Example 1 with WildcardTypePermission

Use of com.thoughtworks.xstream.security.WildcardTypePermission in project camel by apache.

The class XStreamUtils, method addPermissions:

public static void addPermissions(XStream xstream, String permissions) {
    // permissions is a comma-separated list of terms; a leading "-" denies the term,
    // an optional leading "+" allows it; "*" alone matches any type, a term containing
    // '*' is treated as a wildcard pattern, anything else is an exact class name
    for (String pterm : permissions.split(",")) {
        boolean aod;
        pterm = pterm.trim();
        if (pterm.startsWith("-")) {
            aod = false;
            pterm = pterm.substring(1);
        } else {
            aod = true;
            if (pterm.startsWith("+")) {
                pterm = pterm.substring(1);
            }
        }
        TypePermission typePermission = null;
        if ("*".equals(pterm)) {
            // accept or deny any
            typePermission = AnyTypePermission.ANY;
        } else if (pterm.indexOf('*') < 0) {
            // exact type
            typePermission = new ExplicitTypePermission(new String[] { pterm });
        } else if (pterm.length() > 0) {
            // wildcard type
            typePermission = new WildcardTypePermission(new String[] { pterm });
        }
        if (typePermission != null) {
            if (aod) {
                xstream.addPermission(typePermission);
            } else {
                xstream.denyPermission(typePermission);
            }
        }
    }
}

Example 2 with WildcardTypePermission

Use of com.thoughtworks.xstream.security.WildcardTypePermission in project jgnash by ccavanaugh.

The class AbstractXStreamContainer, method configureXStream:

static XStream configureXStream(final XStreamJVM9 xstream) {
    // configure XStream security: deny every type first, then allowlist only
    // primitives, arrays and the packages the jgnash file format needs
    xstream.addPermission(NoTypePermission.NONE);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.addPermission(ArrayTypePermission.ARRAYS);
    xstream.addPermission(new WildcardTypePermission(new String[] { "java.**", "jgnash.engine.**" }));
    // gracefully ignore fields in the file that do not have object members
    xstream.ignoreUnknownElements();
    xstream.setMode(XStream.ID_REFERENCES);
    // use date instead of local-date by default
    xstream.alias("date", LocalDate.class);
    xstream.alias("Decimal", BigDecimal.class);
    xstream.alias("Account", Account.class);
    xstream.alias("RootAccount", RootAccount.class);
    xstream.alias("Budget", Budget.class);
    xstream.alias("BudgetGoal", BudgetGoal.class);
    xstream.alias("Config", Config.class);
    xstream.alias("CurrencyNode", CurrencyNode.class);
    xstream.alias("ExchangeRate", ExchangeRate.class);
    xstream.alias("ExchangeRateHistoryNode", ExchangeRateHistoryNode.class);
    xstream.alias("InvestmentTransaction", InvestmentTransaction.class);
    xstream.alias("BudgetPeriod", Period.class);
    xstream.alias("SecurityNode", SecurityNode.class);
    xstream.alias("SecurityHistoryNode", SecurityHistoryNode.class);
    xstream.alias("SecurityHistoryEvent", SecurityHistoryEvent.class);
    xstream.alias("Tag", Tag.class);
    xstream.alias("Transaction", Transaction.class);
    xstream.alias("TransactionEntry", TransactionEntry.class);
    xstream.alias("TransactionEntryAddX", TransactionEntryAddX.class);
    xstream.alias("TransactionEntryBuyX", TransactionEntryBuyX.class);
    xstream.alias("TransactionEntryDividendX", TransactionEntryDividendX.class);
    xstream.alias("TransactionEntryMergeX", TransactionEntryMergeX.class);
    xstream.alias("TransactionEntryReinvestDivX", TransactionEntryReinvestDivX.class);
    xstream.alias("TransactionEntryRemoveX", TransactionEntryRemoveX.class);
    xstream.alias("TransactionEntrySellX", TransactionEntrySellX.class);
    xstream.alias("TransactionEntrySplitX", TransactionEntrySplitX.class);
    xstream.useAttributeFor(Account.class, "placeHolder");
    xstream.useAttributeFor(Account.class, "locked");
    xstream.useAttributeFor(Account.class, "visible");
    xstream.useAttributeFor(Account.class, "name");
    xstream.useAttributeFor(Account.class, DESCRIPTION);
    xstream.useAttributeFor(Budget.class, DESCRIPTION);
    xstream.useAttributeFor(Budget.class, "name");
    xstream.useAttributeFor(Budget.class, "roundingScale");
    xstream.useAttributeFor(Budget.class, "roundingMode");
    xstream.useAttributeFor(Budget.class, "startMonth");
    xstream.useAttributeFor(CommodityNode.class, "symbol");
    xstream.useAttributeFor(CommodityNode.class, "scale");
    xstream.useAttributeFor(CommodityNode.class, "prefix");
    xstream.useAttributeFor(CommodityNode.class, "suffix");
    xstream.useAttributeFor(CommodityNode.class, DESCRIPTION);
    xstream.useAttributeFor(SecurityHistoryNode.class, "date");
    xstream.useAttributeFor(SecurityHistoryNode.class, "price");
    xstream.useAttributeFor(SecurityHistoryNode.class, "high");
    xstream.useAttributeFor(SecurityHistoryNode.class, "low");
    xstream.useAttributeFor(SecurityHistoryNode.class, "volume");
    xstream.useAttributeFor(SecurityHistoryEvent.class, "date");
    xstream.useAttributeFor(SecurityHistoryEvent.class, "type");
    xstream.useAttributeFor(SecurityHistoryEvent.class, "value");
    xstream.useAttributeFor(StoredObject.class, "uuid");
    xstream.useAttributeFor(Tag.class, "name");
    xstream.useAttributeFor(Tag.class, "color");
    xstream.useAttributeFor(Tag.class, "unicode");
    xstream.omitField(StoredObject.class, "markedForRemoval");
    // Ignore fields required for JPA
    xstream.omitField(StoredObject.class, "version");
    xstream.omitField(AmortizeObject.class, "id");
    xstream.omitField(BudgetGoal.class, "id");
    xstream.omitField(TransactionEntry.class, "id");
    xstream.omitField(ExchangeRateHistoryNode.class, "id");
    xstream.omitField(SecurityHistoryNode.class, "id");
    xstream.omitField(SecurityHistoryEvent.class, "id");
    // Filter out Hibernate proxies and lazily loaded persistent collections/maps
    xstream.registerConverter(new HibernateProxyConverter());
    xstream.registerConverter(new HibernatePersistentCollectionConverter(xstream.getMapper()));
    xstream.registerConverter(new HibernatePersistentMapConverter(xstream.getMapper()));
    return xstream;
}

