From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Wed, 12 Apr 2017 12:19:21 +0200
Subject: [PATCH] Prevent deserialization of void

---
 .../SunLimitedUnsafeReflectionProvider.java        | 22 ++++++++++++--------
 .../xstream/security/PrimitiveTypePermission.java  |  5 +++--
 .../acceptance/SecurityVulnerabilityTest.java      | 24 +++++++++++++++++++++-
 3 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
index 2c569ae..491f0d6 100644
--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004, 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
  * All rights reserved.
  *
  * Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid
             throw ex;
         }
         ErrorWritingException ex = null;
-        try {
-            return unsafe.allocateInstance(type);
-        } catch (SecurityException e) {
-            ex = new ObjectAccessException("Cannot construct type", e);
-        } catch (InstantiationException e) {
-            ex =  new ConversionException("Cannot construct type", e);
-        } catch (IllegalArgumentException e) {
-            ex = new ObjectAccessException("Cannot construct type", e);
+        if (type == void.class || type == Void.class) {
+            ex = new ConversionException("Type void cannot have an instance");
+        } else {
+            try {
+                return unsafe.allocateInstance(type);
+            } catch (SecurityException e) {
+                ex = new ObjectAccessException("Cannot construct type", e);
+            } catch (InstantiationException e) {
+                ex =  new ConversionException("Cannot construct type", e);
+            } catch (IllegalArgumentException e) {
+                ex = new ObjectAccessException("Cannot construct type", e);
+            }
         }
         ex.add("construction-type", type.getName());
         throw ex;
diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
index fb69b95..c3cbad9 100644
--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 XStream Committers.
+ * Copyright (C) 2014, 2017 XStream Committers.
  * All rights reserved.
  *
  * Created on 09. January 2014 by Joerg Schaible
@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security;
 
 import com.thoughtworks.xstream.core.util.Primitives;
 
+
 /**
- * Permission for any primitive type and its boxed counterpart (incl. void).
+ * Permission for any primitive type and its boxed counterpart (excl. void).
  * 
  * @author J&ouml;rg Schaible
  * @since 1.4.7
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
index c77b3ce..0180fd7 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2014 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance;
 import java.beans.EventHandler;
 
 import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
 import com.thoughtworks.xstream.security.ProxyTypePermission;
 
+
 /**
  * @author J&ouml;rg Schaible
  */
@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
             BUFFER.append("Executed!");
         }
     }
+
+    public void testDeniedInstanceOfVoid() {
+        try {
+            xstream.fromXML("<void/>");
+            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
+        } catch (final ForbiddenClassException e) {
+            // OK
+        }
+    }
+
+    public void testAllowedInstanceOfVoid() {
+        xstream.allowTypes(void.class, Void.class);
+        try {
+            xstream.fromXML("<void/>");
+            fail("Thrown " + ConversionException.class.getName() + " expected");
+        } catch (final ConversionException e) {
+            assertEquals("void", e.get("construction-type"));
+        }
+    }
 }
-- 
2.9.3