From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Wed, 12 Apr 2017 12:19:21 +0200
Subject: [PATCH] Prevent deserialization of void
---
.../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++++--------
.../xstream/security/PrimitiveTypePermission.java | 5 +++--
.../acceptance/SecurityVulnerabilityTest.java | 24 +++++++++++++++++++++-
3 files changed, 39 insertions(+), 12 deletions(-)
diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
index 2c569ae..491f0d6 100644
--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2004, 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
* All rights reserved.
*
* Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid
throw ex;
}
ErrorWritingException ex = null;
- try {
- return unsafe.allocateInstance(type);
- } catch (SecurityException e) {
- ex = new ObjectAccessException("Cannot construct type", e);
- } catch (InstantiationException e) {
- ex = new ConversionException("Cannot construct type", e);
- } catch (IllegalArgumentException e) {
- ex = new ObjectAccessException("Cannot construct type", e);
+ if (type == void.class || type == Void.class) {
+ ex = new ConversionException("Type void cannot have an instance");
+ } else {
+ try {
+ return unsafe.allocateInstance(type);
+ } catch (SecurityException e) {
+ ex = new ObjectAccessException("Cannot construct type", e);
+ } catch (InstantiationException e) {
+ ex = new ConversionException("Cannot construct type", e);
+ } catch (IllegalArgumentException e) {
+ ex = new ObjectAccessException("Cannot construct type", e);
+ }
}
ex.add("construction-type", type.getName());
throw ex;
diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
index fb69b95..c3cbad9 100644
--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 XStream Committers.
+ * Copyright (C) 2014, 2017 XStream Committers.
* All rights reserved.
*
* Created on 09. January 2014 by Joerg Schaible
@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security;
import com.thoughtworks.xstream.core.util.Primitives;
+
/**
- * Permission for any primitive type and its boxed counterpart (incl. void).
+ * Permission for any primitive type and its boxed counterpart (excl. void).
*
* @author Jörg Schaible
* @since 1.4.7
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
index c77b3ce..0180fd7 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013, 2014 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017 XStream Committers.
* All rights reserved.
*
* The software in this package is published under the terms of the BSD
@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance;
import java.beans.EventHandler;
import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.ProxyTypePermission;
+
/**
* @author Jörg Schaible
*/
@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
BUFFER.append("Executed!");
}
}
+
+ public void testDeniedInstanceOfVoid() {
+ try {
+ xstream.fromXML("<void/>");
+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
+ } catch (final ForbiddenClassException e) {
+ // OK
+ }
+ }
+
+ public void testAllowedInstanceOfVoid() {
+ xstream.allowTypes(void.class, Void.class);
+ try {
+ xstream.fromXML("<void/>");
+ fail("Thrown " + ConversionException.class.getName() + " expected");
+ } catch (final ConversionException e) {
+ assertEquals("void", e.get("construction-type"));
+ }
+ }
}
--
2.9.3