From 0fec095d534126931c99fd38e9c6d41f5c685c1a Mon Sep 17 00:00:00 2001
From: joehni
Date: Thu, 24 Sep 2020 01:56:49 +0200
Subject: [PATCH] Fix for CVE-2017-9805 CVE-2020-26217

---
 .../com/thoughtworks/xstream/XStream.java | 2 +-
 .../acceptance/SecurityVulnerabilityTest.java | 118 +++++++++++++-----
 2 files changed, 91 insertions(+), 29 deletions(-)

diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index 81dbf40..692243e 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -698,7 +698,7 @@ public class XStream {
 }
 addPermission(AnyTypePermission.ANY);
- denyTypes(new String[]{"java.beans.EventHandler"});
+ denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
 denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
 allowTypeHierarchy(Exception.class);
 securityInitialized = false;
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
index 213f308..309c146 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2014, 2017, 2018 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017, 2018, 2020 XStream Committers.
 * All rights reserved.
 *
 * The software in this package is published under the terms of the BSD 
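Review bot: The new deny entry for `javax.imageio.ImageIO$ContainsFilter` carries no comment saying why it is there, and the `denyTypes` call is now a growing name-based list of known gadgets (the subject line pairs a 2017 and a 2020 CVE for this same spot), which only ever blocks classes someone has already exploited. I would annotate the line: `// Known deserialization gadgets (CVE-2017-9805, CVE-2020-26217); a name denylist cannot be complete — callers should still install an explicit allowlist.` The acceptance test added in this patch shows a deserialized ContainsFilter inside an iterator invoking the named `exec` method on the embedded object once the iterator is advanced, so the entry is justified, but that reasoning currently lives only in the test. This deny list appears to be the only barrier when the security framework is otherwise left unconfigured, and its effect presumably depends on later-registered permissions taking precedence over `AnyTypePermission.ANY` — a one-line comment on that ordering would help the next person who adds an entry; please confirm. The enclosing method starts and ends outside the hunk.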
@@ -11,14 +11,14 @@ package com.thoughtworks.acceptance;
 import java.beans.EventHandler;
+import java.util.Iterator;
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.XStreamException;
 import com.thoughtworks.xstream.converters.ConversionException;
-import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+import com.thoughtworks.xstream.core.JVM;
 import com.thoughtworks.xstream.security.AnyTypePermission;
 import com.thoughtworks.xstream.security.ForbiddenClassException;
-import com.thoughtworks.xstream.security.ProxyTypePermission;
 /**
@@ -32,8 +32,9 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
 super.setUp();
 BUFFER.setLength(0);
 xstream.alias("runnable", Runnable.class);
- xstream.allowTypeHierarchy(Runnable.class);
- xstream.addPermission(ProxyTypePermission.PROXIES);
+ }
+
+ protected void setupSecurity(XStream xstream){
 }
 public void testCannotInjectEventHandler() {
@@ -58,7 +59,6 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
 }
 public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
- xstream = new XStream(createDriver());
 xstream.alias("runnable", Runnable.class);
 final String xml = "" + "\n" 
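Review bot: The `protected void setupSecurity(XStream xstream){ }` added in the `setUp` hunk is an empty override with no comment, so it reads like an unfinished stub rather than the deliberate decision to drop the permissive `allowTypeHierarchy(Runnable.class)`/`ProxyTypePermission.PROXIES` setup and run these tests against XStream's default security configuration. I would document it: `// Intentionally empty: these tests must run against XStream's default security setup, so no extra permissions are installed here.` and write the signature as `protected void setupSecurity(XStream xstream) {` to match the spacing used elsewhere in the file. I am inferring that this overrides a hook in the base class that normally installs test permissions and is called from the base `setUp`; please confirm, because the removal of `xstream = new XStream(createDriver())` in the following hunk only works if the instance `super.setUp()` creates is indeed left unconfigured. The `setUp` method begins outside the hunk.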
@@ -102,6 +102,71 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
 assertEquals("Executed!", BUFFER.toString());
 }
+ public void testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework() {
+ if (JVM.isVersion(7)) {
+ final String xml = "" + "\n" + " \n" + " 0\n" + " 1\n" + " 1\n" + " \n" + " \n" + " \n" + " \n" + " \n" + " \n" + " com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec\n" + " exec\n" + " \n" + " \n" + " exec\n" + " \n" + " \n" + "";
+ try {
+ xstream.fromXML(xml);
+ fail("Thrown " + XStreamException.class.getName() + " expected");
+ } catch (final XStreamException e) {
+ assertTrue(e.getMessage().indexOf("javax.imageio.ImageIO$ContainsFilter") >= 0);
+ }
+ assertEquals(0, BUFFER.length());
+ }
+ }
+
+ public void testExplicitlyConvertImageIOContainsFilter() {
+ if (JVM.isVersion(7)) {
+ final String xml = "" + "\n" + " \n" + " 0\n" + " 1\n" + " 1\n" + " \n" + " \n" + " \n" + " \n" + " \n" + " \n" + " com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec\n" + " exec\n" + " \n" + " \n" + " exec\n" + " \n" + " \n" + "";
+ xstream.allowTypes(new String[]{"javax.imageio.ImageIO$ContainsFilter"});
+ final Iterator iterator = (Iterator)xstream.fromXML(xml);
+ assertEquals(0, BUFFER.length());
+ iterator.next();
+ assertEquals("Executed!", BUFFER.toString());
+ }
+ }
+
 public static class Exec {
 public void exec() {
-- 
2.23.0
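Review bot: The negative test `testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework` catches the broad `XStreamException` and only searches the message for the class name, so any failure whose message happens to mention `ImageIO$ContainsFilter` would pass; since `ForbiddenClassException` is already imported in this file, the catch block could additionally assert that the exception is — or, if the nested rejection is wrapped in a `ConversionException`, is caused by — a `ForbiddenClassException`, which pins that the rejection came from the type permission check. The two tests repeat the same multi-line XML payload verbatim; hoisting it into one `private static final String` keeps the positive and negative cases from drifting apart when the payload is adjusted. Both bodies are skipped silently when `JVM.isVersion(7)` is false, which is presumably needed for the older JVMs this code base still targets, but a short comment on the guard stating why Java 7 is the floor would spare the next reader the archaeology. A comment on `testExplicitlyConvertImageIOContainsFilter` should also make clear that it deliberately demonstrates the gadget firing once the type is allowed (`BUFFER` reads `Executed!` only after `iterator.next()`), so nobody later "fixes" it. The `Exec` class declared at the end of the hunk continues outside it.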