Example 3 with WildcardTypePermission

Use of com.thoughtworks.xstream.security.WildcardTypePermission in project drools by kiegroup.

The class XStreamUtils, method internalCreateXStream:

/**
 * Vulnerable to CVE-210137285 variants. Do not use. Will be removed in the next few days!
 * @deprecated in favor of {@link #createTrustingXStream()} and {@link #createNonTrustingXStream()}
 */
@Deprecated
private static XStream internalCreateXStream(XStream xstream) {
    setupDefaultSecurity(xstream);
    xstream.addPermission(new WildcardTypePermission(new String[] { "java.**", "javax.**", "org.kie.**", "org.drools.**", "org.jbpm.**", "org.optaplanner.**", "org.appformer.**" }));
    return xstream;
}

Example 4 with WildcardTypePermission

Use of com.thoughtworks.xstream.security.WildcardTypePermission in project camel by apache.

The class AbstractXStreamWrapper, method addPermissions:

private static void addPermissions(XStream xstream, String permissions) {
    // permissions is a comma-separated list of terms; a leading "-" denies the term,
    // an optional leading "+" allows it; "*" alone matches any type, a term containing
    // '*' is treated as a wildcard pattern, anything else is an exact class name
    for (String pterm : permissions.split(",")) {
        boolean aod;
        pterm = pterm.trim();
        if (pterm.startsWith("-")) {
            aod = false;
            pterm = pterm.substring(1);
        } else {
            aod = true;
            if (pterm.startsWith("+")) {
                pterm = pterm.substring(1);
            }
        }
        TypePermission typePermission = null;
        if ("*".equals(pterm)) {
            // accept or deny any
            typePermission = AnyTypePermission.ANY;
        } else if (pterm.indexOf('*') < 0) {
            // exact type
            typePermission = new ExplicitTypePermission(new String[] { pterm });
        } else if (pterm.length() > 0) {
            // wildcard type
            typePermission = new WildcardTypePermission(new String[] { pterm });
        }
        if (typePermission != null) {
            if (aod) {
                xstream.addPermission(typePermission);
            } else {
                xstream.denyPermission(typePermission);
            }
        }
    }
}

Example 5 with WildcardTypePermission

Use of com.thoughtworks.xstream.security.WildcardTypePermission in project drools by kiegroup.

The class XStreamUtils, method internalCreateNonTrustingXStream:

/**
 * Use for XML or JSON that might not come from a trusted source (such as REST service payloads, ...).
 * Automatically allowlists all classes with an {@link XStreamAlias} annotation.
 * Often requires allowlisting additional domain-specific classes, which you'll need to expose in your APIs.
 */
private static XStream internalCreateNonTrustingXStream(XStream xstream) {
    setupDefaultSecurity(xstream);
    // TODO remove if setupDefaultSecurity already does this.
    // See comment in https://github.com/x-stream/xstream/pull/99
    xstream.addPermission(new AnyAnnotationTypePermission());
    xstream.addPermission(new WildcardTypePermission(ALLOWLISTED_PACKAGES));
    // Instead, embrace an allowlist approach and expose that in your APIs.
    return xstream;
}