriver());
         xstream.alias("runnable", Runnable.class);
         final String xml = ""
             + "<string class='runnable-array'>\n"
@@ -102,6 +102,71 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
         assertEquals("Executed!", BUFFER.toString());
     }
 +    public void testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework() {
 +        if (JVM.isVersion(7)) {
 +            final String xml = ""
 +                + "<string class='javax.imageio.spi.FilterIterator'>\n"
 +                + " <iter class='java.util.ArrayList$Itr'>\n"
 +                + "   <cursor>0</cursor>\n"
 +                + "   <lastRet>1</lastRet>\n"
 +                + "   <expectedModCount>1</expectedModCount>\n"
 +                + "   <outer-class>\n"
 +                + "     <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
 +                + "   </outer-class>\n"
 +                + " </iter>\n"
 +                + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
 +                + "   <method>\n"
 +                + "     <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
 +                + "     <name>exec</name>\n"
 +                + "     <parameter-types/>\n"
 +                + "   </method>\n"
 +                + "   <name>exec</name>\n"
 +                + " </filter>\n"
 +                + " <next/>\n"
 +                + "</string>";
 +    
 +            try {
 +                xstream.fromXML(xml);
 +                fail("Thrown " + XStreamException.class.getName() + " expected");
 +            } catch (final XStreamException e) {
 +                assertTrue(e.getMessage().indexOf("javax.imageio.ImageIO$ContainsFilter") >= 0);
 +            }
 +            assertEquals(0, BUFFER.length());
 +        }
 +    }
 +    
 +    public void testExplicitlyConvertImageIOContainsFilter() {
 +        if (JVM.isVersion(7)) {
 +            final String xml = ""
 +                + "<string class='javax.imageio.spi.FilterIterator'>\n"
 +                + " <iter class='java.util.ArrayList$Itr'>\n"
 +                + "   <cursor>0</cursor>\n"
 +                + "   <lastRet>1</lastRet>\n"
 +                + "   <expectedModCount>1</expectedModCount>\n"
 +                + "   <outer-class>\n"
 +                + "     <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
 +                + "   </outer-class>\n"
 +                + " </iter>\n"
 +                + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
 +                + "   <method>\n"
 +                + "     <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
 +                + "     <name>exec</name>\n"
 +                + "     <parameter-types/>\n"
 +                + "   </method>\n"
 +                + "   <name>exec</name>\n"
 +                + " </filter>\n"
 +                + " <next/>\n"
 +                + "</string>";
 +    
 +            xstream.allowTypes(new String[]{"javax.imageio.ImageIO$ContainsFilter"});
 +    
 +            final Iterator iterator = (Iterator)xstream.fromXML(xml);
 +            assertEquals(0, BUFFER.length());
 +            iterator.next();
 +            assertEquals("Executed!", BUFFER.toString());
 +        }
 +    }
 +
     public static class Exec {
         public void exec() {
 -- 
 2.23.0
--- a/New-predefined-blacklist-avoids-vulnerability.patch
+++ b/New-predefined-blacklist-avoids-vulnerability.patch
@ -0,0 +1,164 @@
 From 51abe602e09016c8e43e91325a15226022f4da46 Mon Sep 17 00:00:00 2001
 From: joehni <joerg.schaible@gmx.de>
 Date: Wed, 2 Sep 2020 00:38:51 +0200
 Subject: [PATCH] New predefined blacklist avoids vulnerability due to improper
 setup of the security framework. Closes #207.
 ---
 .../com/thoughtworks/xstream/XStream.java     | 37 +++++--------------
 .../acceptance/SecurityVulnerabilityTest.java | 29 +++++++++++++--
 2 files changed, 36 insertions(+), 30 deletions(-)
 diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
 index 4eb2e33a..72e32c6e 100644
 --- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
 +++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
 - * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 XStream Committers.
 + * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -36,6 +36,7 @@
 import java.nio.charset.Charset;
 import java.text.DecimalFormatSymbols;
 import java.util.ArrayList;
 +import java.util.Arrays;
 import java.util.BitSet;
 import java.util.Calendar;
 import java.util.Collection;
@@ -65,10 +66,8 @@
 import com.thoughtworks.xstream.converters.ConverterLookup;
 import com.thoughtworks.xstream.converters.ConverterRegistry;
 import com.thoughtworks.xstream.converters.DataHolder;
 -import com.thoughtworks.xstream.converters.MarshallingContext;
 import com.thoughtworks.xstream.converters.SingleValueConverter;
 import com.thoughtworks.xstream.converters.SingleValueConverterWrapper;
 -import com.thoughtworks.xstream.converters.UnmarshallingContext;
 import com.thoughtworks.xstream.converters.basic.BigDecimalConverter;
 import com.thoughtworks.xstream.converters.basic.BigIntegerConverter;
 import com.thoughtworks.xstream.converters.basic.BooleanConverter;
@@ -355,6 +354,8 @@
     private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
 +    private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
 +    private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
     /**
      * Constructs a default XStream.
