
AnyAnnotationTypePermission that accepts any class with XStream annotation

Open ge0ffrey opened this issue 8 years ago • 7 comments

This permission accepts any class with an XStream annotation, because that class was designed with XStream in mind and therefore it is fair to presume it is not vulnerable. Jackson and JAXB follow this philosophy too and they don't have any CVEs against this behavior.

This PR just creates and tests that class, but I strongly believe it should also be added into XStream.setupDefaultSecurity(), so XStream 1.5 isn't harder to use than JAXB and Jackson. However, that's a different issue/discussion, so I haven't included that change here, due to the debatable nature of that change. (The fact that XStream can also be used without annotations is unrelated to this change: just because the security framework has to be a pain for xstream usage without annotations, it shouldn't force xstream usage with annotations to be as painful if that approach does have a less painful solution.)

ge0ffrey avatar Oct 16 '17 11:10 ge0ffrey
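An illustration of the idea in the PR description, added here as an example; it is not the PR's class and not XStream's own code. It wires a hypothetical `AnyXStreamAnnotationPermission` (a `TypePermission` that accepts a class if the class itself or one of its declared fields carries an XStream annotation) into an XStream instance whose permissions were first cleared with `NoTypePermission.NONE`. The sample types `Order` and `Plain`, the marker-annotation list, and the decision to inspect only the class's own declarations (not its supertypes) are assumptions for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import com.thoughtworks.xstream.annotations.XStreamAsAttribute;
import com.thoughtworks.xstream.annotations.XStreamConverter;
import com.thoughtworks.xstream.annotations.XStreamImplicit;
import com.thoughtworks.xstream.annotations.XStreamOmitField;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import com.thoughtworks.xstream.security.TypePermission;

import java.lang.annotation.Annotation;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.List;

// Hypothetical permission for this example: an XStream annotation on the type
// or on one of its declared fields is taken as evidence that the class was
// written for XStream, so the class is put on the whitelist.
final class AnyXStreamAnnotationPermission implements TypePermission {
    // Assumed marker set; XStream's annotation package has more, these suffice here.
    private static final List<Class<? extends Annotation>> MARKERS = Arrays.asList(
        XStreamAlias.class, XStreamAsAttribute.class, XStreamConverter.class,
        XStreamImplicit.class, XStreamOmitField.class);

    @Override
    public boolean allows(Class<?> type) {
        if (type == null || type.isPrimitive() || type.isArray()) {
            return false; // primitives and arrays are left to the explicit permissions
        }
        // Design choice for the example: only the class's own annotations count.
        // A marker inherited from a superclass says nothing about the subclass.
        for (Class<? extends Annotation> marker : MARKERS) {
            if (type.isAnnotationPresent(marker)) {
                return true;
            }
        }
        for (Field field : type.getDeclaredFields()) {
            for (Class<? extends Annotation> marker : MARKERS) {
                if (field.isAnnotationPresent(marker)) {
                    return true;
                }
            }
        }
        return false;
    }
}

// Sample type (constructed for the example): annotated, so it is accepted.
@XStreamAlias("order")
final class Order {
    @XStreamAsAttribute
    String id;
    int quantity;
}

// Sample type (constructed for the example): no XStream annotation anywhere,
// so the permission does not vouch for it and the default deny applies.
final class Plain {
    String value;
}

public final class AnnotatedTypePermissionExample {
    public static void main(String[] args) {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // clear all permissions: deny by default
        xstream.addPermission(NullPermission.NULL);                // null is always harmless
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and wrappers
        xstream.addPermission(new AnyXStreamAnnotationPermission());
        xstream.processAnnotations(Order.class);                   // registers the "order" alias
        xstream.alias("plain", Plain.class);                       // alias only, no permission granted

        Object accepted = xstream.fromXML("<order id=\"42\"><quantity>3</quantity></order>");
        System.out.println("accepted: " + accepted.getClass().getSimpleName());

        try {
            xstream.fromXML("<plain><value>x</value></plain>");
            System.out.println("unexpected: Plain was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with xstream on the classpath; the `Order` document unmarshals, while the `Plain` document is refused with a `ForbiddenClassException` even though an alias for it is registered, because aliases and permissions are independent. The check is purely syntactic: any listed marker on the type or a field is enough, which is exactly the trust assumption the PR description spells out (a class annotated for XStream was designed with XStream in mind). Whether supertypes, nested element types, or converter-declared types should also be inspected is a policy question this example does not settle.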

Coverage Status

Coverage decreased (-0.006%) to 77.851% when pulling 4aa5e9c17b2142736e9b73cdcebf49a28ef5f15d on ge0ffrey:AnyAnnotationTypePermission into c66e3ab9a444292bad95cd0a24a9bb36763b16f9 on x-stream:master.

coveralls avatar Oct 16 '17 11:10 coveralls

Coverage Status

Coverage increased (+0.01%) to 77.87% when pulling a4c00526b908db3d966fd887adbd84d3147dcd76 on ge0ffrey:AnyAnnotationTypePermission into c66e3ab9a444292bad95cd0a24a9bb36763b16f9 on x-stream:master.

coveralls avatar Oct 16 '17 13:10 coveralls

@joehni I hope all is going well with you - any chance to merge this PR? It's a trivial addition.

ge0ffrey avatar Dec 12 '17 08:12 ge0ffrey

Hi Niclas,

I am currently busy with real life and I have not yet found the time for a review. Sorry.

joehni avatar Dec 21 '17 00:12 joehni

@joehni No worries, I understand, I was in a similar situation before I joined RH. In any case, this code doesn't change any of the default behavior of XStream, it just offers an extra TypePermission to use.

ge0ffrey avatar Jan 10 '18 10:01 ge0ffrey

@joehni any status change? It's not much to review :)

ge0ffrey avatar Feb 22 '18 10:02 ge0ffrey

Hi Geoffrey,

yes, I am going to accept this. I will implement something similar for types configured the normal way; I already have something in mind.

Cheers, Jörg

joehni avatar Mar 04 '18 16:03 joehni

I'd like to keep it open... despite the time that has passed in the meanwhile.

joehni avatar Feb 13 '24 23:02 joehni