From: Markus Koschany <apo@debian.org>
Date: Sat, 3 Apr 2021 20:47:22 +0200
Subject: CVE-2021-21341-to-CVE-2021-21351
Bug-Debian: https://bugs.debian.org/985843
Origin: https://github.com/x-stream/xstream/commit/d5e51177634afea7213b9dc2d21f101d2e258db9
---
.../src/java/com/thoughtworks/xstream/XStream.java | 31 +++++++++++++---
.../acceptance/SecurityVulnerabilityTest.java | 43 ++++++++++++++++++++++
2 files changed, 69 insertions(+), 5 deletions(-)
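--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -1,6 +1,6 @@
 /*
 * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream Committers.
 * All rights reserved.
 *
 * The software in this package is published under the terms of the BSD
@@ -36,7 +36,6 @@ import java.net.URL;
 import java.nio.charset.Charset;
 import java.text.DecimalFormatSymbols;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.BitSet;
 import java.util.Calendar;
 import java.util.Collection;
@@ -354,9 +353,14 @@ public class XStream {
 
 private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
 private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+ private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
+ private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
 private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+ private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
+ private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
+ "javafx\\.collections\\.ObservableList\\$.*");
 private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
- private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
+ private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
 
 /**
 * Constructs a default XStream.
@@ -703,18 +707,35 @@ public class XStream {
 "java.beans.EventHandler",
 "java.lang.ProcessBuilder",
 "javax.imageio.ImageIO$ContainsFilter",
- "jdk.nashorn.internal.objects.NativeString"});
+ "jdk.nashorn.internal.objects.NativeString", //
+ "com.sun.corba.se.impl.activation.ServerTableEntry", //
+ "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator", //
+ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
+ "sun.swing.SwingLazyValue"});
+ denyTypesByRegExp(new Pattern[]{
+ LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
+ JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
+ denyTypeHierarchy(InputStream.class);
+ denyTypeHierarchyDynamically("java.nio.channels.Channel");
+ denyTypeHierarchyDynamically("javax.activation.DataSource");
+ denyTypeHierarchyDynamically("javax.sql.rowset.BaseRowSet");
 denyTypes(new Class[]{
 java.lang.ProcessBuilder.class,
 jdk.nashorn.internal.objects.NativeString.class,
 java.beans.EventHandler.class,
 java.lang.ProcessBuilder.class,
 java.lang.Void.class, void.class });
- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
 allowTypeHierarchy(Exception.class);
 securityInitialized = false;
 }
 
+ private void denyTypeHierarchyDynamically(String className) {
+ Class type = JVM.loadClassForName(className);
+ if (type != null) {
+ denyTypeHierarchy(type);
+ }
+ }
+
 /**
 * Setup the security framework of a XStream instance.
 * <p>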
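Review bot: The new helper `denyTypeHierarchyDynamically` declares a raw `Class` and carries no comment explaining that a class which cannot be loaded is deliberately skipped, which is presumably why the lookup goes through `JVM.loadClassForName` instead of a `.class` literal (the `javax.activation` and `javax.sql.rowset` roots are not present on every runtime — inferred, not visible in the hunk). Prefer `Class<?> type = JVM.loadClassForName(className);` and a Javadoc along the lines of `Denies a type hierarchy whose root class may be absent on the running JVM; does nothing when the class cannot be loaded.` The constant `JAVAFX_OBSERVABLE_LIST__` has a stray double underscore that breaks the naming of its siblings; `JAVAFX_OBSERVABLE_LIST` would do. Since the default security setup remains a denylist that is extended patch by patch, the Javadoc of the "Setup the security framework" method that follows the hunk should keep pointing users at `allowTypes`/`allowTypeHierarchy` for production configurations. The method receiving the new deny calls starts above the hunk, so the remainder of its list cannot be checked here.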
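--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -11,6 +11,7 @@
 package com.thoughtworks.acceptance;
 
 import java.beans.EventHandler;
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -271,4 +272,46 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
 }
 }
 }
+
+ public void testCannotInjectManipulatedByteArryInputStream() {
+ xstream.alias("bais", ByteArrayInputStream.class);
+ System.out.println(Integer.MAX_VALUE);
+ final String xml = ""
+ + "<bais>\n"
+ + " <buf></buf>\n"
+ + " <pos>-2147483648</pos>\n"
+ + " <mark>0</mark>\n"
+ + " <count>0</count>\n"
+ + "</bais>";
+
+ try {
+ xstream.fromXML(xml);
+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
+ } catch (final ForbiddenClassException e) {
+ assertEquals(e.getMessage(),ByteArrayInputStream.class.getName());
+ }
+ }
+
+ public void testExplicitlyUnmarshalEndlessByteArryInputStream() {
+ xstream.alias("bais", ByteArrayInputStream.class);
+ xstream.allowTypes(new Class[]{ByteArrayInputStream.class});
+
+ final String xml = ""
+ + "<bais>\n"
+ + " <buf></buf>\n"
+ + " <pos>-2147483648</pos>\n"
+ + " <mark>0</mark>\n"
+ + " <count>0</count>\n"
+ + "</bais>";
+
+ final byte[] data = new byte[10];
+ final ByteArrayInputStream bais = (ByteArrayInputStream)xstream.fromXML(xml);
+ int i = 5;
+ while(bais.read(data, 0, 10) == 0) {
+ if (--i == 0) {
+ break;
+ }
+ }
+ assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+ }
 }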
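Review bot: `System.out.println(Integer.MAX_VALUE);` in `testCannotInjectManipulatedByteArryInputStream` is a leftover debug statement and should be removed. The assertion in that test's catch block passes expected and actual in the wrong order for the JUnit 3 style the class uses, so a failure would report the values swapped; `assertEquals(ByteArrayInputStream.class.getName(), e.getMessage());` fixes it. Both new method names misspell "ByteArray" as `ByteArry`, which is cheap to correct while the tests are new. In `testExplicitlyUnmarshalEndlessByteArryInputStream` the five-iteration guard deserves a one-line comment such as `// a negative pos makes read() return 0 instead of -1 indefinitely, so the loop is bounded` since the assertion message is the only hint at why the loop is capped.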