124 lines
5.2 KiB
Diff
124 lines
5.2 KiB
Diff
From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001
|
|
From: Michael Simacek <msimacek@redhat.com>
|
|
Date: Wed, 12 Apr 2017 12:19:21 +0200
|
|
Subject: [PATCH] Prevent deserialization of void
|
|
|
|
---
|
|
.../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++++--------
|
|
.../xstream/security/PrimitiveTypePermission.java | 5 +++--
|
|
.../acceptance/SecurityVulnerabilityTest.java | 24 +++++++++++++++++++++-
|
|
3 files changed, 39 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
|
|
index 2c569ae..491f0d6 100644
|
|
--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
|
|
+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
|
|
@@ -1,6 +1,6 @@
|
|
/*
|
|
* Copyright (C) 2004, 2005 Joe Walnes.
|
|
- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
|
|
+ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
|
|
* All rights reserved.
|
|
*
|
|
* Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
|
|
@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid
|
|
throw ex;
|
|
}
|
|
ErrorWritingException ex = null;
|
|
- try {
|
|
- return unsafe.allocateInstance(type);
|
|
- } catch (SecurityException e) {
|
|
- ex = new ObjectAccessException("Cannot construct type", e);
|
|
- } catch (InstantiationException e) {
|
|
- ex = new ConversionException("Cannot construct type", e);
|
|
- } catch (IllegalArgumentException e) {
|
|
- ex = new ObjectAccessException("Cannot construct type", e);
|
|
+ if (type == void.class || type == Void.class) {
|
|
+ ex = new ConversionException("Type void cannot have an instance");
|
|
+ } else {
|
|
+ try {
|
|
+ return unsafe.allocateInstance(type);
|
|
+ } catch (SecurityException e) {
|
|
+ ex = new ObjectAccessException("Cannot construct type", e);
|
|
+ } catch (InstantiationException e) {
|
|
+ ex = new ConversionException("Cannot construct type", e);
|
|
+ } catch (IllegalArgumentException e) {
|
|
+ ex = new ObjectAccessException("Cannot construct type", e);
|
|
+ }
|
|
}
|
|
ex.add("construction-type", type.getName());
|
|
throw ex;
|
|
diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
|
|
index fb69b95..c3cbad9 100644
|
|
--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
|
|
+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (C) 2014 XStream Committers.
|
|
+ * Copyright (C) 2014, 2017 XStream Committers.
|
|
* All rights reserved.
|
|
*
|
|
* Created on 09. January 2014 by Joerg Schaible
|
|
@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security;
|
|
|
|
import com.thoughtworks.xstream.core.util.Primitives;
|
|
|
|
+
|
|
/**
|
|
- * Permission for any primitive type and its boxed counterpart (incl. void).
|
|
+ * Permission for any primitive type and its boxed counterpart (excl. void).
|
|
*
|
|
* @author Jörg Schaible
|
|
* @since 1.4.7
|
|
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
|
index c77b3ce..0180fd7 100644
|
|
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
|
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (C) 2013, 2014 XStream Committers.
|
|
+ * Copyright (C) 2013, 2014, 2017 XStream Committers.
|
|
* All rights reserved.
|
|
*
|
|
* The software in this package is published under the terms of the BSD
|
|
@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance;
|
|
import java.beans.EventHandler;
|
|
|
|
import com.thoughtworks.xstream.XStreamException;
|
|
+import com.thoughtworks.xstream.converters.ConversionException;
|
|
import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
|
|
+import com.thoughtworks.xstream.security.ForbiddenClassException;
|
|
import com.thoughtworks.xstream.security.ProxyTypePermission;
|
|
|
|
+
|
|
/**
|
|
* @author Jörg Schaible
|
|
*/
|
|
@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
|
|
BUFFER.append("Executed!");
|
|
}
|
|
}
|
|
+
|
|
+ public void testDeniedInstanceOfVoid() {
|
|
+ try {
|
|
+ xstream.fromXML("<void/>");
|
|
+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
|
|
+ } catch (final ForbiddenClassException e) {
|
|
+ // OK
|
|
+ }
|
|
+ }
|
|
+
|
|
+ public void testAllowedInstanceOfVoid() {
|
|
+ xstream.allowTypes(void.class, Void.class);
|
|
+ try {
|
|
+ xstream.fromXML("<void/>");
|
|
+ fail("Thrown " + ConversionException.class.getName() + " expected");
|
|
+ } catch (final ConversionException e) {
|
|
+ assertEquals("void", e.get("construction-type"));
|
|
+ }
|
|
+ }
|
|
}
|
|
--
|
|
2.9.3
|
|
|