xstream/CVE-2020-26217-CVE-2017-9805.patch
2020-12-12 19:19:59 +08:00


From 0fec095d534126931c99fd38e9c6d41f5c685c1a Mon Sep 17 00:00:00 2001
From: joehni <joerg.schaible@gmx.de>
Date: Thu, 24 Sep 2020 01:56:49 +0200
Subject: [PATCH] Fix for CVE-2017-9805 CVE-2020-26217
---
.../com/thoughtworks/xstream/XStream.java | 2 +-
.../acceptance/SecurityVulnerabilityTest.java | 118 +++++++++++++-----
2 files changed, 91 insertions(+), 29 deletions(-)
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index 81dbf40..692243e 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -698,7 +698,7 @@ public class XStream {
}
addPermission(AnyTypePermission.ANY);
- denyTypes(new String[]{"java.beans.EventHandler"});
+ denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
allowTypeHierarchy(Exception.class);
securityInitialized = false;
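Review bot: The new entry in `denyTypes` is a bare class-name string in a deny-list that sits directly under `addPermission(AnyTypePermission.ANY)`, so nothing in the code says which report it closes or why that one class matters; a comment such as `// CVE-2020-26217: ImageIO$ContainsFilter carries a Method that is invoked when the wrapping FilterIterator advances (see SecurityVulnerabilityTest)` would tie the entry to the test added in the same commit. Because this default setup permits every type and then subtracts named classes, it closes the specific chain the new test exercises but remains fragile against types not on the list; the Javadoc of this setup should point users to an explicit allow-list (`allowTypes`/`allowTypeHierarchy`) as the supported mitigation. The enclosing method begins outside the hunk.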
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
index 213f308..309c146 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013, 2014, 2017, 2018 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017, 2018, 2020 XStream Committers.
* All rights reserved.
*
* The software in this package is published under the terms of the BSD
@@ -11,14 +11,14 @@
package com.thoughtworks.acceptance;
import java.beans.EventHandler;
+import java.util.Iterator;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.converters.ConversionException;
-import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+import com.thoughtworks.xstream.core.JVM;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
-import com.thoughtworks.xstream.security.ProxyTypePermission;
/**
@@ -32,8 +32,9 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
super.setUp();
BUFFER.setLength(0);
xstream.alias("runnable", Runnable.class);
- xstream.allowTypeHierarchy(Runnable.class);
- xstream.addPermission(ProxyTypePermission.PROXIES);
+ }
+
+ protected void setupSecurity(XStream xstream){
}
public void testCannotInjectEventHandler() {
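Review bot: The added `setupSecurity(XStream xstream)` override is empty and undocumented, so a reader cannot tell that it deliberately suppresses whatever security configuration `AbstractAcceptanceTest` applies (inferred from the name; the base class is not visible here) so that every case in this class runs against XStream's default setup. A body comment such as `// intentionally empty: these tests run against the unconfigured default security framework` would make that explicit, and if the base class declares the method the override should carry `@Override`. The declaration is also missing the space before the brace in `setupSecurity(XStream xstream){`. `setUp` begins outside the hunk.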
@@ -58,7 +59,6 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
}
public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
- xstream = new XStream(createDriver());
xstream.alias("runnable", Runnable.class);
final String xml = ""
+ "<string class='runnable-array'>\n"
@@ -102,6 +102,71 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
assertEquals("Executed!", BUFFER.toString());
}
+ public void testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework() {
+ if (JVM.isVersion(7)) {
+ final String xml = ""
+ + "<string class='javax.imageio.spi.FilterIterator'>\n"
+ + " <iter class='java.util.ArrayList$Itr'>\n"
+ + " <cursor>0</cursor>\n"
+ + " <lastRet>1</lastRet>\n"
+ + " <expectedModCount>1</expectedModCount>\n"
+ + " <outer-class>\n"
+ + " <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
+ + " </outer-class>\n"
+ + " </iter>\n"
+ + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
+ + " <method>\n"
+ + " <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
+ + " <name>exec</name>\n"
+ + " <parameter-types/>\n"
+ + " </method>\n"
+ + " <name>exec</name>\n"
+ + " </filter>\n"
+ + " <next/>\n"
+ + "</string>";
+
+ try {
+ xstream.fromXML(xml);
+ fail("Thrown " + XStreamException.class.getName() + " expected");
+ } catch (final XStreamException e) {
+ assertTrue(e.getMessage().indexOf("javax.imageio.ImageIO$ContainsFilter") >= 0);
+ }
+ assertEquals(0, BUFFER.length());
+ }
+ }
+
+ public void testExplicitlyConvertImageIOContainsFilter() {
+ if (JVM.isVersion(7)) {
+ final String xml = ""
+ + "<string class='javax.imageio.spi.FilterIterator'>\n"
+ + " <iter class='java.util.ArrayList$Itr'>\n"
+ + " <cursor>0</cursor>\n"
+ + " <lastRet>1</lastRet>\n"
+ + " <expectedModCount>1</expectedModCount>\n"
+ + " <outer-class>\n"
+ + " <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
+ + " </outer-class>\n"
+ + " </iter>\n"
+ + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
+ + " <method>\n"
+ + " <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
+ + " <name>exec</name>\n"
+ + " <parameter-types/>\n"
+ + " </method>\n"
+ + " <name>exec</name>\n"
+ + " </filter>\n"
+ + " <next/>\n"
+ + "</string>";
+
+ xstream.allowTypes(new String[]{"javax.imageio.ImageIO$ContainsFilter"});
+
+ final Iterator iterator = (Iterator)xstream.fromXML(xml);
+ assertEquals(0, BUFFER.length());
+ iterator.next();
+ assertEquals("Executed!", BUFFER.toString());
+ }
+ }
+
public static class Exec {
public void exec() {
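Review bot: `testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework` and `testExplicitlyConvertImageIOContainsFilter` repeat the same twenty-line XML literal verbatim; extract it once as a class-level `private static final String IMAGEIO_CONTAINS_FILTER_XML` and have both methods call `xstream.fromXML(IMAGEIO_CONTAINS_FILTER_XML)`, so a later change to the fixture cannot leave the negative and positive cases out of step. The second test deserves a Javadoc line stating that it allows the type on purpose to show that the deny-list entry, not the converter, is what prevents execution. When `JVM.isVersion(7)` is false both methods pass without asserting anything, which is presumably intended for older JVMs but should be said in a comment. In the first test `e.getMessage().indexOf(...)` throws a NullPointerException instead of an assertion failure if the exception carries no message; `assertTrue(String.valueOf(e.getMessage()).indexOf("javax.imageio.ImageIO$ContainsFilter") >= 0);` keeps the failure readable.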
--
2.23.0