@@ -697,6 +698,9 @@ protected void setupSecurity() {
         }
         addPermission(AnyTypePermission.ANY);
 +        denyTypes(new String[]{"java.beans.EventHandler"});
 +        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
 +        allowTypeHierarchy(Exception.class);
         securityInitialized = false;
     }
@@ -962,7 +966,6 @@ protected void setupConverters() {
         registerConverter(
             new SerializableConverter(mapper, reflectionProvider, classLoaderReference), PRIORITY_LOW);
         registerConverter(new ExternalizableConverter(mapper, classLoaderReference), PRIORITY_LOW);
 -        registerConverter(new InternalBlackList(), PRIORITY_LOW);
         registerConverter(new NullConverter(), PRIORITY_VERY_HIGH);
         registerConverter(new IntConverter(), PRIORITY_NORMAL);
@@ -1482,7 +1485,8 @@ public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder
         try {
             if (!securityInitialized && !securityWarningGiven) {
                 securityWarningGiven = true;
 -                System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
 +                System.err
 +                    .println("Security framework of XStream not explicitly initialized, using predefined black list on your own risk.");
             }
             return marshallingStrategy.unmarshal(
                 root, reader, dataHolder, converterLookup, mapper);
@@ -2360,7 +2364,7 @@ public void autodetectAnnotations(boolean mode) {
      */
     public void addPermission(TypePermission permission) {
         if (securityMapper != null) {
 -            securityInitialized = true;
 +            securityInitialized |= permission.equals(NoTypePermission.NONE) || permission.equals(AnyTypePermission.ANY);
             securityMapper.addPermission(permission);
         }
     }
@@ -2539,25 +2543,4 @@ public InitializationException(String message) {
             super(message);
         }
     }
 -
 -    private class InternalBlackList implements Converter {
 -
 -        public boolean canConvert(final Class type) {
 -            return (type == void.class || type == Void.class)
 -                || (!securityInitialized
 -                    && type != null
 -                    && (type.getName().equals("java.beans.EventHandler")
 -                        || type.getName().endsWith("$LazyIterator")
 -                        || type.getName().startsWith("javax.crypto.")));
 -        }
 -
 -        public void marshal(final Object source, final HierarchicalStreamWriter writer,
 -                final MarshallingContext context) {
 -            throw new ConversionException("Security alert. Marshalling rejected.");
 -        }
 -
 -        public Object unmarshal(final HierarchicalStreamReader reader, final UnmarshallingContext context) {
 -            throw new ConversionException("Security alert. Unmarshalling rejected.");
 -        }
 -    }
 }
 diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
 index c7d7ebe4..18379276 100644
 --- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
 +++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -16,6 +16,7 @@
 import com.thoughtworks.xstream.XStreamException;
 import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
 +import com.thoughtworks.xstream.security.AnyTypePermission;
 import com.thoughtworks.xstream.security.ForbiddenClassException;
 import com.thoughtworks.xstream.security.ProxyTypePermission;
@@ -108,6 +109,15 @@ public void exec() {
         }
     }
 +    public void testInstanceOfVoid() {
 +        try {
 +            xstream.fromXML("<void/>");
 +            fail("Thrown " + ConversionException.class.getName() + " expected");
 +        } catch (final ConversionException e) {
 +            assertEquals("void", e.get("construction-type"));
 +        }
 +    }
 +
     public void testDeniedInstanceOfVoid() {
         try {
             xstream.fromXML("<void/>");
@@ -123,7 +133,20 @@ public void testAllowedInstanceOfVoid() {
             xstream.fromXML("<void/>");
             fail("Thrown " + ConversionException.class.getName() + " expected");
         } catch (final ConversionException e) {
 -            assertEquals("void", e.get("required-type"));
 +            assertEquals("void", e.get("construction-type"));
 +        }
 +    }
 +    
 +    public static class LazyIterator {
 +    }
 +
 +    public void testInstanceOfLazyIterator() {
 +        xstream.alias("lazy-iterator", LazyIterator.class);
 +        try {
 +            xstream.fromXML("<lazy-iterator/>");
 +            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
 +        } catch (final ForbiddenClassException e) {
 +            // OK
         }
     }
 }
--- a/xstream.spec
+++ b/xstream.spec
@ -1,12 +1,14 @@
 %bcond_with jp_minimal
 Name:                xstream
 Version:             1.4.11.1
-Release:             1
+Release:             2
 Summary:             Java XML serialization library
 License:             BSD
 URL:                 http://x-stream.github.io/
 BuildArch:           noarch
 Source0:             http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
 Patch0:              New-predefined-blacklist-avoids-vulnerability.patch
 Patch1:              CVE-2020-26217-CVE-2017-9805.patch 
 BuildRequires:       maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api)
 BuildRequires:       mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min)
 BuildRequires:       mvn(org.apache.felix:maven-bundle-plugin)
@ -67,6 +69,8 @@ Parent POM for xstream.
 %prep
 %setup -qn xstream-%{version}
 %patch0 -p1
 %patch1 -p1
 find . -name "*.class" -print -delete
 find . -name "*.jar" -print -delete
 %pom_disable_module xstream-distribution
@ -124,6 +128,9 @@ rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/
 %license LICENSE.txt
 %changelog
 * Sat Dec 12 2020 huanghaitao <huanghaitao8@huawei.com> - 1.4.11.1-2
 - Fix CVE-2020-26217 CVE-2017-9805
 * Fri Aug 14 2020 yaokai <yaokai13@huawei.com> - 1.4.11.1-1
 - upgrade to 1.4.11.1-1