Import upstream version 1.4.19
Debian Janitor
1 year, 11 months ago
9 | 9 | *.txt text |
10 | 10 | *.xml text |
11 | 11 | |
12 | *.cmd text eol=crlf | |
13 | *.sh text eol=lf | |
14 | ||
12 | 15 | *.gif binary |
13 | 16 | *.jpg binary |
14 | 17 | *.png binary |
7 | 7 | ## Binaries |
8 | 8 | All binary artifacts are bundled in the -bin archive. It includes |
9 | 9 | the XStream jars and any other library used at build time, or |
10 | optional runtime extras. Xpp3 is recommend for use as it will | |
10 | optional runtime extras. MXParser is recommend for use as it will | |
11 | 11 | greatly improve the performance of XStream. |
12 | 12 | |
13 | 13 | ## Documentation |
9 | 9 | |
10 | 10 | All binary artifacts are bundled in the -bin archive. It includes |
11 | 11 | the XStream jars and any other library used at build time, or |
12 | optional runtime extras. Xpp3 is recommend for use as it will | |
12 | optional runtime extras. MXParser is recommend for use as it will | |
13 | 13 | greatly improve the performance of XStream. |
14 | 14 | |
15 | 15 | --[ Documentation ]------------------------------------------ |
0 | 0 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> |
1 | 1 | <!-- |
2 | 2 | Copyright (C) 2006 Joe Walnes. |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2019, 2020, 2021 XStream committers. | |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 XStream committers. | |
4 | 4 | All rights reserved. |
5 | 5 | |
6 | 6 | The software in this package is published under the terms of the BSD |
13 | 13 | <groupId>com.thoughtworks.xstream</groupId> |
14 | 14 | <artifactId>xstream-parent</artifactId> |
15 | 15 | <packaging>pom</packaging> |
16 | <version>1.4.18</version> | |
16 | <version>1.4.19</version> | |
17 | 17 | <name>XStream Parent</name> |
18 | 18 | <url>http://x-stream.github.io</url> |
19 | 19 | <description> |
68 | 68 | </properties> |
69 | 69 | </profile> |
70 | 70 | <profile> |
71 | <id>jdk18-ge</id> | |
71 | <id>jdk8-ge</id> | |
72 | 72 | <activation> |
73 | 73 | <jdk>[1.8,)</jdk> |
74 | 74 | </activation> |
78 | 78 | </properties> |
79 | 79 | </profile> |
80 | 80 | <profile> |
81 | <id>jdk18</id> | |
81 | <id>jdk8</id> | |
82 | 82 | <activation> |
83 | 83 | <jdk>1.8</jdk> |
84 | 84 | </activation> |
88 | 88 | </properties> |
89 | 89 | </profile> |
90 | 90 | <profile> |
91 | <id>jdk16</id> | |
91 | <id>jdk6</id> | |
92 | 92 | <activation> |
93 | 93 | <jdk>1.6</jdk> |
94 | 94 | </activation> |
98 | 98 | </profile> |
99 | 99 | <profile> |
100 | 100 | <!-- build with Maven 3.2.5 !!! --> |
101 | <id>jdk16-ge</id> | |
101 | <id>jdk6-ge</id> | |
102 | 102 | <activation> |
103 | 103 | <jdk>[1.6,)</jdk> |
104 | 104 | </activation> |
110 | 110 | </profile> |
111 | 111 | <profile> |
112 | 112 | <!-- build with Maven 3.0.5 !!! --> |
113 | <id>jdk15</id> | |
113 | <id>jdk5</id> | |
114 | 114 | <activation> |
115 | 115 | <jdk>1.5</jdk> |
116 | 116 | </activation> |
121 | 121 | </profile> |
122 | 122 | <profile> |
123 | 123 | <!-- build with Maven 2.0.10 !!! --> |
124 | <id>jdk14</id> | |
124 | <id>jdk4</id> | |
125 | 125 | <activation> |
126 | 126 | <jdk>1.4</jdk> |
127 | 127 | </activation> |
409 | 409 | <dependency> |
410 | 410 | <groupId>com.thoughtworks.xstream</groupId> |
411 | 411 | <artifactId>xstream</artifactId> |
412 | <version>1.4.18</version> | |
412 | <version>1.4.19</version> | |
413 | 413 | </dependency> |
414 | 414 | <dependency> |
415 | 415 | <groupId>com.thoughtworks.xstream</groupId> |
416 | 416 | <artifactId>xstream</artifactId> |
417 | <version>1.4.18</version> | |
417 | <version>1.4.19</version> | |
418 | 418 | <classifier>tests</classifier> |
419 | 419 | <type>test-jar</type> |
420 | 420 | <scope>test</scope> |
422 | 422 | <dependency> |
423 | 423 | <groupId>com.thoughtworks.xstream</groupId> |
424 | 424 | <artifactId>xstream</artifactId> |
425 | <version>1.4.18</version> | |
425 | <version>1.4.19</version> | |
426 | 426 | <classifier>javadoc</classifier> |
427 | 427 | <scope>provided</scope> |
428 | 428 | </dependency> |
429 | 429 | <dependency> |
430 | 430 | <groupId>com.thoughtworks.xstream</groupId> |
431 | 431 | <artifactId>xstream-hibernate</artifactId> |
432 | <version>1.4.18</version> | |
432 | <version>1.4.19</version> | |
433 | 433 | </dependency> |
434 | 434 | <dependency> |
435 | 435 | <groupId>com.thoughtworks.xstream</groupId> |
436 | 436 | <artifactId>xstream-hibernate</artifactId> |
437 | <version>1.4.18</version> | |
437 | <version>1.4.19</version> | |
438 | 438 | <classifier>javadoc</classifier> |
439 | 439 | <scope>provided</scope> |
440 | 440 | </dependency> |
441 | 441 | <dependency> |
442 | 442 | <groupId>com.thoughtworks.xstream</groupId> |
443 | 443 | <artifactId>xstream-jmh</artifactId> |
444 | <version>1.4.18</version> | |
444 | <version>1.4.19</version> | |
445 | 445 | </dependency> |
446 | 446 | <dependency> |
447 | 447 | <groupId>com.thoughtworks.xstream</groupId> |
448 | 448 | <artifactId>xstream-jmh</artifactId> |
449 | <version>1.4.18</version> | |
449 | <version>1.4.19</version> | |
450 | 450 | <classifier>javadoc</classifier> |
451 | 451 | <scope>provided</scope> |
452 | 452 | </dependency> |
453 | 453 | <dependency> |
454 | 454 | <groupId>com.thoughtworks.xstream</groupId> |
455 | 455 | <artifactId>xstream-benchmark</artifactId> |
456 | <version>1.4.18</version> | |
456 | <version>1.4.19</version> | |
457 | 457 | </dependency> |
458 | 458 | <dependency> |
459 | 459 | <groupId>com.thoughtworks.xstream</groupId> |
460 | 460 | <artifactId>xstream-benchmark</artifactId> |
461 | <version>1.4.18</version> | |
461 | <version>1.4.19</version> | |
462 | 462 | <classifier>javadoc</classifier> |
463 | 463 | <scope>provided</scope> |
464 | 464 | </dependency> |
968 | 968 | <Bundle-Name>${project.name} Sources</Bundle-Name> |
969 | 969 | <Bundle-SymbolicName>${project.artifactId}.sources</Bundle-SymbolicName> |
970 | 970 | <Bundle-Vendor>${project.organization.name} Sources</Bundle-Vendor> |
971 | <Bundle-Version>${project.info.osgiVersion} Sources</Bundle-Version> | |
971 | <Bundle-Version>${project.info.osgiVersion}</Bundle-Version> | |
972 | 972 | <Bundle-License>BSD-3-Clause</Bundle-License> |
973 | 973 | <Eclipse-SourceBundle>${project.artifactId};version=${project.info.osgiVersion}</Eclipse-SourceBundle> |
974 | 974 | <X-Compile-Source>${version.java.source}</X-Compile-Source> |
0 | 0 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> |
1 | 1 | <!-- |
2 | 2 | Copyright (C) 2006 Joe Walnes. |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 XStream committers. | |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 XStream committers. | |
4 | 4 | All rights reserved. |
5 | 5 | |
6 | 6 | The software in this package is published under the terms of the BSD |
13 | 13 | <parent> |
14 | 14 | <groupId>com.thoughtworks.xstream</groupId> |
15 | 15 | <artifactId>xstream-parent</artifactId> |
16 | <version>1.4.18</version> | |
16 | <version>1.4.19</version> | |
17 | 17 | </parent> |
18 | 18 | <artifactId>xstream</artifactId> |
19 | 19 | <packaging>jar</packaging> |
258 | 258 | |
259 | 259 | <profiles> |
260 | 260 | <profile> |
261 | <id>jdk17-ge</id> | |
262 | <activation> | |
263 | <jdk>[17,)</jdk> | |
264 | </activation> | |
265 | <properties> | |
266 | <surefire.argline>--add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/java.time=ALL-UNNAMED --add-opens java.base/java.time.chrono=ALL-UNNAMED --add-opens java.base/java.lang.invoke=ALL-UNNAMED --add-opens java.base/java.lang.ref=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.base/javax.security.auth.x500=ALL-UNNAMED --add-opens java.base/sun.util.calendar=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.desktop/javax.swing=ALL-UNNAMED --add-opens java.desktop/javax.swing.border=ALL-UNNAMED --add-opens java.desktop/javax.swing.event=ALL-UNNAMED --add-opens java.desktop/javax.swing.table=ALL-UNNAMED --add-opens java.desktop/javax.swing.plaf.basic=ALL-UNNAMED --add-opens java.desktop/javax.swing.plaf.metal=ALL-UNNAMED --add-opens java.desktop/javax.imageio=ALL-UNNAMED --add-opens java.desktop/javax.imageio.spi=ALL-UNNAMED --add-opens java.desktop/sun.swing=ALL-UNNAMED --add-opens java.desktop/sun.swing.table=ALL-UNNAMED --add-opens java.xml/javax.xml.datatype=ALL-UNNAMED --add-opens java.xml/com.sun.xml.internal.stream=ALL-UNNAMED --add-opens java.xml/com.sun.org.apache.xerces.internal.parsers=ALL-UNNAMED --add-opens java.xml/com.sun.org.apache.xerces.internal.util=ALL-UNNAMED</surefire.argline> | |
267 | </properties> | |
268 | </profile> | |
269 | <profile> | |
270 | <id>jdk11-ge-jdk16</id> | |
271 | <activation> | |
272 | <jdk>[11,17)</jdk> | |
273 | </activation> | |
274 | <properties> | |
275 | <surefire.argline>--illegal-access=${surefire.illegal.access}</surefire.argline> | |
276 | </properties> | |
277 | </profile> | |
278 | <profile> | |
261 | 279 | <id>jdk11-ge</id> |
262 | 280 | <activation> |
263 | 281 | <jdk>[11,)</jdk> |
277 | 295 | </plugin> |
278 | 296 | </plugins> |
279 | 297 | </build> |
280 | <properties> | |
281 | <surefire.argline>--illegal-access=${surefire.illegal.access}</surefire.argline> | |
282 | </properties> | |
283 | 298 | </profile> |
284 | 299 | <profile> |
285 | 300 | <id>jdk9-ge-jdk10</id> |
291 | 306 | </properties> |
292 | 307 | </profile> |
293 | 308 | <profile> |
294 | <id>jdk18-ge</id> | |
309 | <id>jdk8-ge</id> | |
295 | 310 | <activation> |
296 | 311 | <jdk>[1.8,)</jdk> |
297 | 312 | </activation> |
330 | 345 | </configuration> |
331 | 346 | <executions> |
332 | 347 | <execution> |
333 | <id>compile-jdk15</id> | |
348 | <id>compile-jdk5</id> | |
334 | 349 | <configuration> |
335 | 350 | <source>${version.java.5}</source> |
336 | 351 | <target>${version.java.5}</target> |
350 | 365 | </goals> |
351 | 366 | </execution> |
352 | 367 | <execution> |
353 | <id>compile-jdk18</id> | |
368 | <id>compile-jdk8</id> | |
354 | 369 | <configuration> |
355 | 370 | <source>1.8</source> |
356 | 371 | <target>1.8</target> |
368 | 383 | </build> |
369 | 384 | </profile> |
370 | 385 | <profile> |
371 | <id>jdk18</id> | |
386 | <id>jdk8</id> | |
372 | 387 | <activation> |
373 | 388 | <jdk>1.8</jdk> |
374 | 389 | </activation> |
404 | 419 | </reporting> |
405 | 420 | </profile> |
406 | 421 | <profile> |
407 | <id>jdk17</id> | |
422 | <id>jdk7</id> | |
408 | 423 | <activation> |
409 | 424 | <jdk>1.7</jdk> |
410 | 425 | </activation> |
442 | 457 | </build> |
443 | 458 | </profile> |
444 | 459 | <profile> |
445 | <id>jdk16</id> | |
460 | <id>jdk6</id> | |
446 | 461 | <activation> |
447 | 462 | <jdk>1.6</jdk> |
448 | 463 | </activation> |
475 | 490 | </build> |
476 | 491 | </profile> |
477 | 492 | <profile> |
478 | <id>jdk15</id> | |
493 | <id>jdk5</id> | |
479 | 494 | <activation> |
480 | 495 | <jdk>1.5</jdk> |
481 | 496 | </activation> |
510 | 525 | </build> |
511 | 526 | </profile> |
512 | 527 | <profile> |
513 | <id>jdk16-ge</id> | |
528 | <id>jdk6-ge</id> | |
514 | 529 | <activation> |
515 | 530 | <jdk>[1.6,)</jdk> |
516 | 531 | </activation> |
550 | 565 | </build> |
551 | 566 | </profile> |
552 | 567 | <profile> |
553 | <id>jdk14</id> | |
568 | <id>jdk4</id> | |
554 | 569 | <activation> |
555 | 570 | <jdk>1.4</jdk> |
556 | 571 | </activation> |
0 | 0 | /* |
1 | 1 | * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes. |
2 | * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream Committers. | |
2 | * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream Committers. | |
3 | 3 | * All rights reserved. |
4 | 4 | * |
5 | 5 | * The software in this package is published under the terms of the BSD |
150 | 150 | import com.thoughtworks.xstream.mapper.XStream11XmlFriendlyMapper; |
151 | 151 | import com.thoughtworks.xstream.security.AnyTypePermission; |
152 | 152 | import com.thoughtworks.xstream.security.ArrayTypePermission; |
153 | import com.thoughtworks.xstream.security.InputManipulationException; | |
153 | 154 | import com.thoughtworks.xstream.security.ExplicitTypePermission; |
154 | 155 | import com.thoughtworks.xstream.security.InterfaceTypePermission; |
155 | 156 | import com.thoughtworks.xstream.security.NoPermission; |
294 | 295 | |
295 | 296 | // CAUTION: The sequence of the fields is intentional for an optimal XML output of a |
296 | 297 | // self-serialization! |
298 | private int collectionUpdateLimit = 20; | |
299 | ||
297 | 300 | private ReflectionProvider reflectionProvider; |
298 | 301 | private HierarchicalStreamDriver hierarchicalStreamDriver; |
299 | 302 | private ClassLoaderReference classLoaderReference; |
327 | 330 | public static final int PRIORITY_NORMAL = 0; |
328 | 331 | public static final int PRIORITY_LOW = -10; |
329 | 332 | public static final int PRIORITY_VERY_LOW = -20; |
333 | ||
334 | public static final String COLLECTION_UPDATE_LIMIT = "XStreamCollectionUpdateLimit"; | |
335 | public static final String COLLECTION_UPDATE_SECONDS = "XStreamCollectionUpdateSeconds"; | |
330 | 336 | |
331 | 337 | private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper"; |
332 | 338 | private static final Pattern IGNORE_ALL = Pattern.compile(".*"); |
1182 | 1188 | } |
1183 | 1189 | |
1184 | 1190 | /** |
1191 | * Set time limit for adding elements to collections or maps. | |
1192 | * | |
1193 | * Manipulated content may be used to create recursive hash code calculations or sort operations. An | |
1194 | * {@link InputManipulationException} is thrown, it the summed up time to add elements to collections or maps | |
1195 | * exceeds the provided limit. | |
1196 | * | |
1197 | * Note, that the time to add an individual element is calculated in seconds, not milliseconds. However, attacks | |
1198 | * typically use objects with exponential growing calculation times. | |
1199 | * | |
1200 | * @param maxSeconds limit in seconds or 0 to disable check | |
1201 | * @since 1.4.19 | |
1202 | */ | |
1203 | public void setCollectionUpdateLimit(int maxSeconds) { | |
1204 | collectionUpdateLimit = maxSeconds; | |
1205 | } | |
1206 | ||
1207 | /** | |
1185 | 1208 | * Serialize an object to a pretty-printed XML String. |
1186 | 1209 | * |
1187 | 1210 | * @throws XStreamException if the object cannot be serialized |
1387 | 1410 | */ |
1388 | 1411 | public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) { |
1389 | 1412 | try { |
1413 | if (collectionUpdateLimit >= 0) { | |
1414 | if (dataHolder == null) { | |
1415 | dataHolder = new MapBackedDataHolder(); | |
1416 | } | |
1417 | dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit)); | |
1418 | dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0)); | |
1419 | } | |
1390 | 1420 | return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper); |
1391 | 1421 | } catch (ConversionException e) { |
1392 | 1422 | Package pkg = getClass().getPackage(); |
2052 | 2082 | * @see #createObjectInputStream(com.thoughtworks.xstream.io.HierarchicalStreamReader) |
2053 | 2083 | * @since 1.4.10 |
2054 | 2084 | */ |
2055 | public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, final DataHolder dataHolder) | |
2085 | public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, DataHolder dataHolder) | |
2056 | 2086 | throws IOException { |
2087 | if (collectionUpdateLimit >= 0) { | |
2088 | if (dataHolder == null) { | |
2089 | dataHolder = new MapBackedDataHolder(); | |
2090 | } | |
2091 | dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit)); | |
2092 | dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0)); | |
2093 | } | |
2094 | final DataHolder dh = dataHolder; | |
2057 | 2095 | return new CustomObjectInputStream(new CustomObjectInputStream.StreamCallback() { |
2058 | 2096 | public Object readFromStream() throws EOFException { |
2059 | 2097 | if (!reader.hasMoreChildren()) { |
2060 | 2098 | throw new EOFException(); |
2061 | 2099 | } |
2062 | 2100 | reader.moveDown(); |
2063 | final Object result = unmarshal(reader, null, dataHolder); | |
2101 | final Object result = unmarshal(reader, null, dh); | |
2064 | 2102 | reader.moveUp(); |
2065 | 2103 | return result; |
2066 | 2104 | } |
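Review bot: The javadoc on setCollectionUpdateLimit promises `0 to disable check`, but the guard added in unmarshal (and repeated in createObjectInputStream) is `if (collectionUpdateLimit >= 0)`, so a limit of 0 is still seeded into the DataHolder, and with SecurityUtils.checkForCollectionDoSAttack comparing `seconds > limit` any single insertion that takes a full second then raises InputManipulationException; only a negative value actually switches the check off. Either the tag should read `@param maxSeconds limit in seconds or a negative value to disable the check`, or the two guards should become `if (collectionUpdateLimit > 0)`, whichever matches the intent. The same javadoc has a typo, `it the summed up time` should be `if the summed up time`. The seeding block is duplicated verbatim in both methods and would be easier to keep consistent as one private helper returning the (possibly new) DataHolder; unmarshal's catch handler continues past the hunk.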
+5
-1
0 | 0 | /* |
1 | 1 | * Copyright (C) 2003, 2004, 2005 Joe Walnes. |
2 | * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018 XStream Committers. | |
2 | * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018, 2021 XStream Committers. | |
3 | 3 | * All rights reserved. |
4 | 4 | * |
5 | 5 | * The software in this package is published under the terms of the BSD |
12 | 12 | |
13 | 13 | import com.thoughtworks.xstream.converters.MarshallingContext; |
14 | 14 | import com.thoughtworks.xstream.converters.UnmarshallingContext; |
15 | import com.thoughtworks.xstream.core.SecurityUtils; | |
15 | 16 | import com.thoughtworks.xstream.io.HierarchicalStreamReader; |
16 | 17 | import com.thoughtworks.xstream.io.HierarchicalStreamWriter; |
17 | 18 | import com.thoughtworks.xstream.mapper.Mapper; |
95 | 96 | protected void addCurrentElementToCollection(HierarchicalStreamReader reader, UnmarshallingContext context, |
96 | 97 | Collection collection, Collection target) { |
97 | 98 | final Object item = readItem(reader, context, collection); // call readBareItem when deprecated method is removed |
99 | ||
100 | long now = System.currentTimeMillis(); | |
98 | 101 | target.add(item); |
102 | SecurityUtils.checkForCollectionDoSAttack(context, now); | |
99 | 103 | } |
100 | 104 | |
101 | 105 | protected Object createCollection(Class type) { |
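Review bot: The new timestamp local `long now = System.currentTimeMillis();` breaks the surrounding style, where every local in this method is `final`, and its name does not match the `start` parameter it is passed to in SecurityUtils.checkForCollectionDoSAttack; `final long start = System.currentTimeMillis();` followed by `SecurityUtils.checkForCollectionDoSAttack(context, start);` would read consistently. A short comment explaining why only the `add` is bracketed would help converter authors who copy this pattern, e.g. `// time only the insertion: hashCode/compareTo on a manipulated item is what the DoS check accounts for`. The same local and the same missing comment appear in the two map converter hunks below; in the first of those the enclosing method's signature begins outside the hunk.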
0 | 0 | /* |
1 | 1 | * Copyright (C) 2003, 2004, 2005 Joe Walnes. |
2 | * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018 XStream Committers. | |
2 | * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018, 2021 XStream Committers. | |
3 | 3 | * All rights reserved. |
4 | 4 | * |
5 | 5 | * The software in this package is published under the terms of the BSD |
12 | 12 | |
13 | 13 | import com.thoughtworks.xstream.converters.MarshallingContext; |
14 | 14 | import com.thoughtworks.xstream.converters.UnmarshallingContext; |
15 | import com.thoughtworks.xstream.core.SecurityUtils; | |
15 | 16 | import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper; |
16 | 17 | import com.thoughtworks.xstream.io.HierarchicalStreamReader; |
17 | 18 | import com.thoughtworks.xstream.io.HierarchicalStreamWriter; |
103 | 104 | Map map, Map target) { |
104 | 105 | final Object key = readCompleteItem(reader, context, map); |
105 | 106 | final Object value = readCompleteItem(reader, context, map); |
107 | ||
108 | long now = System.currentTimeMillis(); | |
106 | 109 | target.put(key, value); |
110 | SecurityUtils.checkForCollectionDoSAttack(context, now); | |
107 | 111 | } |
108 | 112 | |
109 | 113 | protected Object createCollection(Class type) { |
+4
-1
0 | 0 | /* |
1 | * Copyright (C) 2013, 2016, 2018 XStream Committers. | |
1 | * Copyright (C) 2013, 2016, 2018, 2021 XStream Committers. | |
2 | 2 | * All rights reserved. |
3 | 3 | * |
4 | 4 | * The software in this package is published under the terms of the BSD |
20 | 20 | import com.thoughtworks.xstream.converters.UnmarshallingContext; |
21 | 21 | import com.thoughtworks.xstream.converters.collections.MapConverter; |
22 | 22 | import com.thoughtworks.xstream.core.JVM; |
23 | import com.thoughtworks.xstream.core.SecurityUtils; | |
23 | 24 | import com.thoughtworks.xstream.core.util.HierarchicalStreams; |
24 | 25 | import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper; |
25 | 26 | import com.thoughtworks.xstream.io.HierarchicalStreamReader; |
338 | 339 | value = valueConverter.fromString(reader.getValue()); |
339 | 340 | } |
340 | 341 | |
342 | long now = System.currentTimeMillis(); | |
341 | 343 | target.put(key, value); |
344 | SecurityUtils.checkForCollectionDoSAttack(context, now); | |
342 | 345 | |
343 | 346 | if (entryName != null) { |
344 | 347 | reader.moveUp(); |
0 | /* | |
1 | * Copyright (C) 2021, 2022 XStream Committers. | |
2 | * All rights reserved. | |
3 | * | |
4 | * The software in this package is published under the terms of the BSD | |
5 | * style license a copy of which has been included with this distribution in | |
6 | * the LICENSE.txt file. | |
7 | * | |
8 | * Created on 21. September 2021 by Joerg Schaible | |
9 | */ | |
10 | package com.thoughtworks.xstream.core; | |
11 | ||
12 | import com.thoughtworks.xstream.XStream; | |
13 | import com.thoughtworks.xstream.converters.ConversionException; | |
14 | import com.thoughtworks.xstream.converters.UnmarshallingContext; | |
15 | import com.thoughtworks.xstream.security.InputManipulationException; | |
16 | ||
17 | ||
18 | /** | |
19 | * Utility functions for security issues. | |
20 | * | |
21 | * @author Jörg Schaible | |
22 | * @since 1.4.19 | |
23 | */ | |
24 | public class SecurityUtils { | |
25 | ||
26 | /** | |
27 | * Check the consumed time adding elements to collections or maps. | |
28 | * | |
29 | * Every custom converter should call this method after an unmarshalled element has been added to a collection or | |
30 | * map. In case of an attack the operation will take too long, because the calculation of the hash code or the | |
31 | * comparison of the elements in the collection operate on recursive structures. | |
32 | * | |
33 | * @param context the unmarshalling context | |
34 | * @param start the timestamp just before the element was added to the collection or map | |
35 | * @since 1.4.19 | |
36 | */ | |
37 | public static void checkForCollectionDoSAttack(final UnmarshallingContext context, final long start) { | |
38 | final int diff = (int)((System.currentTimeMillis() - start) / 1000); | |
39 | if (diff > 0) { | |
40 | final Integer secondsUsed = (Integer)context.get(XStream.COLLECTION_UPDATE_SECONDS); | |
41 | if (secondsUsed != null) { | |
42 | final Integer limit = (Integer)context.get(XStream.COLLECTION_UPDATE_LIMIT); | |
43 | if (limit == null) { | |
44 | throw new ConversionException("Missing limit for updating collections."); | |
45 | } | |
46 | final int seconds = secondsUsed.intValue() + diff; | |
47 | if (seconds > limit.intValue()) { | |
48 | throw new InputManipulationException( | |
49 | "Denial of Service attack assumed. Adding elements to collections or maps exceeds " + limit.intValue() + " seconds."); | |
50 | } | |
51 | context.put(XStream.COLLECTION_UPDATE_SECONDS, new Integer(seconds)); | |
52 | } | |
53 | } | |
54 | } | |
55 | } |
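Review bot: checkForCollectionDoSAttack derives `diff` from System.currentTimeMillis() on line 38, which is wall-clock time and moves when the system clock is adjusted; a backward step is harmless because `diff > 0` then skips the check, but a forward step of a few seconds that lands between a caller's `start` and this call is charged to the budget and can raise InputManipulationException on clean input. If the Java 1.4 baseline visible in the parent pom's jdk4 profile no longer binds this code, a monotonic `System.nanoTime()` at both ends would avoid that; otherwise the class javadoc should state the limitation. The javadoc should also repeat what setCollectionUpdateLimit's already says, that elapsed time is accounted in whole seconds per element, so that authors of custom converters understand what the check can and cannot observe. The casts `(Integer)context.get(...)` assume nobody else stores a different type under the public COLLECTION_UPDATE_* keys; a ClassCastException there would surface as an unexplained failure rather than the ConversionException used for the missing-limit case.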
0 | 0 | /* |
1 | 1 | * Copyright (C) 2004, 2005, 2006 Joe Walnes. |
2 | * Copyright (C) 2006, 2007, 2009, 2011 XStream Committers. | |
2 | * Copyright (C) 2006, 2007, 2009, 2011, 2021 XStream Committers. | |
3 | 3 | * All rights reserved. |
4 | 4 | * |
5 | 5 | * The software in this package is published under the terms of the BSD |
20 | 20 | import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper; |
21 | 21 | import com.thoughtworks.xstream.mapper.Mapper; |
22 | 22 | |
23 | import java.util.Collections; | |
23 | 24 | import java.util.Iterator; |
24 | 25 | |
25 | 26 | |
84 | 85 | } |
85 | 86 | |
86 | 87 | public Object get(Object key) { |
87 | lazilyCreateDataHolder(); | |
88 | return dataHolder.get(key); | |
88 | return dataHolder != null ? dataHolder.get(key) : null; | |
89 | 89 | } |
90 | 90 | |
91 | 91 | public void put(Object key, Object value) { |
94 | 94 | } |
95 | 95 | |
96 | 96 | public Iterator keys() { |
97 | lazilyCreateDataHolder(); | |
98 | return dataHolder.keys(); | |
97 | return dataHolder != null ? dataHolder.keys() : Collections.EMPTY_MAP.keySet().iterator(); | |
99 | 98 | } |
100 | 99 | |
101 | 100 | private void lazilyCreateDataHolder() { |
0 | 0 | /* |
1 | 1 | * Copyright (C) 2004, 2005, 2006 Joe Walnes. |
2 | * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2018 XStream Committers. | |
2 | * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2018, 2021 XStream Committers. | |
3 | 3 | * All rights reserved. |
4 | 4 | * |
5 | 5 | * The software in this package is published under the terms of the BSD |
10 | 10 | */ |
11 | 11 | package com.thoughtworks.xstream.core; |
12 | 12 | |
13 | import java.util.Collections; | |
13 | 14 | import java.util.Iterator; |
14 | 15 | |
15 | 16 | import com.thoughtworks.xstream.converters.ConversionException; |
24 | 25 | import com.thoughtworks.xstream.core.util.PrioritizedList; |
25 | 26 | import com.thoughtworks.xstream.io.HierarchicalStreamReader; |
26 | 27 | import com.thoughtworks.xstream.mapper.Mapper; |
28 | import com.thoughtworks.xstream.security.AbstractSecurityException; | |
27 | 29 | |
28 | 30 | |
29 | 31 | public class TreeUnmarshaller implements UnmarshallingContext { |
72 | 74 | } catch (final ConversionException conversionException) { |
73 | 75 | addInformationTo(conversionException, type, converter, parent); |
74 | 76 | throw conversionException; |
77 | } catch (AbstractSecurityException e) { | |
78 | throw e; | |
75 | 79 | } catch (RuntimeException e) { |
76 | 80 | ConversionException conversionException = new ConversionException(e); |
77 | 81 | addInformationTo(conversionException, type, converter, parent); |
107 | 111 | } |
108 | 112 | |
109 | 113 | public Object get(Object key) { |
110 | lazilyCreateDataHolder(); | |
111 | return dataHolder.get(key); | |
114 | return dataHolder != null ? dataHolder.get(key) : null; | |
112 | 115 | } |
113 | 116 | |
114 | 117 | public void put(Object key, Object value) { |
117 | 120 | } |
118 | 121 | |
119 | 122 | public Iterator keys() { |
120 | lazilyCreateDataHolder(); | |
121 | return dataHolder.keys(); | |
123 | return dataHolder != null ? dataHolder.keys() : Collections.EMPTY_MAP.keySet().iterator(); | |
122 | 124 | } |
123 | 125 | |
124 | 126 | private void lazilyCreateDataHolder() { |
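Review bot: The added `catch (AbstractSecurityException e) { throw e; }` is a bare rethrow whose only purpose is to keep the following `catch (RuntimeException e)` from wrapping it, and nothing in the hunk says so; a one-line comment such as `// security exceptions must reach the caller unwrapped, not inside a ConversionException` would stop a later cleanup from deleting the apparently redundant clause. Because ForbiddenClassException now extends AbstractSecurityException (see the security package hunk), this presumably also changes what callers observe for nested conversions: where they previously had to unwrap a ConversionException to find the ForbiddenClassException cause, they now receive it directly, which is worth a line in the release notes if that reading is right. In keys(), `Collections.EMPTY_MAP.keySet().iterator()` is correct but `Collections.EMPTY_LIST.iterator()` expresses the same empty iterator more directly; the identical expression appears in the preceding marshaller hunk with the same get()/keys() change.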
0 | 0 | /* |
1 | 1 | * Copyright (C) 2004, 2005 Joe Walnes. |
2 | * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2014, 2015, 2016 XStream Committers. | |
2 | * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2014, 2015, 2016, 2021 XStream Committers. | |
3 | 3 | * All rights reserved. |
4 | 4 | * |
5 | 5 | * The software in this package is published under the terms of the BSD |
154 | 154 | } catch (IllegalAccessException e) { |
155 | 155 | ex = new ObjectAccessException("Cannot access method", e); |
156 | 156 | } catch (InvocationTargetException e) { |
157 | Throwable cause = e.getTargetException(); | |
158 | if (cause instanceof ConversionException) | |
159 | throw (ConversionException)cause; | |
157 | 160 | ex = new ConversionException("Failed calling method", e.getTargetException()); |
158 | 161 | } |
159 | 162 | if (ex != null) { |
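Review bot: The new `cause instanceof ConversionException` rethrow only unwraps ConversionException, so an InputManipulationException or ForbiddenClassException raised inside the invoked method (for example when a readObject implementation triggers nested unmarshalling) is still wrapped into `new ConversionException("Failed calling method", ...)`, which is the opposite of what the TreeUnmarshaller hunk in this commit does for the same exception types. If the intent there is to let security exceptions propagate unwrapped, this site should match with `if (cause instanceof AbstractSecurityException) throw (AbstractSecurityException)cause;` (plus the corresponding import). The brace-less `if` also departs from the braced style used by the surrounding catch blocks. The method this belongs to starts and ends outside the hunk.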
0 | /* | |
1 | * Copyright (C) 2021, 2022 XStream Committers. | |
2 | * All rights reserved. | |
3 | * | |
4 | * Created on 21. September 2021 by Joerg Schaible | |
5 | */ | |
6 | package com.thoughtworks.xstream.security; | |
7 | ||
8 | import com.thoughtworks.xstream.XStreamException; | |
9 | ||
10 | ||
11 | /** | |
12 | * General base class for a Security Exception in XStream. | |
13 | * | |
14 | * @author Jörg Schaible | |
15 | * @since 1.4.19 | |
16 | */ | |
17 | public abstract class AbstractSecurityException extends XStreamException { | |
18 | private static final long serialVersionUID = 20210921L; | |
19 | ||
20 | /** | |
21 | * Constructs a SecurityException. | |
22 | * @param message the exception message | |
23 | * @since 1.4.19 | |
24 | */ | |
25 | public AbstractSecurityException(final String message) { | |
26 | super(message); | |
27 | } | |
28 | } |
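Review bot: The constructor javadoc says `Constructs a SecurityException.`, which names an unrelated JDK type (java.lang.SecurityException) rather than this class; it should read `Constructs an AbstractSecurityException.`, and the constructor in the InputManipulationException hunk below has the same wording and should say `Constructs an InputManipulationException.`. The class javadoc could also tell subclass authors what the base type is for, e.g. `Base class for exceptions that signal a security violation; the unmarshaller propagates these unwrapped instead of converting them into a ConversionException.`, since that is the distinction the TreeUnmarshaller hunk relies on.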
0 | 0 | /* |
1 | * Copyright (C) 2014 XStream Committers. | |
1 | * Copyright (C) 2014, 2021 XStream Committers. | |
2 | 2 | * All rights reserved. |
3 | 3 | * |
4 | 4 | * Created on 08. January 2014 by Joerg Schaible |
5 | 5 | */ |
6 | 6 | package com.thoughtworks.xstream.security; |
7 | ||
8 | import com.thoughtworks.xstream.XStreamException; | |
9 | 7 | |
10 | 8 | /** |
11 | 9 | * Exception thrown for a forbidden class. |
13 | 11 | * @author Jörg Schaible |
14 | 12 | * @since 1.4.7 |
15 | 13 | */ |
16 | public class ForbiddenClassException extends XStreamException { | |
14 | public class ForbiddenClassException extends AbstractSecurityException { | |
17 | 15 | |
18 | 16 | /** |
19 | 17 | * Construct a ForbiddenClassException. |
0 | /* | |
1 | * Copyright (C) 2021, 2022 XStream Committers. | |
2 | * All rights reserved. | |
3 | * | |
4 | * Created on 21. September 2021 by Joerg Schaible | |
5 | */ | |
6 | package com.thoughtworks.xstream.security; | |
7 | ||
8 | ||
9 | /** | |
10 | * Class for a Security Exception assuming input manipulation in XStream. | |
11 | * | |
12 | * @author Jörg Schaible | |
13 | * @since 1.4.19 | |
14 | */ | |
15 | public class InputManipulationException extends AbstractSecurityException { | |
16 | private static final long serialVersionUID = 20210921L; | |
17 | ||
18 | /** | |
19 | * Constructs a SecurityException. | |
20 | * @param message the exception message | |
21 | * @since 1.4.19 | |
22 | */ | |
23 | public InputManipulationException(final String message) { | |
24 | super(message); | |
25 | } | |
26 | } |
0 | 0 | /* |
1 | 1 | * Copyright (C) 2005 Joe Walnes. |
2 | * Copyright (C) 2006, 2007, 2010, 2012, 2013, 2014, 2017 XStream Committers. | |
2 | * Copyright (C) 2006, 2007, 2010, 2012, 2013, 2014, 2017, 2021 XStream Committers. | |
3 | 3 | * All rights reserved. |
4 | 4 | * |
5 | 5 | * The software in this package is published under the terms of the BSD |
334 | 334 | xstream.fromXML(actualXml.replaceAll("foobar", "unknown")); |
335 | 335 | fail("Thrown " + ConversionException.class.getName() + " expected"); |
336 | 336 | } catch (final ConversionException e) { |
337 | String message = e.getMessage(); | |
338 | assertTrue(message, | |
339 | e.getMessage().substring(0, message.indexOf('\n')).endsWith( | |
340 | DerivedThing.class.getName() + ".unknown")); | |
337 | final String message = e.getMessage(); | |
338 | assertTrue(message, e.getMessage().substring(0, message.indexOf('\n')).endsWith(DerivedThing.class.getName() | |
339 | + ".unknown")); | |
341 | 340 | } |
342 | 341 | } |
343 | 342 | |
402 | 401 | assertEquals("c", out.neverIgnore); |
403 | 402 | assertNull(out.sometimesIgnore); |
404 | 403 | } |
404 | ||
405 | public static class Member { | |
406 | public String name; | |
407 | } | |
408 | ||
409 | public static class Parent { | |
410 | public Member member; | |
411 | } | |
412 | ||
413 | public static class Child extends Parent { | |
414 | public Member member; | |
415 | ||
416 | public void setHidden(final Member member) { | |
417 | super.member = member; | |
418 | } | |
419 | ||
420 | public Member getHidden() { | |
421 | return super.member; | |
422 | } | |
423 | } | |
424 | ||
425 | public void testIgnoredHiddenElementsAreNotReferenced() { | |
426 | final Member member = new Member(); | |
427 | member.name = "junit"; | |
428 | final Child child = new Child(); | |
429 | child.setHidden(child.member = member); | |
430 | ||
431 | xstream.alias("child", Child.class); | |
432 | xstream.omitField(Child.class, "member"); | |
433 | ||
434 | final String expectedXml = "" | |
435 | + "<child>\n" | |
436 | + " <member>\n" | |
437 | + " <name>junit</name>\n" | |
438 | + " </member>\n" | |
439 | + "</child>"; | |
440 | ||
441 | final String actualXml = xstream.toXML(child); | |
442 | assertEquals(expectedXml, actualXml); | |
443 | ||
444 | final Child out = (Child)xstream.fromXML(expectedXml); | |
445 | assertNull(out.member); | |
446 | assertEquals("junit", out.getHidden().name); | |
447 | } | |
448 | ||
449 | public static class Wrapper { | |
450 | public Member member; | |
451 | public Parent parent; | |
452 | } | |
453 | ||
454 | public void testIgnoredElementsAreNotReferenced() { | |
455 | final Member member = new Member(); | |
456 | member.name = "junit"; | |
457 | final Parent parent = new Parent(); | |
458 | final Wrapper wrapper = new Wrapper(); | |
459 | parent.member = wrapper.member = member; | |
460 | wrapper.parent = parent; | |
461 | ||
462 | xstream.alias("wrapper", Wrapper.class); | |
463 | xstream.omitField(Wrapper.class, "member"); | |
464 | ||
465 | final String expectedXml = "" | |
466 | + "<wrapper>\n" | |
467 | + " <parent>\n" | |
468 | + " <member>\n" | |
469 | + " <name>junit</name>\n" | |
470 | + " </member>\n" | |
471 | + " </parent>\n" | |
472 | + "</wrapper>"; | |
473 | ||
474 | final String actualXml = xstream.toXML(wrapper); | |
475 | assertEquals(expectedXml, actualXml); | |
476 | ||
477 | final Wrapper out = (Wrapper)xstream.fromXML(expectedXml); | |
478 | assertNull(out.member); | |
479 | assertEquals("junit", out.parent.member.name); | |
480 | } | |
481 | ||
482 | public void testReferencedElementsCanBeOmitted() { | |
483 | final Member member = new Member(); | |
484 | member.name = "junit"; | |
485 | final Wrapper wrapper = new Wrapper(); | |
486 | wrapper.member = member; | |
487 | ||
488 | xstream.alias("wrapper", Wrapper.class); | |
489 | xstream.omitField(Wrapper.class, "member2"); | |
490 | ||
491 | final String expectedXml = "" | |
492 | + "<wrapper>\n" | |
493 | + " <member>\n" | |
494 | + " <name>junit</name>\n" | |
495 | + " </member>\n" | |
496 | + " <member2 reference=\"../member\"/>\n" | |
497 | + "</wrapper>"; | |
498 | ||
499 | final Wrapper out = (Wrapper)xstream.fromXML(expectedXml); | |
500 | assertEquals("junit", out.member.name); | |
501 | } | |
502 | ||
503 | public void testReferencedElementsCanBeIgnored() { | |
504 | final Member member = new Member(); | |
505 | member.name = "junit"; | |
506 | final Wrapper wrapper = new Wrapper(); | |
507 | wrapper.member = member; | |
508 | ||
509 | xstream.alias("wrapper", Wrapper.class); | |
510 | xstream.ignoreUnknownElements(); | |
511 | ||
512 | final String expectedXml = "" | |
513 | + "<wrapper>\n" | |
514 | + " <member>\n" | |
515 | + " <name>junit</name>\n" | |
516 | + " </member>\n" | |
517 | + " <member2 reference=\"../member\"/>\n" | |
518 | + "</wrapper>"; | |
519 | ||
520 | final Wrapper out = (Wrapper)xstream.fromXML(expectedXml); | |
521 | assertEquals("junit", out.member.name); | |
522 | } | |
405 | 523 | } |
16 | 16 | import java.io.IOException; |
17 | 17 | import java.io.InputStream; |
18 | 18 | import java.io.OutputStream; |
19 | import java.util.HashMap; | |
20 | import java.util.HashSet; | |
21 | import java.util.Hashtable; | |
19 | 22 | import java.util.Iterator; |
20 | ||
21 | import com.thoughtworks.xstream.XStreamException; | |
23 | import java.util.LinkedHashMap; | |
24 | import java.util.LinkedHashSet; | |
25 | import java.util.Map; | |
26 | import java.util.Set; | |
27 | ||
22 | 28 | import com.thoughtworks.xstream.converters.ConversionException; |
23 | 29 | import com.thoughtworks.xstream.core.JVM; |
24 | 30 | import com.thoughtworks.xstream.security.AnyTypePermission; |
25 | 31 | import com.thoughtworks.xstream.security.ForbiddenClassException; |
32 | import com.thoughtworks.xstream.security.InputManipulationException; | |
26 | 33 | import com.thoughtworks.xstream.security.ProxyTypePermission; |
27 | 34 | |
28 | 35 | |
55 | 62 | |
56 | 63 | try { |
57 | 64 | xstream.fromXML(xml); |
58 | fail("Thrown " + XStreamException.class.getName() + " expected"); | |
59 | } catch (final XStreamException e) { | |
60 | assertTrue(e.getMessage().indexOf(EventHandler.class.getName()) > 0); | |
65 | fail("Thrown " + ForbiddenClassException.class.getName() + " expected"); | |
66 | } catch (final ForbiddenClassException e) { | |
67 | // OK | |
61 | 68 | } |
62 | 69 | assertEquals(0, BUFFER.length()); |
63 | 70 | } |
125 | 132 | public void testInstanceOfVoid() { |
126 | 133 | try { |
127 | 134 | xstream.fromXML("<void/>"); |
128 | fail("Thrown " + ConversionException.class.getName() + " expected"); | |
135 | fail("Thrown " + ForbiddenClassException.class.getName() + " expected"); | |
129 | 136 | } catch (final ForbiddenClassException e) { |
130 | 137 | // OK |
131 | 138 | } |
162 | 169 | xstream.aliasType("is", InputStream.class); |
163 | 170 | try { |
164 | 171 | xstream.fromXML(xml); |
165 | fail("Thrown " + ConversionException.class.getName() + " expected"); | |
172 | fail("Thrown " + ForbiddenClassException.class.getName() + " expected"); | |
166 | 173 | } catch (final ForbiddenClassException e) { |
167 | 174 | // OK |
168 | 175 | } |
260 | 267 | assertEquals("ArrayIndexOutOfBoundsException expected reading invalid stream", 5, i); |
261 | 268 | } |
262 | 269 | } |
270 | ||
271 | public void testDoSAttackWithHashSet() { | |
272 | final Set set = new HashSet(); | |
273 | Set s1 = set; | |
274 | Set s2 = new HashSet(); | |
275 | for (int i = 0; i < 30; i++) { | |
276 | final Set t1 = new HashSet(); | |
277 | final Set t2 = new HashSet(); | |
278 | t1.add("a"); | |
279 | t2.add("b"); | |
280 | s1.add(t1); | |
281 | s1.add(t2); | |
282 | s2.add(t2); | |
283 | s2.add(t1); | |
284 | s1 = t1; | |
285 | s2 = t2; | |
286 | } | |
287 | ||
288 | xstream.setCollectionUpdateLimit(5); | |
289 | final String xml = xstream.toXML(set); | |
290 | try { | |
291 | ||
292 | xstream.fromXML(xml); | |
293 | fail("Thrown " + InputManipulationException.class.getName() + " expected"); | |
294 | } catch (final InputManipulationException e) { | |
295 | assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds")); | |
296 | } | |
297 | } | |
298 | ||
299 | public void testDoSAttackWithLinkedHashSet() { | |
300 | final Set set = new LinkedHashSet(); | |
301 | Set s1 = set; | |
302 | Set s2 = new LinkedHashSet(); | |
303 | for (int i = 0; i < 30; i++) { | |
304 | final Set t1 = new LinkedHashSet(); | |
305 | final Set t2 = new LinkedHashSet(); | |
306 | t1.add("a"); | |
307 | t2.add("b"); | |
308 | s1.add(t1); | |
309 | s1.add(t2); | |
310 | s2.add(t2); | |
311 | s2.add(t1); | |
312 | s1 = t1; | |
313 | s2 = t2; | |
314 | } | |
315 | ||
316 | xstream.setCollectionUpdateLimit(5); | |
317 | final String xml = xstream.toXML(set); | |
318 | try { | |
319 | xstream.fromXML(xml); | |
320 | fail("Thrown " + InputManipulationException.class.getName() + " expected"); | |
321 | } catch (final InputManipulationException e) { | |
322 | assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds")); | |
323 | } | |
324 | } | |
325 | ||
326 | public void testDoSAttackWithHashMap() { | |
327 | final Map map = new HashMap(); | |
328 | Map m1 = map; | |
329 | Map m2 = new HashMap(); | |
330 | for (int i = 0; i < 25; i++) { | |
331 | final Map t1 = new HashMap(); | |
332 | final Map t2 = new HashMap(); | |
333 | t1.put("a", "b"); | |
334 | t2.put("c", "d"); | |
335 | m1.put(t1, t2); | |
336 | m1.put(t2, t1); | |
337 | m2.put(t2, t1); | |
338 | m2.put(t1, t2); | |
339 | m1 = t1; | |
340 | m2 = t2; | |
341 | } | |
342 | xstream.setCollectionUpdateLimit(5); | |
343 | ||
344 | final String xml = xstream.toXML(map); | |
345 | try { | |
346 | xstream.fromXML(xml); | |
347 | fail("Thrown " + InputManipulationException.class.getName() + " expected"); | |
348 | } catch (InputManipulationException e) { | |
349 | assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds")); | |
350 | } | |
351 | } | |
352 | ||
353 | public void testDoSAttackWithLinkedHashMap() { | |
354 | final Map map = new LinkedHashMap(); | |
355 | Map m1 = map; | |
356 | Map m2 = new LinkedHashMap(); | |
357 | for (int i = 0; i < 25; i++) { | |
358 | final Map t1 = new LinkedHashMap(); | |
359 | final Map t2 = new LinkedHashMap(); | |
360 | t1.put("a", "b"); | |
361 | t2.put("c", "d"); | |
362 | m1.put(t1, t2); | |
363 | m1.put(t2, t1); | |
364 | m2.put(t2, t1); | |
365 | m2.put(t1, t2); | |
366 | m1 = t1; | |
367 | m2 = t2; | |
368 | } | |
369 | ||
370 | xstream.setCollectionUpdateLimit(5); | |
371 | final String xml = xstream.toXML(map); | |
372 | try { | |
373 | xstream.fromXML(xml); | |
374 | fail("Thrown " + InputManipulationException.class.getName() + " expected"); | |
375 | } catch (final InputManipulationException e) { | |
376 | assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds")); | |
377 | } | |
378 | } | |
379 | ||
380 | public void testDoSAttackWithHashtable() { | |
381 | final Map map = new Hashtable(); | |
382 | Map m1 = map; | |
383 | Map m2 = new Hashtable(); | |
384 | for (int i = 0; i < 100; i++) { | |
385 | final Map t1 = new Hashtable(); | |
386 | final Map t2 = new Hashtable(); | |
387 | t1.put("a", "b"); | |
388 | t2.put("c", "d"); | |
389 | m1.put(t1, t2); | |
390 | m1.put(t2, t1); | |
391 | m2.put(t2, t1); | |
392 | m2.put(t1, t2); | |
393 | m1 = t1; | |
394 | m2 = t2; | |
395 | } | |
396 | ||
397 | xstream.setCollectionUpdateLimit(5); | |
398 | final String xml = xstream.toXML(map); | |
399 | try { | |
400 | xstream.fromXML(xml); | |
401 | fail("Thrown " + InputManipulationException.class.getName() + " expected"); | |
402 | } catch (final InputManipulationException e) { | |
403 | assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds")); | |
404 | } | |
405 | } | |
263 | 406 | } |
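Review bot: Each of the five new DoS tests (testDoSAttackWithHashSet through testDoSAttackWithHashtable) calls `xstream.setCollectionUpdateLimit(5)` and then asserts on `"exceeds 5 seconds"`, so by construction every one of them must burn at least five seconds of CPU before it can pass, adding roughly half a minute to the suite; if the limit is a plain wall-clock budget, `xstream.setCollectionUpdateLimit(1);` together with an adjusted `contains("exceeds 1 ")` check would prove the same thing in a fraction of the time. None of the tests exercises the default: every one sets the limit explicitly, so nothing here confirms that an XStream instance which never calls setCollectionUpdateLimit is protected out of the box — if COLLECTION_UPDATE_LIMIT is meant as a default rather than an opt-in, one test that omits the call and still expects InputManipulationException should be added. The nesting depths (30 for the sets, 25 for the maps, 100 for Hashtable) are presumably chosen so the hashCode work exceeds the limit even on a fast machine, which makes the tests hardware-dependent; a one-line comment on the loop such as `// depth chosen so hash code calculation far exceeds the limit on any machine` would stop the next person from lowering it to speed the suite up. Minor: the catch in testDoSAttackWithHashMap is `catch (InputManipulationException e)` while its four siblings use `final`, and in the first hunk the EventHandler test no longer checks that the refused type is named in the exception, so it would also pass if some other class were rejected first — `assertEquals(EventHandler.class.getName(), e.getMessage());` keeps that guarantee, provided ForbiddenClassException still carries the type name as its message.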
0 | 0 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> |
1 | 1 | <!-- |
2 | 2 | Copyright (C) 2006 Joe Walnes. |
3 | Copyright (C) 2006, 2007, 2009, 2011, 2012, 2013, 2017 XStream committers. | |
3 | Copyright (C) 2006, 2007, 2009, 2011, 2012, 2013, 2017, 2022 XStream committers. | |
4 | 4 | All rights reserved. |
5 | 5 | |
6 | 6 | The software in this package is published under the terms of the BSD |
13 | 13 | <parent> |
14 | 14 | <groupId>com.thoughtworks.xstream</groupId> |
15 | 15 | <artifactId>xstream-parent</artifactId> |
16 | <version>1.4.18</version> | |
16 | <version>1.4.19</version> | |
17 | 17 | </parent> |
18 | 18 | <artifactId>xstream-benchmark</artifactId> |
19 | 19 | <packaging>jar</packaging> |
22 | 22 | |
23 | 23 | <profiles> |
24 | 24 | <profile> |
25 | <id>jdk18</id> | |
25 | <id>jdk8</id> | |
26 | 26 | <activation> |
27 | 27 | <jdk>1.8</jdk> |
28 | 28 | </activation> |
57 | 57 | </reporting> |
58 | 58 | </profile> |
59 | 59 | <profile> |
60 | <id>jdk16-ge</id> | |
60 | <id>jdk6-ge</id> | |
61 | 61 | <activation> |
62 | 62 | <jdk>[1.6,)</jdk> |
63 | 63 | </activation> |
0 | 0 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> |
1 | 1 | <!-- |
2 | 2 | Copyright (C) 2006 Joe Walnes. |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2015, 2016 XStream committers. | |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2015, 2016, 2022 XStream committers. | |
4 | 4 | All rights reserved. |
5 | 5 | |
6 | 6 | The software in this package is published under the terms of the BSD |
13 | 13 | <parent> |
14 | 14 | <groupId>com.thoughtworks.xstream</groupId> |
15 | 15 | <artifactId>xstream-parent</artifactId> |
16 | <version>1.4.18</version> | |
16 | <version>1.4.19</version> | |
17 | 17 | </parent> |
18 | 18 | <artifactId>xstream-distribution</artifactId> |
19 | 19 | <packaging>pom</packaging> |
47 | 47 | |
48 | 48 | <profiles> |
49 | 49 | <profile> |
50 | <id>jdk18</id> | |
50 | <id>jdk8</id> | |
51 | 51 | <activation> |
52 | 52 | <jdk>1.8</jdk> |
53 | 53 | </activation> |
142 | 142 | supported by Zhihong Tian and Hui Lu, both from Guangzhou University.</p> |
143 | 143 | |
144 | 144 | </body> |
145 | </html>⏎ | |
145 | </html> |
237 | 237 | |
238 | 238 | <h2 id="credits">Credits</h2> |
239 | 239 | |
240 | <p>wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.</p> | |
240 | <p>wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the | |
241 | required information to reproduce it.</p> | |
241 | 242 | |
242 | 243 | </body> |
243 | 244 | </html> |
127 | 127 | |
128 | 128 | <h2 id="credits">Credits</h2> |
129 | 129 | |
130 | <p>wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.</p> | |
130 | <p>wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the | |
131 | required information to reproduce it.</p> | |
131 | 132 | |
132 | 133 | </body> |
133 | 134 | </html> |
0 | <html> | |
1 | <!-- | |
2 | Copyright (C) 2021 XStream committers. | |
3 | All rights reserved. | |
4 | ||
5 | The software in this package is published under the terms of the BSD | |
6 | style license a copy of which has been included with this distribution in | |
7 | the LICENSE.txt file. | |
8 | ||
9 | Created on 23. December 2021 by Joerg Schaible | |
10 | --> | |
11 | <head> | |
12 | <title>CVE-2021-43859</title> | |
13 | </head> | |
14 | <body> | |
15 | ||
16 | <h2 id="vulnerability">Vulnerability</h2> | |
17 | ||
18 | <p>CVE-2021-43859: XStream can cause a Denial of Service by injecting highly recursive collections or maps.</p> | |
19 | ||
20 | <h2 id="affected_versions">Affected Versions</h2> | |
21 | ||
22 | <p>All versions until and including version 1.4.18 are affected.</p> | |
23 | ||
24 | <h2 id="description">Description</h2> | |
25 | ||
26 | <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects. | |
27 | XStream creates therefore new instances based on these type information. An attacker can manipulate the processed | |
28 | input stream and replace or inject objects, that result in exponential recursively hashcode calculation, causing a denial | |
29 | of service.</p> | |
30 | ||
31 | <h2 id="reproduction">Steps to Reproduce</h2> | |
32 | ||
33 | <p>The attack uses the hashcode implementation of collection types in the Java runtime. Following types are affected with | |
34 | lastest Java versions available in December 2021:</p> | |
35 | <ul> | |
36 | <li>java.util.HashMap</li> | |
37 | <li>java.util.HashSet</li> | |
38 | <li>java.util.Hashtable</li> | |
39 | <li>java.util.LinkedHashMap</li> | |
40 | <li>java.util.LinkedHashSet</li> | |
41 | <li>java.util.Stack (older Java revisions only)</li> | |
42 | <li>java.util.Vector (older Java revisions only)</li> | |
43 | <li>Other third party collection implementations that use their element's hash code may also be affected</li> | |
44 | </ul> | |
45 | <p>Create a simple HashSet and use XStream to marshal it to XML. Replace the XML with following snippet, increase the | |
46 | depth of the structure and unmarshal it with XStream:</p> | |
47 | <div class="Source XML"><pre><set> | |
48 | <set> | |
49 | <string>a</string> | |
50 | <set> | |
51 | <string>a</string> | |
52 | <set> | |
53 | <string>a</string> | |
54 | </set> | |
55 | <set> | |
56 | <string>b</string> | |
57 | </set> | |
58 | </set> | |
59 | <set> | |
60 | <set reference="../../set/set"/> | |
61 | <string>b</string> | |
62 | <set reference="../../set/set[2]"/> | |
63 | </set> | |
64 | </set> | |
65 | <set> | |
66 | <set reference="../../set/set"/> | |
67 | <string>b</string> | |
68 | <set reference="../../set/set[2]"/> | |
69 | </set> | |
70 | </set> | |
71 | </pre></div> | |
72 | <div class="Source Java"><pre>XStream xstream = new XStream(); | |
73 | xstream.fromXML(xml); | |
74 | </pre></div> | |
75 | <p>Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following snippet, increase the | |
76 | depth of the structure and unmarshal it with XStream:</p> | |
77 | <div class="Source XML"><pre><map> | |
78 | <entry> | |
79 | <map> | |
80 | <entry> | |
81 | <string>a</string> | |
82 | <string>b</string> | |
83 | </entry> | |
84 | <entry> | |
85 | <map> | |
86 | <entry> | |
87 | <string>a</string> | |
88 | <string>b</string> | |
89 | </entry> | |
90 | <entry> | |
91 | <map> | |
92 | <entry> | |
93 | <string>a</string> | |
94 | <string>b</string> | |
95 | </entry> | |
96 | </map> | |
97 | <map> | |
98 | <entry> | |
99 | <string>c</string> | |
100 | <string>d</string> | |
101 | </entry> | |
102 | </map> | |
103 | </entry> | |
104 | <entry> | |
105 | <map reference="../../entry[2]/map[2]"/> | |
106 | <map reference="../../entry[2]/map"/> | |
107 | </entry> | |
108 | </map> | |
109 | <map> | |
110 | <entry> | |
111 | <string>c</string> | |
112 | <string>d</string> | |
113 | </entry> | |
114 | <entry> | |
115 | <map reference="../../../entry[2]/map"/> | |
116 | <map reference="../../../entry[2]/map[2]"/> | |
117 | </entry> | |
118 | <entry> | |
119 | <map reference="../../../entry[2]/map[2]"/> | |
120 | <map reference="../../../entry[2]/map"/> | |
121 | </entry> | |
122 | </map> | |
123 | </entry> | |
124 | <entry> | |
125 | <map reference="../../entry[2]/map[2]"/> | |
126 | <map reference="../../entry[2]/map"/> | |
127 | </entry> | |
128 | </map> | |
129 | <map> | |
130 | <entry> | |
131 | <string>c</string> | |
132 | <string>d</string> | |
133 | </entry> | |
134 | <entry> | |
135 | <map reference="../../../entry[2]/map"/> | |
136 | <map reference="../../../entry[2]/map[2]"/> | |
137 | </entry> | |
138 | <entry> | |
139 | <map reference="../../../entry[2]/map[2]"/> | |
140 | <map reference="../../../entry[2]/map"/> | |
141 | </entry> | |
142 | </map> | |
143 | </entry> | |
144 | <entry> | |
145 | <map reference="../../entry[2]/map[2]"/> | |
146 | <map reference="../../entry[2]/map"/> | |
147 | </entry> | |
148 | </map> | |
149 | </pre></div> | |
150 | <div class="Source Java"><pre>XStream xstream = new XStream(); | |
151 | xstream.fromXML(xml); | |
152 | </pre></div> | |
153 | ||
154 | <p>As soon as the XML is unmarshalled, the hash codes of the elements are calculated and the calculation time increases | |
155 | exponentially due to the highly recursive structure.</p> | |
156 | ||
157 | <p>Note, this example uses XML, but the attack can be performed for any supported format, that supports references, i.e. | |
158 | JSON is not affected.</p> | |
159 | ||
160 | <h2 id="impact">Impact</h2> | |
161 | ||
162 | <p>The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU | |
163 | type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed | |
164 | input stream.</p> | |
165 | ||
166 | <h2 id="workarounds">Workarounds</h2> | |
167 | ||
168 | <p>If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:</p> | |
169 | ||
170 | <div class="Source Java"><pre>XStream xstream = new XStream(); | |
171 | xstream.setMode(XStream.NO_REFERENCES); | |
172 | </pre></div> | |
173 | ||
174 | <p>If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you | |
175 | can use the security framework to deny the usage of these types:</p> | |
176 | ||
177 | <div class="Source Java"><pre>XStream xstream = new XStream(); | |
178 | xstream.denyTypes(new Class[]{ | |
179 | java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class | |
180 | }); | |
181 | </pre></div> | |
182 | ||
183 | <p>Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default | |
184 | map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:</p> | |
185 | ||
186 | <div class="Source Java"><pre>xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class); | |
187 | xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class); | |
188 | </pre></div> | |
189 | ||
190 | <p>However, this implies that your application does not care about the implementation of the map and all elements are comparable.</p> | |
191 | ||
192 | <h2 id="credits">Credits</h2> | |
193 | ||
194 | <p>r00t4dm at Cloud-Penetrating Arrow Lab found and reported the issue to XStream and provided the required information to | |
195 | reproduce it.</p> | |
196 | ||
197 | </body> | |
198 | </html> |
0 | 0 | <html> |
1 | 1 | <!-- |
2 | Copyright (C) 2015, 2016, 2017, 2018, 2020, 2021 XStream committers. | |
2 | Copyright (C) 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream committers. | |
3 | 3 | All rights reserved. |
4 | 4 | |
5 | 5 | The software in this package is published under the terms of the BSD |
32 | 32 | |
33 | 33 | <p>All benchmark values below measure the average throughput in nanosecond per operation. JMH provides additional |
34 | 34 | measurement options, see online help. The maximum deviation for each benchmark is recorded in the reference files of the |
35 | distributed ZIP file. The benchmark is executed on Linux 5.4.48 Gentoo 64-bit system with an Intel Core i7 CPU 920 of 2.67 | |
36 | GHz using OpenJDK 11.0.8. Note again, that these values are no replacement for real profiler results and they may vary | |
35 | distributed ZIP file. The benchmark is executed on Linux 5.15.11 Gentoo 64-bit system with an Intel Core i7 CPU 920 of 2.67 | |
36 | GHz using OpenJDK 11.0.13. Note again, that these values are no replacement for real profiler results and they may vary | |
37 | 37 | from run to run (see reference files) due to this machine's background processes. However, it can give you some idea of |
38 | 38 | what you can expect using different parser technologies.</p> |
39 | 39 | |
50 | 50 | <th>Nested</th> |
51 | 51 | </tr> |
52 | 52 | <tr> |
53 | <th>W3C DOM (Open JDK 11.0.8)</th> | |
54 | <td>10568442.558</td> | |
55 | <td>59894584.643</td> | |
56 | <td>5382390.375</td> | |
53 | <th>W3C DOM (Open JDK 11.0.13)</th> | |
54 | <td>10553104.053</td> | |
55 | <td>58632015.971</td> | |
56 | <td>5321471.291</td> | |
57 | 57 | </tr> |
58 | 58 | <tr> |
59 | 59 | <th>JDOM (1.1.3)</th> |
60 | <td>6379300.940</td> | |
61 | <td>6887733.303</td> | |
62 | <td>13598531.633</td> | |
60 | <td>6347929.561</td> | |
61 | <td>7102275.757</td> | |
62 | <td>16861677.394</td> | |
63 | 63 | </tr> |
64 | 64 | <tr> |
65 | 65 | <th>JDOM 2 (2.0.5)</th> |
66 | <td>5929805.928</td> | |
67 | <td>9876176.832</td> | |
68 | <td>12503949.903</td> | |
66 | <td>5843003.401</td> | |
67 | <td>9827411.961</td> | |
68 | <td>12085612.224</td> | |
69 | 69 | </tr> |
70 | 70 | <tr> |
71 | 71 | <th>DOM4J (1.6.1)</th> |
72 | <td>8543670.534</td> | |
73 | <td>79125701.566</td> | |
74 | <td>5372787.809</td> | |
72 | <td>8344385.552</td> | |
73 | <td>78757514.580</td> | |
74 | <td>5711026.345</td> | |
75 | 75 | </tr> |
76 | 76 | <tr> |
77 | 77 | <th>XOM (1.1)</th> |
78 | <td>7968868.873</td> | |
79 | <td>34141742.595</td> | |
80 | <td>5425911.128</td> | |
78 | <td>7986743.807</td> | |
79 | <td>33930673.083</td> | |
80 | <td>5788240.908</td> | |
81 | 81 | </tr> |
82 | 82 | <tr> |
83 | 83 | <th>StAX (BEA 1.2.0)</th> |
84 | <td>3182516.188</td> | |
85 | <td>667706.032</td> | |
86 | <td>603986.803</td> | |
84 | <td>3229409.245</td> | |
85 | <td>713536.588</td> | |
86 | <td>648266.777</td> | |
87 | 87 | </tr> |
88 | 88 | <tr> |
89 | 89 | <th>StAX (Woodstox 3.2.7)</th> |
90 | <td>1959085.951</td> | |
91 | <td>630843.461</td> | |
92 | <td>835465.393</td> | |
93 | </tr> | |
94 | <tr> | |
95 | <th>StAX (Open JDK 11.0.8)</th> | |
96 | <td>8450930.541</td> | |
97 | <td>885917.070</td> | |
98 | <td>868883.676</td> | |
99 | </tr> | |
100 | <tr> | |
101 | <th>XPP (MXParser 1.2.1)</th> | |
102 | <td>2131602.489</td> | |
103 | <td>814691.675</td> | |
104 | <td>13287597.794</td> | |
90 | <td>2048393.986</td> | |
91 | <td>592419.675</td> | |
92 | <td>725660.904</td> | |
93 | </tr> | |
94 | <tr> | |
95 | <th>StAX (Open JDK 11.0.13)</th> | |
96 | <td>8377577.926</td> | |
97 | <td>700802.493</td> | |
98 | <td>1074253.465</td> | |
99 | </tr> | |
100 | <tr> | |
101 | <th>XPP (MXParser 1.2.2)</th> | |
102 | <td>2090782.658</td> | |
103 | <td>687905.727</td> | |
104 | <td>12616894.304</td> | |
105 | 105 | </tr> |
106 | 106 | <tr> |
107 | 107 | <th>XPP (Xpp3 min 1.1.4c)</th> |
108 | <td>2084284.951</td> | |
109 | <td>754593.348</td> | |
110 | <td>13056389.184</td> | |
108 | <td>2112720.726</td> | |
109 | <td>701583.341</td> | |
110 | <td>13007586.291</td> | |
111 | 111 | </tr> |
112 | 112 | <tr> |
113 | 113 | <th>XPP (kXML2 min 2.3.0)</th> |
114 | <td>3561706.234</td> | |
115 | <td>855787.083</td> | |
116 | <td>36819091.742</td> | |
114 | <td>3524809.724</td> | |
115 | <td>902275.516</td> | |
116 | <td>35970087.264</td> | |
117 | 117 | </tr> |
118 | 118 | <tr> |
119 | 119 | <th>Binary (XStream 1.4.16)</th> |
120 | <td>1065228.134</td> | |
121 | <td>405493.660</td> | |
122 | <td>284620.649</td> | |
120 | <td>1111084.176</td> | |
121 | <td>402398.155</td> | |
122 | <td>315810.980</td> | |
123 | 123 | </tr> |
124 | 124 | <tr> |
125 | 125 | <th>Jettison (1.2)</th> |
126 | <td>3682704.689</td> | |
127 | <td>601803.834</td> | |
128 | <td>678187.271</td> | |
126 | <td>3617569.912</td> | |
127 | <td>670870.406</td> | |
128 | <td>735876.170</td> | |
129 | 129 | </tr> |
130 | 130 | </table> |
131 | 131 | |
151 | 151 | </tr> |
152 | 152 | <tr> |
153 | 153 | <th>Custom</th> |
154 | <td>9324531.713</td> | |
154 | <td>9666231.183</td> | |
155 | 155 | </tr> |
156 | 156 | <tr> |
157 | 157 | <th>Java Bean</th> |
158 | <td>19658157.449</td> | |
158 | <td>18907234.350</td> | |
159 | 159 | </tr> |
160 | 160 | <tr> |
161 | 161 | <th>Reflection</th> |
162 | <td>20859870.075</td> | |
162 | <td>20777749.230</td> | |
163 | 163 | </tr> |
164 | 164 | </table> |
165 | 165 | |
185 | 185 | </tr> |
186 | 186 | <tr> |
187 | 187 | <th>No Cache</th> |
188 | <td>9796296.611</td> | |
188 | <td>11982049.168</td> | |
189 | 189 | </tr> |
190 | 190 | <tr> |
191 | 191 | <th>Intern</th> |
192 | <td>14262839.973</td> | |
192 | <td>15280597.717</td> | |
193 | 193 | </tr> |
194 | 194 | <tr> |
195 | 195 | <th>ConcurrentMap (length limit)</th> |
196 | <td>10538757.220</td> | |
196 | <td>10812523.401</td> | |
197 | 197 | </tr> |
198 | 198 | <tr> |
199 | 199 | <th>ConcurrentMap (unlimited)</th> |
200 | <td>11252298.498</td> | |
200 | <td>12196204.773</td> | |
201 | 201 | </tr> |
202 | 202 | <tr> |
203 | 203 | <th>Sync'd WeakCache (length limit)</th> |
204 | <td>11298773.753</td> | |
204 | <td>11476639.041</td> | |
205 | 205 | </tr> |
206 | 206 | <tr> |
207 | 207 | <th>Sync'd WeakCache (unlimited)</th> |
208 | <td>11279714.685</td> | |
208 | <td>11346761.846</td> | |
209 | 209 | </tr> |
210 | 210 | </table> |
211 | 211 | |
246 | 246 | </tr> |
247 | 247 | <tr> |
248 | 248 | <th>No Coding</th> |
249 | <td>3917564.563</td> | |
249 | <td>4212316.966</td> | |
250 | 250 | </tr> |
251 | 251 | <tr> |
252 | 252 | <th>Dollar Coding</th> |
253 | <td>4570684.356</td> | |
253 | <td>4843325.489</td> | |
254 | 254 | </tr> |
255 | 255 | <tr> |
256 | 256 | <th>Escaped Underscore Coding</th> |
257 | <td>6322642.927</td> | |
257 | <td>6496347.261</td> | |
258 | 258 | </tr> |
259 | 259 | <tr> |
260 | 260 | <th>Cached Escaped Underscore Coding</th> |
261 | <td>4339193.305</td> | |
261 | <td>4708590.172</td> | |
262 | 262 | </tr> |
263 | 263 | <tr> |
264 | 264 | <th>XML Friendly Coding</th> |
265 | <td>5102368.550</td> | |
265 | <td>5122809.546</td> | |
266 | 266 | </tr> |
267 | 267 | </table> |
268 | 268 |
0 | 0 | <html> |
1 | 1 | <!-- |
2 | 2 | Copyright (C) 2005, 2006 Joe Walnes. |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 XStream committers. | |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 XStream committers. | |
4 | 4 | All rights reserved. |
5 | 5 | |
6 | 6 | The software in this package is published under the terms of the BSD |
14 | 14 | </head> |
15 | 15 | <body> |
16 | 16 | |
17 | <p>Changes are split into three categories:</p> | |
17 | <p>Changes are split into following categories:</p> | |
18 | 18 | |
19 | 19 | <ul> |
20 | 20 | <li><b>Major changes</b>: The major new features that all users should know about.</li> |
21 | 21 | <li><b>Minor changes</b>: Any smaller changes, including bugfixes.</li> |
22 | <li><b>Stream Compatibility</b>: Changes affecting the persisted data.</li> | |
22 | 23 | <li><b>API changes</b>: Any changes to the API that could impact existing users.</li> |
23 | 24 | </ul> |
24 | 25 | |
32 | 33 | |
33 | 34 | <p>Not yet released.</p> |
34 | 35 | --> |
36 | ||
37 | <h1 id="1.4.19">1.4.19</h1> | |
38 | ||
39 | <p>Released January 29, 2022.</p> | |
40 | ||
41 | <p class="highlight">This maintenance release addresses the security vulnerability | |
42 | <a href="CVE-2021-43859.html">CVE-2021-43859</a>, when unmarshalling highly recursive collections or maps causing a | |
43 | Denial of Service.</p> | |
44 | ||
45 | <h2>API changes</h2> | |
46 | ||
47 | <ul> | |
48 | <li>Added c.t.x.XStream.COLLECTION_UPDATE_LIMIT and c.t.x.XStream.COLLECTION_UPDATE_SECONDS.</li> | |
49 | <li>Added c.t.x.XStream.setCollectionUpdateLimit(int).</li> | |
50 | <li>Added c.t.x.core.SecurityUtils.</li> | |
51 | <li>Added c.t.x.security.AbstractSecurityException and c.t.x.security.InputManipulationException.</li> | |
52 | <li>c.t.x.security.InputManipulationException derives now from c.t.x.security.AbstractSecurityException.</li> | |
53 | </ul> | |
35 | 54 | |
36 | 55 | <h1 id="1.4.18">1.4.18</h1> |
37 | 56 | |
62 | 81 | |
63 | 82 | <ul> |
64 | 83 | <li>GHI:#233: Support serializable types with non-serializable parent with PureJavaReflectionConverter.</li> |
65 | </ul> | |
84 | </ul> | |
66 | 85 | |
67 | 86 | <h2>Stream compatibility</h2> |
68 | 87 |
0 | 0 | <html> |
1 | 1 | <!-- |
2 | 2 | Copyright (C) 2005, 2006 Joe Walnes. |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2020, 2021 XStream committers. | |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream committers. | |
4 | 4 | All rights reserved. |
5 | 5 | |
6 | 6 | The software in this package is published under the terms of the BSD |
17 | 17 | |
18 | 18 | <p><a href="versioning.html">About XStream version numbers...</a></p> |
19 | 19 | |
20 | <h1 id="stable">Stable Version: <span class="version">1.4.18</span></h1> | |
20 | <h1 id="stable">Stable Version: <span class="version">1.4.19</span></h1> | |
21 | 21 | |
22 | 22 | <ul> |
23 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.18/xstream-distribution-1.4.18-bin.zip">Binary distribution:</a></b> | |
23 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.19/xstream-distribution-1.4.19-bin.zip">Binary distribution:</a></b> | |
24 | 24 | Contains the XStream jar files, the Hibernate and Benchmark modules and all the dependencies.</li> |
25 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.18/xstream-distribution-1.4.18-src.zip">Source distribution:</a></b> | |
25 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.19/xstream-distribution-1.4.19-src.zip">Source distribution:</a></b> | |
26 | 26 | Contains the complete XStream project as if checked out from the Subversion version tag.</li> |
27 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.18/xstream-1.4.18.jar">XStream Core only:</a> | |
27 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.19/xstream-1.4.19.jar">XStream Core only:</a> | |
28 | 28 | The xstream.jar only as it is downloaded automatically when it is referenced as Maven dependency.</b></li> |
29 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.18/xstream-hibernate-1.4.18.jar">XStream Hibernate module:</a></b> | |
29 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.19/xstream-hibernate-1.4.19.jar">XStream Hibernate module:</a></b> | |
30 | 30 | The xstream-hibernate.jar as it is downloaded automatically when it is referenced as Maven dependency.</li> |
31 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.18/xstream-jmh-1.4.18-app.zip">XStream JMH module:</a></b> | |
31 | <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.19/xstream-jmh-1.4.19-app.zip">XStream JMH module:</a></b> | |
32 | 32 | The xstream-jmh-app.zip as standalone application with start scripts and all required libraries.</li> |
33 | 33 | </ul> |
34 | 34 | |
40 | 40 | <div class="Source XML"><pre><dependency> |
41 | 41 | <groupId>com.thoughtworks.xstream</groupId> |
42 | 42 | <artifactId>xstream</artifactId> |
43 | <version>1.4.18</version> | |
43 | <version>1.4.19</version> | |
44 | 44 | </dependency></pre></div> |
45 | 45 | |
46 | 46 | <h1 id="previous-releases">Previous Releases</h1> |
0 | 0 | <html> |
1 | 1 | <!-- |
2 | 2 | Copyright (C) 2005, 2006 Joe Walnes. |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 XStream committers. | |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2022 XStream committers. | |
4 | 4 | All rights reserved. |
5 | 5 | |
6 | 6 | The software in this package is published under the terms of the BSD |
71 | 71 | starting with R25.1.0. Generally it works for all modern Java runtimes based on OpenJDK. Android basically supports |
72 | 72 | the enhanced mode as well as the Google Application Engine, but the latter's security model limits the types that |
73 | 73 | can be handled. Note, that an active SecurityManager might prevent the usage of the enhanced mode also.</p> |
74 | <p>Since Java 9 it is required to permit the now illegal access.</p> | |
74 | <p>Since Java 9 it is required to permit the now illegal access. For Java 17 see below.</p> | |
75 | 75 | |
76 | 76 | <!-- ...................................................... --> |
77 | 77 | <h2 id="Compatibility_enhanced_mode_advantage">What are the advantages of using enhanced mode over pure Java mode?</h2> |
78 | 78 | |
79 | <p>Currently it is not possible to recreate every instance of a type using the official Java API only. The enhanced mode uses some undocumented, but wide-spread | |
80 | available functionality to recreate such instances nevertheless. However, in a secured secured environment, older Java run times or a limited Java environment might | |
81 | prevent the usage of the enhanced mode and XStream uses the plain Java API as fallback. This mode has some restrictions though:</p> | |
79 | <p>Currently it is not possible to recreate every instance of a type using the official Java API only. The enhanced | |
80 | mode uses some undocumented, but wide-spread available functionality to recreate such instances nevertheless. However, | |
81 | in a secured secured environment, older Java run times or a limited Java environment might prevent the usage of the | |
82 | enhanced mode and XStream uses the plain Java API as fallback. This mode has some restrictions though:</p> | |
82 | 83 | |
83 | 84 | <table summary="Comparison of pure Java and enhanced mode"> |
84 | 85 | <tr><th>Feature</th><th>Pure Java</th><th>Enhanced Mode</th></tr> |
98 | 99 | |
99 | 100 | <p>Yes, this is normal. A big part of XStream is reflection based and there is currently no replacement for the |
100 | 101 | complete required functionality. You will have to permit this access currently, otherwise XStream will not work.</p> |
102 | ||
103 | <!-- ...................................................... --> | |
104 | <h2 id="Compatibility_cannot_access_from_unnamed_module">XStream fails since Java 17, because types in modules cannot be accessed from the unnamed module!</h2> | |
105 | ||
106 | <p>Again, this is normal. The reflection stuff is required to get all required information to recreate an instance of | |
107 | a Java type at unmarshalling time. However, since Java 17 it is no longer possible to allow this access with a single | |
108 | runtime option. You have to open all packages of the individual modules for the unnamed module with the option | |
109 | <i>--add-opens</i>, where XStream requires access, e.g. <i>--add-opens java.base/java.util=ALL-UNNAMED</i></p> | |
101 | 110 | |
102 | 111 | <!-- ...................................................... --> |
103 | 112 | <h2 id="Compatibility_no_module">Why does XStream not even declare an automated module name?</h2> |
0 | 0 | <html> |
1 | 1 | <!-- |
2 | 2 | Copyright (C) 2005, 2006 Joe Walnes. |
3 | Copyright (C) 2006, 2007, 2008, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream committers. | |
3 | Copyright (C) 2006, 2007, 2008, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream committers. | |
4 | 4 | All rights reserved. |
5 | 5 | |
6 | 6 | The software in this package is published under the terms of the BSD |
72 | 72 | |
73 | 73 | <h1 id="news">Latest News</h1> |
74 | 74 | |
75 | <h2 id="release"><b>August 22, 2021</b> XStream 1.4.18 released</h2> | |
75 | <h2 id="1.4.19"><b>January 29, 2022</b> XStream 1.4.19 released</h2> | |
76 | 76 | |
77 | <p class="highlight">This maintenance release addresses the security vulnerabilities | |
78 | <a href="CVE-2021-39139.html">CVE-2021-39139</a>, | |
79 | <a href="CVE-2021-39140.html">CVE-2021-39140</a>, | |
80 | <a href="CVE-2021-39141.html">CVE-2021-39141</a>, | |
81 | <a href="CVE-2021-39144.html">CVE-2021-39144</a>, | |
82 | <a href="CVE-2021-39145.html">CVE-2021-39145</a>, | |
83 | <a href="CVE-2021-39146.html">CVE-2021-39146</a>, | |
84 | <a href="CVE-2021-39147.html">CVE-2021-39147</a>, | |
85 | <a href="CVE-2021-39148.html">CVE-2021-39148</a>, | |
86 | <a href="CVE-2021-39149.html">CVE-2021-39149</a>, | |
87 | <a href="CVE-2021-39150.html">CVE-2021-39150</a>, | |
88 | <a href="CVE-2021-39151.html">CVE-2021-39151</a>, | |
89 | <a href="CVE-2021-39152.html">CVE-2021-39152</a>, | |
90 | <a href="CVE-2021-39153.html">CVE-2021-39153</a>, and | |
91 | <a href="CVE-2021-39154.html">CVE-2021-39154</a>, when unmarshalling with an XStream instance using the default | |
92 | blacklist of an uninitialized security framework. XStream is therefore now using a whitelist by default.</p> | |
77 | <p class="highlight">This maintenance release addresses the security vulnerability | |
78 | <a href="CVE-2021-43859.html">CVE-2021-43859</a>, when unmarshalling highly recursive collections or maps causing a | |
79 | Denial of Service.</p> | |
93 | 80 | |
94 | 81 | <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p> |
95 | 82 |
0 | 0 | <html> |
1 | 1 | <!-- |
2 | 2 | Copyright (C) 2005, 2006 Joe Walnes. |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream committers. | |
3 | Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream committers. | |
4 | 4 | All rights reserved. |
5 | 5 | |
6 | 6 | The software in this package is published under the terms of the BSD |
14 | 14 | </head> |
15 | 15 | |
16 | 16 | <body> |
17 | ||
18 | <h2 id="1.4.19"><b>January 29, 2022</b> XStream 1.4.19 released</h2> | |
19 | ||
20 | <p class="highlight">This maintenance release addresses the security vulnerability | |
21 | <a href="CVE-2021-43859.html">CVE-2021-43859</a>, when unmarshalling highly recursive collections or maps causing a | |
22 | Denial of Service.</p> | |
23 | ||
24 | <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p> | |
25 | ||
26 | <p>Note, the next major release 1.5 will require Java 8.</p> | |
17 | 27 | |
18 | 28 | <h2 id="1.4.18"><b>August 22, 2021</b> XStream 1.4.18 released</h2> |
19 | 29 |
29 | 29 | context of the server running the XStream process or cause a denial of service by crashing the application or |
30 | 30 | manage to enter an endless loop consuming 100% of CPU cycles.</p> |
31 | 31 | |
32 | <p class=highlight>Note: XStream supports other data formats than XML, e.g. JSON. Those formats can be used for | |
33 | the same attacks.</p> | |
32 | <p class=highlight>Note: XStream supports other data formats than XML, e.g. JSON. Those formats can usually be used | |
33 | for the same attacks.</p> | |
34 | 34 | |
35 | <p>Note, that the XML data can be manipulated on different levels. For example, manipulating values on existing | |
36 | objects (such as a price value), accessing private data, or breaking the format and causing the XML parser to fail. | |
37 | The latter case will raise an exception, but the former case must be handled by validity checks in any application | |
38 | which processes user-supplied XML.</p> | |
35 | <p>The XML data can be manipulated on different levels. For example, manipulating values on existing objects (such | |
36 | as a price value), accessing private data, or breaking the format and causing the XML parser to fail. The latter | |
37 | case will raise an exception, but the former case must be handled by validity checks in any application which | |
38 | processes user-supplied XML.</p> | |
39 | 39 | |
40 | 40 | <h2 id="CVEs">Documented Vulnerabilities</h2> |
41 | 41 | |
47 | 47 | <tr> |
48 | 48 | <th>CVE</th> |
49 | 49 | <th>Description</th> |
50 | </tr> | |
51 | <tr> | |
52 | <th>Version 1.4.18</th> | |
53 | <td></td> | |
54 | </tr> | |
55 | <tr> | |
56 | <th><a href="CVE-2021-43859.html">CVE-2021-43859</a></th> | |
57 | <td>XStream can cause a Denial of Service by injecting highly recursive collections or maps.</td> | |
50 | 58 | </tr> |
51 | 59 | <tr> |
52 | 60 | <th>Version 1.4.17</th> |
256 | 264 | <p class="hightlight">A blacklist for special classes only creates therefore a scenario for a false security, |
257 | 265 | because no-one can assure, that no other vulnerability is found. A better approach is the usage of a whitelist |
258 | 266 | i.e. the allowed class types are setup explicitly. This is the default for XStream 1.4.18 (see below).</p> |
267 | ||
268 | <p>XStream supports references to objects already occuring on the object graph in an earlier location. This allows | |
269 | an attacker to create a highly recursive object structure. Some collections or maps calculate the position of a | |
270 | member based on the data of the member itself. This is true for sorting collections or maps, but also for | |
271 | collections or maps based on the hash code of the individual members. The calculation time for the member's | |
272 | position can increase exponentially depending on the recursive depth of the structure and cause therefore a Denial | |
273 | of Service. Therefore XStream measures the time consumed to add an element to a collection or map since version | |
274 | 1.4.19. Normally this operation is performed in a view milliseconds, but if adding elements take longer than a | |
275 | second, then the time is accumulated and an exception is thrown if it exceeds a definable limit (20 seconds by | |
276 | default).</p> | |
259 | 277 | |
260 | 278 | <h2 id="explicit">Explicit Security</h2> |
261 | 279 | |
284 | 302 | <p class=highlight>Apart from value manipulations, this implementation still allows the injection of allowed |
285 | 303 | objects at wrong locations, e.g. inserting an integer into a list of strings.</p> |
286 | 304 | |
305 | <p>To avoid an attack based on the position of an element in a collection or map, you should also use XStream's | |
306 | default converters for 3rd party or own implementations of collections or maps. Own custom converters of such | |
307 | types should measure the time to add an element at deserialization time using the following sequence in the | |
308 | implementation of the unmarshal method:<div class="Source Java"> | |
309 | <pre>// unmarshal element of collection | |
310 | long now = System.currentTimeMillis(); | |
311 | // add element here, e.g. list.add(element); | |
312 | SecurityUtils.checkForCollectionDoSAttack(context, now); | |
313 | </pre></div></p> | |
314 | ||
287 | 315 | <h2 id="validation">XML Validation</h2> |
288 | 316 | |
289 | 317 | <p>XML itself supports input validation using a schema and a validating parser. With XStream, you can use e.g. a |
338 | 366 | <p>XStream provides some TypePermission implementations to allow any or no type at all, to allow primitive types |
339 | 367 | and their counterpart, null, array types, implementations match the name of the type by regular or wildcard |
340 | 368 | expression and one to invert a permission.</p> |
369 | ||
370 | <p class="highlight">Note: The examples below are <strong>examples</strong>. Some will or might enable types that | |
371 | are target of a security issue from above and are highlighted as dangerous.</p> | |
341 | 372 | |
342 | 373 | <table class="examplesTable" summary="Overview over all type permissions delivered with XStream"> |
343 | 374 | <!-- .................................................................................................. --> |
344 | 375 | <tr> |
345 | 376 | <th>Permission</th> |
346 | 377 | <th>Description</th> |
347 | <th>Example</th> | |
378 | <th width="33%">Example</th> | |
379 | <th width="33%">Default</th> | |
348 | 380 | </tr> |
349 | 381 | <tr> |
350 | 382 | <td><a href="javadoc/com/thoughtworks/xstream/security/AnyTypePermission.html">AnyTypePermission</a></td> |
351 | 383 | <td><b>Start a blacklist</b> and allow any type. A registration of this permission will wipe any prior one. |
352 | 384 | You may use the ANY instance directly. Note, that it is now in the responsibility of the developer to deny any |
353 | 385 | type that might be used for arbitrary code execution as described in the CVEs above.</td> |
354 | <td>addPermission(<i>AnyTypePermission.ANY</i>);</td> | |
386 | <td class="example danger">addPermission(<i>AnyTypePermission.ANY</i>);</td> | |
387 | <td>no</td> | |
355 | 388 | </tr> |
356 | 389 | <tr> |
357 | 390 | <td><a href="javadoc/com/thoughtworks/xstream/security/ArrayTypePermission.html">ArrayTypePermission</a></td> |
358 | 391 | <td>Allow any array type. You may use the ARRAYS instance directly.</td> |
359 | <td>addPermission(<i>ArrayTypePermission.ARRAYS</i>);</td> | |
392 | <td class="example">addPermission(<i>ArrayTypePermission.ARRAYS</i>);</td> | |
393 | <td>yes</td> | |
360 | 394 | </tr> |
361 | 395 | <tr> |
362 | 396 | <td><a href="javadoc/com/thoughtworks/xstream/security/CGLIBProxyTypePermission.html">CGLIBProxyTypePermission</a></td> |
363 | 397 | <td>Allow any CGLIB proxy type. You may use the PROXIES instance directly.</td> |
364 | <td>addPermission(<i>CGLIBProxyTypePermission.PROXIES</i>);</td> | |
398 | <td class="example danger">addPermission(<i>CGLIBProxyTypePermission.PROXIES</i>);</td> | |
399 | <td>no</td> | |
365 | 400 | </tr> |
366 | 401 | <tr> |
367 | 402 | <td><a href="javadoc/com/thoughtworks/xstream/security/ExplicitTypePermission.html">ExplicitTypePermission</a></td> |
368 | 403 | <td>Allow types explicitly by name.</td> |
369 | <td>allowTypes(new String[] {"<i>java.io.File</i>", "<i>java.lang.ProcessBuilder</i>"});<br/> | |
404 | <td class="example danger">allowTypes(new String[] {"<i>java.io.File</i>", "<i>java.lang.ProcessBuilder</i>"});<br/> | |
370 | 405 | allowTypes(new Class[] {<i>java.io.File.class</i>, <i>java.lang.ProcessBuilder.class</i>});</td> |
406 | <td>java.io.File, java.nio.charset.Charset, java.util.BitSet, java.lang.Class, java.lang.Object, | |
407 | java.lang.StackTraceElement, java.lang.String, java.lang.StringBuffer, java.lang.StringBuilder, java.net.URI, | |
408 | java.net.URL, java.sql.Date, java.sql.Time, java.sql.Timestamp, java.text.DecimalFormatSymbols, | |
409 | java.time.Duration, java.time.Instant, java.time.LocalDate, java.time.LocalDateTime, java.time.LocalTime, | |
410 | java.time.MonthDay, java.time.OffsetDateTime, java.time.OffsetTime, java.time.Period, java.time.Ser, | |
411 | java.time.Year, java.time.YearMonth, java.time.ZonedDateTime, java.time.chrono.HijrahDate, | |
412 | java.time.chrono.JapaneseDate, java.time.chrono.JapaneseEra, java.time.chrono.MinguoDate, java.time.chrono.Ser, | |
413 | java.time.chrono.ThaiBuddhistDate, java.time.temporal.ValueRange, java.time.temporal.WeekFields, | |
414 | java.util.Currency, java.util.Date, java.util.Locale, java.util.regex.Pattern, java.util.UUID</td> | |
371 | 415 | </tr> |
372 | 416 | <tr> |
373 | 417 | <td><a href="javadoc/com/thoughtworks/xstream/security/InterfaceTypePermission.html">InterfaceTypePermission</a></td> |
374 | 418 | <td>Allow any interface type. You may use the INTERFACES instance directly.</td> |
375 | <td>addPermission(<i>InterfaceTypePermission.INTERFACES</i>);</td> | |
419 | <td class="example">addPermission(<i>InterfaceTypePermission.INTERFACES</i>);</td> | |
420 | <td>yes</td> | |
376 | 421 | </tr> |
377 | 422 | <tr> |
378 | 423 | <td><a href="javadoc/com/thoughtworks/xstream/security/NoPermission.html">NoPermission</a></td> |
379 | 424 | <td>Invert any other permission. Instances of this type are used by XStream in the deny methods wrapping a permission.</td> |
380 | <td>denyPermission(<i>permissionInstance</i>);</td> | |
425 | <td class="example">denyPermission(<i>permissionInstance</i>);</td> | |
426 | <td>no</td> | |
381 | 427 | </tr> |
382 | 428 | <tr> |
383 | 429 | <td><a href="javadoc/com/thoughtworks/xstream/security/NoTypePermission.html">NoTypePermission</a></td> |
384 | 430 | <td><b>Start a whitelist</b> and allow no type. A registration of this permission will wipe any prior one. |
385 | 431 | You may use the NONE instance directly.</td> |
386 | <td>addPermission(<i>NoTypePermission.NONE</i>);</td> | |
432 | <td class="example">addPermission(<i>NoTypePermission.NONE</i>);</td> | |
433 | <td>yes</td> | |
387 | 434 | </tr> |
388 | 435 | <tr> |
389 | 436 | <td><a href="javadoc/com/thoughtworks/xstream/security/NullPermission.html">NullPermission</a></td> |
390 | 437 | <td>Allow null as type. You may use the NULL instance directly.</td> |
391 | <td>addPermission(<i>NullPermission.NULL</i>);</td> | |
438 | <td class="example">addPermission(<i>NullPermission.NULL</i>);</td> | |
439 | <td>yes</td> | |
392 | 440 | </tr> |
393 | 441 | <tr> |
394 | 442 | <td><a href="javadoc/com/thoughtworks/xstream/security/PrimitiveTypePermission.html">PrimitiveTypePermission</a></td> |
395 | 443 | <td>Allow any primitive type and its boxed counterpart (excluding void). You may use the PRIMITIVES instance |
396 | 444 | directly.</td> |
397 | <td>addPermission(<i>PrimitiveTypePermission.PRIMITIVES</i>);</td> | |
445 | <td class="example">addPermission(<i>PrimitiveTypePermission.PRIMITIVES</i>);</td> | |
446 | <td>yes</td> | |
398 | 447 | </tr> |
399 | 448 | <tr> |
400 | 449 | <td><a href="javadoc/com/thoughtworks/xstream/security/ProxyTypePermission.html">ProxyTypePermission</a></td> |
401 | 450 | <td>Allow any Java proxy type. You may use the PROXIES instance directly.</td> |
402 | <td>addPermission(<i>ProxyTypePermission.PROXIES</i>);</td> | |
451 | <td class="example">addPermission(<i>ProxyTypePermission.PROXIES</i>);</td> | |
452 | <td>no</td> | |
403 | 453 | </tr> |
404 | 454 | <tr> |
405 | 455 | <td><a href="javadoc/com/thoughtworks/xstream/security/RegExpTypePermission.html">RegExpTypePermission</a></td> |
406 | 456 | <td>Allow any type that matches with its name a regular expression.</td> |
407 | <td class="example">allowTypeByRegExp(new String[]{"<i>.*\\.core\\..*</i>", "<i>[^$]+</i>"});<br/> | |
408 | allowTypeByRegExp(new Pattern[]{Pattern.compile("<i>.*\\.core\\..*</i>"), Pattern.compile("<i>[^$]+</i>")});</td> | |
457 | <td class="example danger">allowTypesByRegExp(new String[]{"<i>.*\\.core\\..*</i>", "<i>[^$]+</i>"});<br/> | |
458 | allowTypesByRegExp(new Pattern[]{Pattern.compile("<i>.*\\.core\\..*</i>"), Pattern.compile("<i>[^$]+</i>")});</td> | |
459 | <td>–</td> | |
409 | 460 | </tr> |
410 | 461 | <tr> |
411 | 462 | <td><a href="javadoc/com/thoughtworks/xstream/security/TypeHierarchyPermission.html">TypeHierarchyPermission</a></td> |
412 | 463 | <td>Allow types of a hierarchy.</td> |
413 | <td>allowTypeHierarchy(<i>java.lang.Throwable.class</i>);</td> | |
464 | <td class="example">allowTypeHierarchy(<i>java.lang.Throwable.class</i>);</td> | |
465 | <td>java.lang.Enum, java.lang.Number, java.lang.Throwable, java.lang.reflect.Member, java.nio.file.Path, | |
466 | java.time.Clock, java.time.ZoneId, java.time.chrono.Chronology, java.util.Calendar, java.util.Collection, | |
467 | java.util.Map, java.util.Map.Entry, java.util.TimeZone</td> | |
414 | 468 | </tr> |
415 | 469 | <tr> |
416 | 470 | <td><a href="javadoc/com/thoughtworks/xstream/security/WildcardTypePermission.html">WildcardTypePermission</a></td> |
417 | 471 | <td>Allow any type that matches with its name a wildcard expression.</td> |
418 | <td>allowTypeByWildcard(new String[]{"<i>java.lang.*</i>", "<i>java.util.**"</i>});</td> | |
472 | <td class="example danger">allowTypesByWildcard(new String[]{"<i>java.lang.*</i>", "<i>java.util.**"</i>});</td> | |
473 | <td>–</td> | |
419 | 474 | </tr> |
420 | 475 | </table> |
421 | 476 | |
422 | 477 | <h2 id="example">Example Code Whitelist</h2> |
423 | 478 | |
424 | <p>XStream uses the AnyTypePermission by default, i.e. any type is accepted. You have to clear out this default | |
425 | and register your own permissions to activate the security framework (the Blog type is from the | |
479 | <p>XStream uses now the NoTypePermission by default with an internal whitelist. You can clear out this default | |
480 | and/or register your own permissions to adjust the security framework (the Blog type is from the | |
426 | 481 | <a href="alias-tutorial.html">Alias Tutorial</a>):</p> |
427 | 482 | <div class="Source Java"><pre>XStream xstream = new XStream(); |
428 | 483 | // clear out existing permissions and start a whitelist |
447 | 502 | <p>Users of XStream 1.4.17 who insist to use XStream default blacklist - despite that clear recommendation - can |
448 | 503 | add these lines to XStream's setup code:</p> |
449 | 504 | <div class="Source Java"><pre>xstream.denyTypesByWildcard(new String[]{ "sun.reflect.**", "sun.tracing.**", "com.sun.corba.**" }); |
450 | xstream.denyTypesByRegExp(new String[]{ ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|tor),.*\\$URLData" }); | |
505 | xstream.denyTypesByRegExp(new String[]{ ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|or)", ".*\\$URLData", ".*\\.xsltc\\.trax\\.TemplatesImpl" }); | |
451 | 506 | </pre></div> |
452 | 507 | |
453 | 508 | <p>Users of XStream 1.4.16 should add these lines and <strong>additionally</strong> the lines for version 1.4.17:</p> |
472 | 527 | scratch:</p> |
473 | 528 | <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" }); |
474 | 529 | xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); |
475 | xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader", ".*\\$GetterSetterReflection", ".*\\$LazyIterator", ".*\\$PrivilegedGetter", ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)", ".*\\$URLData" }); | |
530 | ".*\\.xsltc\\.trax\\.TemplatesImpl"xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader", ".*\\$GetterSetterReflection", ".*\\$LazyIterator", ".*\\$PrivilegedGetter", ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)", ".*\\$URLData", ".*\\.xsltc\\.trax\\.TemplatesImpl" }); | |
476 | 531 | xstream.denyTypesByWildcard(new String[]{ "sun.reflect.**", "sun.tracing.**", "com.sun.corba.**" }); |
477 | 532 | xstream.denyTypeHierarchy(java.io.InputStream.class); |
478 | 533 | xstream.denyTypeHierarchy(java.nio.channels.Channel.class); |
487 | 542 | return type != null |
488 | 543 | && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class |
489 | 544 | || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("sun.awt.datatransfer.DataTransferer$IndexOrderComparator") || type.getName().equals("com.sun.corba.se.impl.activation.ServerTableEntry") || type.getName().equals("com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator") |
490 | || type.getName().matches("javafx\\.collections\\.ObservableList\\$.*") || type.getName().matches(".*\\$ServiceNameIterator") || type.getName().matches(".*\\$GetterSetterReflection") || type.getName().matches(".*\\$LazyIterator") || type.getName().matches(".*\\$ProxyLazyValue") || type.getName().matches(".*\\.bcel\\..*\\.util\\.ClassLoader") || type.getName().matches(".*\\.ws\\.client\\.sei\\..*") || type.getName().matches("com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)") || type.getName().matches(".*\\$URLData") | |
545 | || type.getName().matches("javafx\\.collections\\.ObservableList\\$.*") || type.getName().matches(".*\\$ServiceNameIterator") || type.getName().matches(".*\\$GetterSetterReflection") || type.getName().matches(".*\\$LazyIterator") || type.getName().matches(".*\\$ProxyLazyValue") || type.getName().matches(".*\\.bcel\\..*\\.util\\.ClassLoader") || type.getName().matches(".*\\.ws\\.client\\.sei\\..*") || type.getName().matches("com\\.sun\\.jndi\\..*Enumerat(?:ion|or)") | |
546 | || type.getName().endsWith(".$URLData") || type.getName().endsWith(".xsltc.trax.TemplatesImpl") | |
491 | 547 | || type.getName().startsWith("sun.reflect.") || type.getName().startsWith("sun.tracing.") || type.getName().startsWith("com.sun.corba.") |
492 | 548 | || java.io.InputStream.class.isAssignableFrom(type) || java.nio.channels.Channel.isAssignableFrom(type) || javax.activation.DataSource.isAssignableFrom(type) ||javax.sql.rowset.BaseRowSet.isAssignableFrom(type) |
493 | 549 | || Proxy.isProxy(type)); |
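Review bot: The new `type.getName().endsWith(".$URLData")` test in the hand-written TypePermission example (new line 546) can never match, because a nested class name is `Outer$URLData` with no dot before the `$`, so anyone who copies this permission silently keeps allowing the `$URLData` types that the regex form above (`.*\\$URLData`) denies; it should read `|| type.getName().endsWith("$URLData")`. The combined deny block on new line 530 also has a stray `".*\\.xsltc\\.trax\\.TemplatesImpl"` literal pasted before `xstream.denyTypesByRegExp(`, which makes the snippet uncompilable as shown, and it still carries the `Enumerat(?:ion|tor)` typo that the 1.4.17 block on line 505 corrects to `Enumerat(?:ion|or)`, so `com.sun.jndi...Enumerator` types would not be denied by it. The untouched context line 543 (`type == java.lang.Void.class || void.class`) presumably also means `type == void.class`, as written it is not a comparison at all. Since these snippets are what users paste into production hardening code, I would fix all three and put a one-line note above the example, e.g. `// stop-gap for the legacy blacklist only; the whitelist shown above is the supported configuration`.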
88 | 88 | <page>CVE-2021-39152.html</page> |
89 | 89 | <page>CVE-2021-39153.html</page> |
90 | 90 | <page>CVE-2021-39154.html</page> |
91 | <page>CVE-2021-43859.html</page> | |
91 | 92 | <page>CVE-2020-26217.html</page> |
92 | 93 | <page>CVE-2020-26258.html</page> |
93 | 94 | <page>CVE-2020-26259.html</page> |
0 | 0 | /* |
1 | 1 | Copyright (C) 2005, 2006 Joe Walnes. |
2 | Copyright (C) 2006, 2007 XStream committers. | |
2 | Copyright (C) 2006, 2007, 2021 XStream committers. | |
3 | 3 | All rights reserved. |
4 | 4 | |
5 | 5 | The software in this package is published under the terms of the BSD |
245 | 245 | padding: 0px; |
246 | 246 | border: 0px; |
247 | 247 | font-size: inherit; |
248 | line-spacing: 100%; | |
248 | line-height: 100%; | |
249 | 249 | } |
250 | 250 | |
251 | 251 | .highlight { |
252 | 252 | background-color: #e0f0e0; |
253 | 253 | border: 1px dotted #060; |
254 | 254 | padding: 5px; |
255 | } | |
256 | ||
257 | .danger { | |
258 | color: red; | |
259 | font-weight: bold; | |
255 | 260 | } |
256 | 261 | |
257 | 262 | /* The following are for images, but can also apply to div's containing images. */ |
0 | 0 | <?xml version="1.0"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> |
1 | 1 | <!-- |
2 | Copyright (C) 2011, 2012, 2013, 2015, 2017 XStream committers. | |
2 | Copyright (C) 2011, 2012, 2013, 2015, 2017, 2022 XStream committers. | |
3 | 3 | All rights reserved. |
4 | 4 | |
5 | 5 | The software in this package is published under the terms of the BSD |
12 | 12 | <parent> |
13 | 13 | <groupId>com.thoughtworks.xstream</groupId> |
14 | 14 | <artifactId>xstream-parent</artifactId> |
15 | <version>1.4.18</version> | |
15 | <version>1.4.19</version> | |
16 | 16 | </parent> |
17 | 17 | <artifactId>xstream-hibernate</artifactId> |
18 | 18 | <packaging>jar</packaging> |
23 | 23 | |
24 | 24 | <profiles> |
25 | 25 | <profile> |
26 | <id>jdk19-ge</id> | |
26 | <id>jdk17-ge</id> | |
27 | 27 | <activation> |
28 | <jdk>[9,)</jdk> | |
28 | <jdk>[17,)</jdk> | |
29 | </activation> | |
30 | <properties> | |
31 | <surefire.argline>--add-opens java.base/java.lang=ALL-UNNAMED</surefire.argline> | |
32 | </properties> | |
33 | </profile> | |
34 | <profile> | |
35 | <id>jdk9-ge-jdk16</id> | |
36 | <activation> | |
37 | <jdk>[9,17)</jdk> | |
29 | 38 | </activation> |
30 | 39 | <properties> |
31 | 40 | <surefire.argline>--illegal-access=${surefire.illegal.access}</surefire.argline> |
32 | 41 | </properties> |
33 | 42 | </profile> |
34 | 43 | <profile> |
35 | <id>jdk18</id> | |
44 | <id>jdk8</id> | |
36 | 45 | <activation> |
37 | 46 | <jdk>1.8</jdk> |
38 | 47 | </activation> |
63 | 72 | </reporting> |
64 | 73 | </profile> |
65 | 74 | <profile> |
66 | <id>jdk16-ge</id> | |
75 | <id>jdk6-ge</id> | |
67 | 76 | <activation> |
68 | 77 | <jdk>[1.6,)</jdk> |
69 | 78 | </activation> |
2 | 2 | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
3 | 3 | xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> |
4 | 4 | <!-- |
5 | Copyright (C) 2019, 2020 XStream committers. | |
5 | Copyright (C) 2019, 2020, 2022 XStream committers. | |
6 | 6 | All rights reserved. |
7 | 7 | |
8 | 8 | The software in this package is published under the terms of the BSD |
14 | 14 | <parent> |
15 | 15 | <artifactId>xstream-parent</artifactId> |
16 | 16 | <groupId>com.thoughtworks.xstream</groupId> |
17 | <version>1.4.12-SNAPSHOT</version> | |
17 | <version>1.4.19-SNAPSHOT</version> | |
18 | 18 | </parent> |
19 | 19 | <modelVersion>4.0.0</modelVersion> |
20 | 20 | <artifactId>xstream-its</artifactId> |
0 | 0 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> |
1 | 1 | <!-- |
2 | Copyright (C) 2015, 2017, 2020, 2021 XStream committers. | |
2 | Copyright (C) 2015, 2017, 2020, 2021, 2022 XStream committers. | |
3 | 3 | All rights reserved. |
4 | 4 | |
5 | 5 | The software in this package is published under the terms of the BSD |
12 | 12 | <parent> |
13 | 13 | <groupId>com.thoughtworks.xstream</groupId> |
14 | 14 | <artifactId>xstream-parent</artifactId> |
15 | <version>1.4.18</version> | |
15 | <version>1.4.19</version> | |
16 | 16 | </parent> |
17 | 17 | <artifactId>xstream-jmh</artifactId> |
18 | 18 | <packaging>jar</packaging> |
66 | 66 | </build> |
67 | 67 | </profile> |
68 | 68 | <profile> |
69 | <id>jdk18</id> | |
69 | <id>jdk8</id> | |
70 | 70 | <activation> |
71 | 71 | <jdk>1.8</jdk> |
72 | 72 | </activation> |
97 | 97 | </reporting> |
98 | 98 | </profile> |
99 | 99 | <profile> |
100 | <id>jdk17-le</id> | |
100 | <id>jdk7-le</id> | |
101 | 101 | <activation> |
102 | 102 | <jdk>(,1.7]</jdk> |
103 | 103 | </activation> |
0 | @echo off | |
1 | @REM Copyright (C) 2015 XStream Committers. | |
2 | @REM All rights reserved. | |
3 | @REM | |
4 | @REM The software in this package is published under the terms of the BSD | |
5 | @REM style license a copy of which has been included with this distribution in | |
6 | @REM the LICENSE.txt file. | |
7 | @REM | |
8 | @REM Created on 28. October 2015 by Joerg Schaible | |
9 | ||
10 | @REM Run XStream JMH | |
11 | if "%XSTREAM_SCRIPT_ECHO%"=="on" echo on | |
12 | ||
13 | if "%OS%"=="Windows_NT" @setlocal | |
14 | if "%OS%"=="WINNT" @setlocal | |
15 | ||
16 | @REM * Set title | |
17 | @REM *********** | |
18 | title ScalarisDMS | |
19 | ||
20 | @REM * Goto script root dir | |
21 | @REM ********************** | |
22 | cd /d %~dp0\.. | |
23 | ||
24 | @REM * Initialize environment | |
25 | @REM ************************ | |
26 | @REM JAVA_OPTS and APP_OPTS can be set from outside | |
27 | set JAVA_BIN= | |
28 | set APP_CP= | |
29 | ||
30 | @REM * Set Java executable | |
31 | @REM ********************* | |
32 | if not defined JAVA_EXE set JAVA_EXE=java.exe | |
33 | if "%JAVA_BIN%" NEQ "" if exist %JAVA_BIN% goto SetClassPath | |
34 | if defined JAVA_HOME if "%JAVA_HOME%" NEQ "" set JAVA_BIN=%JAVA_HOME%\bin\%JAVA_EXE% | |
35 | if exist %JAVA_BIN% goto SetClassPath | |
36 | if defined JDK_HOME if "%JDK_HOME%" NEQ "" set JAVA_BIN=%JDK_HOME%\jre\bin\%JAVA_EXE% | |
37 | if exist %JAVA_BIN% goto SetClassPath | |
38 | set JAVA_BIN=%JAVA_EXE% | |
39 | ||
40 | :SetClassPath | |
41 | @REM * Set class path | |
42 | @REM **************** | |
43 | for %%i in (lib\*.jar) do call :APP_CP_append %%i | |
44 | call :APP_CP_append "config" | |
45 | ||
46 | @REM * Set options | |
47 | @REM ************* | |
48 | set JAVA_OPTS=%JAVA_OPTS% -Xmx2048m -Xss4m | |
49 | ||
50 | ||
51 | @REM * Main class | |
52 | @REM ************ | |
53 | set MAIN_CLASS=org.openjdk.jmh.Main | |
54 | ||
55 | @REM * Run application | |
56 | @REM ***************** | |
57 | %JAVA_BIN% %JAVA_OPTS% %APP_DEFINES% -cp %APP_CP% %MAIN_CLASS% %APP_OPTS% %* | |
58 | ||
59 | ||
60 | if "%OS%"=="Windows_NT" @endlocal | |
61 | goto :EOF | |
62 | ||
63 | ||
64 | @REM *************** | |
65 | @REM * Sub functions | |
66 | @REM *************** | |
67 | ||
68 | :APP_CP_append | |
69 | set APP_CP=%APP_CP%;%1 | |
70 | goto :EOF | |
0 | @echo off | |
1 | @REM Copyright (C) 2015, 2022 XStream Committers. | |
2 | @REM All rights reserved. | |
3 | @REM | |
4 | @REM The software in this package is published under the terms of the BSD | |
5 | @REM style license a copy of which has been included with this distribution in | |
6 | @REM the LICENSE.txt file. | |
7 | @REM | |
8 | @REM Created on 28. October 2015 by Joerg Schaible | |
9 | ||
10 | @REM Run XStream JMH | |
11 | if "%XSTREAM_SCRIPT_ECHO%"=="on" echo on | |
12 | ||
13 | if "%OS%"=="Windows_NT" @setlocal | |
14 | if "%OS%"=="WINNT" @setlocal | |
15 | ||
16 | @REM * Set title | |
17 | @REM *********** | |
18 | title ScalarisDMS | |
19 | ||
20 | @REM * Goto script root dir | |
21 | @REM ********************** | |
22 | cd /d %~dp0\.. | |
23 | ||
24 | @REM * Initialize environment | |
25 | @REM ************************ | |
26 | @REM JAVA_OPTS and APP_OPTS can be set from outside | |
27 | set JAVA_BIN= | |
28 | set APP_CP= | |
29 | ||
30 | @REM * Set Java executable | |
31 | @REM ********************* | |
32 | if not defined JAVA_EXE set JAVA_EXE=java.exe | |
33 | if "%JAVA_BIN%" NEQ "" if exist %JAVA_BIN% goto SetClassPath | |
34 | if defined JAVA_HOME if "%JAVA_HOME%" NEQ "" set JAVA_BIN=%JAVA_HOME%\bin\%JAVA_EXE% | |
35 | if exist %JAVA_BIN% goto SetClassPath | |
36 | if defined JDK_HOME if "%JDK_HOME%" NEQ "" set JAVA_BIN=%JDK_HOME%\jre\bin\%JAVA_EXE% | |
37 | if exist %JAVA_BIN% goto SetClassPath | |
38 | set JAVA_BIN=%JAVA_EXE% | |
39 | ||
40 | :SetClassPath | |
41 | @REM * Set class path | |
42 | @REM **************** | |
43 | for %%i in (lib\*.jar) do call :APP_CP_append %%i | |
44 | call :APP_CP_append "config" | |
45 | ||
46 | @REM * Open modules for parsers using Java 17 or higher | |
47 | @REM ************* | |
48 | for /F "tokens=2 usebackq" %%j in (`%JAVA_BIN% -cp "%APP_CP%" com.thoughtworks.xstream.core.JVM ^| find "java.specification.version"`) DO SET JAVA_VERSION=%%j | |
49 | if %JAVA_VERSION% GEQ 17 set JAVA_OPTS=%JAVA_OPTS% --add-opens java.xml/com.sun.org.apache.xerces.internal.parsers=ALL-UNNAMED | |
50 | if %JAVA_VERSION% GEQ 17 set JAVA_OPTS=%JAVA_OPTS% --add-opens java.xml/com.sun.org.apache.xerces.internal.util=ALL-UNNAMED | |
51 | if %JAVA_VERSION% GEQ 17 set JAVA_OPTS=%JAVA_OPTS% --add-opens java.xml/com.sun.xml.internal.stream=ALL-UNNAMED | |
52 | ||
53 | @REM * Set options | |
54 | @REM ************* | |
55 | set JAVA_OPTS=%JAVA_OPTS% -Xmx2048m -Xss4m | |
56 | ||
57 | @REM * Main class | |
58 | @REM ************ | |
59 | set MAIN_CLASS=org.openjdk.jmh.Main | |
60 | ||
61 | @REM * Run application | |
62 | @REM ***************** | |
63 | %JAVA_BIN% %JAVA_OPTS% %APP_DEFINES% -cp %APP_CP% %MAIN_CLASS% %APP_OPTS% %* | |
64 | ||
65 | ||
66 | if "%OS%"=="Windows_NT" @endlocal | |
67 | goto :EOF | |
68 | ||
69 | ||
70 | @REM *************** | |
71 | @REM * Sub functions | |
72 | @REM *************** | |
73 | ||
74 | :APP_CP_append | |
75 | set APP_CP=%APP_CP%;%1 | |
76 | goto :EOF |
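Review bot: The three `if %JAVA_VERSION% GEQ 17` lines (49–51) abort the script with a `GEQ was unexpected at this time` error whenever JAVA_VERSION ends up empty, which happens if the `for /F` on line 48 matches nothing — for instance when the `com.thoughtworks.xstream.core.JVM` helper is not on the freshly assembled classpath or prints no `java.specification.version` line — because the left operand disappears before the operator. A default right after the `for /F`, `if not defined JAVA_VERSION set JAVA_VERSION=0`, keeps the launcher running and simply omits the `--add-opens` options. The comparison also relies on a quirk worth documenting: on a pre-9 JVM the value is `1.8`, which is not an integer and so falls back to string comparison, where it happens to sort below `17`; a comment such as `@REM java.specification.version is 1.x before Java 9; string comparison still sorts it below 17` would stop someone "fixing" it later. Line 48 passes `-cp "%APP_CP%"` quoted while the run line 63 passes `-cp %APP_CP%` unquoted; the two should agree.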
0 | 0 | #!/bin/sh |
1 | # Copyright (C) 2015 XStream Committers. | |
1 | # Copyright (C) 2015, 2022 XStream Committers. | |
2 | 2 | # All rights reserved. |
3 | 3 | # |
4 | 4 | # The software in this package is published under the terms of the BSD |
40 | 40 | APP_CP=$APP_CP:$i |
41 | 41 | done |
42 | 42 | |
43 | # * Open modules for parsers using Java 17 or higher | |
44 | # ************* | |
45 | JAVA_VERSION=`$JAVA_BIN -cp $APP_CP com.thoughtworks.xstream.core.JVM | grep "java.specification.version" | cut -d ' ' -f 2` | |
46 | if [[ $JAVA_VERSION -ge 17 ]]; then | |
47 | JAVA_OPTS="$JAVA_OPTS --add-opens java.xml/com.sun.org.apache.xerces.internal.parsers=ALL-UNNAMED" | |
48 | JAVA_OPTS="$JAVA_OPTS --add-opens java.xml/com.sun.org.apache.xerces.internal.util=ALL-UNNAMED" | |
49 | JAVA_OPTS="$JAVA_OPTS --add-opens java.xml/com.sun.xml.internal.stream=ALL-UNNAMED" | |
50 | fi | |
51 | ||
43 | 52 | # * Set options |
44 | 53 | # ************* |
45 | 54 | JAVA_OPTS="$JAVA_OPTS -Xmx2048m -Xss4m" |
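Review bot: `if [[ $JAVA_VERSION -ge 17 ]]` on line 46 is a bash construct, but the script is declared `#!/bin/sh`; under a POSIX shell such as dash the test fails with `[[: not found`, the branch is silently skipped, and on Java 17+ the benchmark starts without the `--add-opens` options the commit is adding — the Windows counterpart does not have this problem. An empty or `1.x` value (Java 8 reports `1.8`) would make even a POSIX `[ -ge ]` emit an error, so I would replace line 46 with `JAVA_MAJOR=${JAVA_VERSION%%.*}` followed by `if [ "${JAVA_MAJOR:-0}" -ge 17 ]; then`. The parsing on line 45 presumably depends on the `JVM` helper printing `key value` separated by a single space; a one-line comment stating that assumption would help the next maintainer. Since these options open the JDK's internal XML parser packages to every class on the classpath, a comment noting they exist only so the benchmark drivers can reflect into those parsers would keep them from being copied into other launch scripts. The rest of the script lies outside the hunk.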
0 | Benchmark (codec) (data) (driverFactory) (operation) Mode Cnt Score Error Units | |
1 | Base64Benchmark.run xstreamInternal small N/A encode avgt 16 422.691 ± 0.805 ns/op | |
2 | Base64Benchmark.run xstreamInternal small N/A decode avgt 16 401.744 ± 41.549 ns/op | |
3 | Base64Benchmark.run xstreamInternal medium N/A encode avgt 16 87980.151 ± 1758.463 ns/op | |
4 | Base64Benchmark.run xstreamInternal medium N/A decode avgt 16 90334.626 ± 272.486 ns/op | |
5 | Base64Benchmark.run xstreamInternal big N/A encode avgt 16 26829622.608 ± 219338.574 ns/op | |
6 | Base64Benchmark.run xstreamInternal big N/A decode avgt 16 25760733.427 ± 892724.693 ns/op | |
7 | Base64Benchmark.run dataTypeConverter small N/A encode avgt 16 116.452 ± 4.685 ns/op | |
8 | Base64Benchmark.run dataTypeConverter small N/A decode avgt 16 156.041 ± 0.232 ns/op | |
9 | Base64Benchmark.run dataTypeConverter medium N/A encode avgt 16 22025.833 ± 871.377 ns/op | |
10 | Base64Benchmark.run dataTypeConverter medium N/A decode avgt 16 29199.416 ± 1366.584 ns/op | |
11 | Base64Benchmark.run dataTypeConverter big N/A encode avgt 16 10173025.627 ± 14375.190 ns/op | |
12 | Base64Benchmark.run dataTypeConverter big N/A decode avgt 16 7645745.427 ± 378490.086 ns/op | |
13 | Base64Benchmark.run javaUtil small N/A encode avgt 16 113.013 ± 10.478 ns/op | |
14 | Base64Benchmark.run javaUtil small N/A decode avgt 16 83.877 ± 0.298 ns/op | |
15 | Base64Benchmark.run javaUtil medium N/A encode avgt 16 14425.936 ± 39.693 ns/op | |
16 | Base64Benchmark.run javaUtil medium N/A decode avgt 16 13846.668 ± 779.799 ns/op | |
17 | Base64Benchmark.run javaUtil big N/A encode avgt 16 6149989.342 ± 199233.302 ns/op | |
18 | Base64Benchmark.run javaUtil big N/A decode avgt 16 5342302.204 ± 18186.258 ns/op | |
19 | Base64Benchmark.run commonsCodec small N/A encode avgt 16 6390.608 ± 72.975 ns/op | |
20 | Base64Benchmark.run commonsCodec small N/A decode avgt 16 6385.171 ± 89.129 ns/op | |
21 | Base64Benchmark.run commonsCodec medium N/A encode avgt 16 68085.447 ± 138.335 ns/op | |
22 | Base64Benchmark.run commonsCodec medium N/A decode avgt 16 68183.900 ± 6315.687 ns/op | |
23 | Base64Benchmark.run commonsCodec big N/A encode avgt 16 29120324.467 ± 745830.065 ns/op | |
24 | Base64Benchmark.run commonsCodec big N/A decode avgt 16 22775668.935 ± 627458.817 ns/op | |
25 | Base64Benchmark.run migBase small N/A encode avgt 16 107.834 ± 0.218 ns/op | |
26 | Base64Benchmark.run migBase small N/A decode avgt 16 110.671 ± 5.789 ns/op | |
27 | Base64Benchmark.run migBase medium N/A encode avgt 16 19048.637 ± 1321.623 ns/op | |
28 | Base64Benchmark.run migBase medium N/A decode avgt 16 22464.136 ± 30.464 ns/op | |
29 | Base64Benchmark.run migBase big N/A encode avgt 16 10101223.925 ± 193350.342 ns/op | |
30 | Base64Benchmark.run migBase big N/A decode avgt 16 6967471.163 ± 405344.659 ns/op | |
0 | # JMH version: 1.21 | |
1 | # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8 | |
2 | # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java | |
3 | # VM options: -Xmx2048m -Xss4m | |
4 | # Warmup: 5 iterations, 10 s each | |
5 | # Measurement: 16 iterations, 10 s each | |
6 | # Timeout: 10 min per iteration | |
7 | # Threads: 4 threads, will synchronize iterations | |
8 | # Benchmark mode: Average time, time/op | |
9 | # Benchmark: com.thoughtworks.xstream.benchmark.jmh.Base64Benchmark | |
10 | ||
11 | Benchmark (codec) (data) (driverFactory) (operation) Mode Cnt Score Error Units | |
12 | Base64Benchmark.run xstreamInternal small N/A encode avgt 16 317.846 ± 10.973 ns/op | |
13 | Base64Benchmark.run xstreamInternal small N/A decode avgt 16 377.680 ± 21.156 ns/op | |
14 | Base64Benchmark.run xstreamInternal medium N/A encode avgt 16 98465.757 ± 5610.134 ns/op | |
15 | Base64Benchmark.run xstreamInternal medium N/A decode avgt 16 79392.274 ± 4716.703 ns/op | |
16 | Base64Benchmark.run xstreamInternal big N/A encode avgt 16 30390677.188 ± 934410.490 ns/op | |
17 | Base64Benchmark.run xstreamInternal big N/A decode avgt 16 27259197.002 ± 2069094.026 ns/op | |
18 | Base64Benchmark.run dataTypeConverter small N/A encode avgt 16 124.194 ± 6.328 ns/op | |
19 | Base64Benchmark.run dataTypeConverter small N/A decode avgt 16 122.598 ± 3.525 ns/op | |
20 | Base64Benchmark.run dataTypeConverter medium N/A encode avgt 16 21026.423 ± 658.662 ns/op | |
21 | Base64Benchmark.run dataTypeConverter medium N/A decode avgt 16 29866.717 ± 2025.820 ns/op | |
22 | Base64Benchmark.run dataTypeConverter big N/A encode avgt 16 10501691.522 ± 231137.592 ns/op | |
23 | Base64Benchmark.run dataTypeConverter big N/A decode avgt 16 7861959.972 ± 390429.038 ns/op | |
24 | Base64Benchmark.run javaUtil small N/A encode avgt 16 105.755 ± 9.011 ns/op | |
25 | Base64Benchmark.run javaUtil small N/A decode avgt 16 105.170 ± 9.459 ns/op | |
26 | Base64Benchmark.run javaUtil medium N/A encode avgt 16 15352.908 ± 681.790 ns/op | |
27 | Base64Benchmark.run javaUtil medium N/A decode avgt 16 14575.556 ± 1391.487 ns/op | |
28 | Base64Benchmark.run javaUtil big N/A encode avgt 16 6204528.259 ± 221575.512 ns/op | |
29 | Base64Benchmark.run javaUtil big N/A decode avgt 16 5536117.686 ± 50116.580 ns/op | |
30 | Base64Benchmark.run commonsCodec small N/A encode avgt 16 6073.407 ± 105.387 ns/op | |
31 | Base64Benchmark.run commonsCodec small N/A decode avgt 16 5925.544 ± 112.251 ns/op | |
32 | Base64Benchmark.run commonsCodec medium N/A encode avgt 16 65550.077 ± 5236.951 ns/op | |
33 | Base64Benchmark.run commonsCodec medium N/A decode avgt 16 63468.417 ± 2391.871 ns/op | |
34 | Base64Benchmark.run commonsCodec big N/A encode avgt 16 35735178.209 ± 747201.282 ns/op | |
35 | Base64Benchmark.run commonsCodec big N/A decode avgt 16 26102838.095 ± 1158179.239 ns/op | |
36 | Base64Benchmark.run migBase small N/A encode avgt 16 92.392 ± 1.986 ns/op | |
37 | Base64Benchmark.run migBase small N/A decode avgt 16 98.270 ± 4.536 ns/op | |
38 | Base64Benchmark.run migBase medium N/A encode avgt 16 21395.915 ± 1590.397 ns/op | |
39 | Base64Benchmark.run migBase medium N/A decode avgt 16 21835.719 ± 421.423 ns/op | |
40 | Base64Benchmark.run migBase big N/A encode avgt 16 9712102.955 ± 26042.252 ns/op | |
41 | Base64Benchmark.run migBase big N/A decode avgt 16 7459294.378 ± 450290.060 ns/op |
0 | # JMH version: 1.21 | |
1 | # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8 | |
2 | # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java | |
3 | # VM options: -Xmx2048m -Xss4m | |
4 | # Warmup: 5 iterations, 10 s each | |
5 | # Measurement: 16 iterations, 10 s each | |
6 | # Timeout: 10 min per iteration | |
7 | # Threads: 4 threads, will synchronize iterations | |
8 | # Benchmark mode: Average time, time/op | |
9 | # Benchmark: com.thoughtworks.xstream.benchmark.jmh.ConverterTypeBenchmark | |
10 | ||
0 | 11 | Benchmark Mode Cnt Score Error Units |
1 | ConverterTypeBenchmark.custom avgt 16 9324531.713 ± 12182.415 ns/op | |
2 | ConverterTypeBenchmark.javaBean avgt 16 19658157.449 ± 84554.958 ns/op | |
3 | ConverterTypeBenchmark.reflection avgt 16 20859870.075 ± 2470686.138 ns/op | |
12 | ConverterTypeBenchmark.custom avgt 16 9666231.183 ± 653048.972 ns/op | |
13 | ConverterTypeBenchmark.javaBean avgt 16 18907234.350 ± 361662.695 ns/op | |
14 | ConverterTypeBenchmark.reflection avgt 16 20777749.230 ± 1970979.445 ns/op |
0 | # JMH version: 1.21 | |
1 | # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8 | |
2 | # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java | |
3 | # VM options: -Xmx2048m -Xss4m | |
4 | # Warmup: 5 iterations, 10 s each | |
5 | # Measurement: 25 iterations, 10 s each | |
6 | # Timeout: 10 min per iteration | |
7 | # Threads: 4 threads, will synchronize iterations | |
8 | # Benchmark mode: Average time, time/op | |
9 | # Benchmark: com.thoughtworks.xstream.benchmark.jmh.NameCoderBenchmark | |
10 | ||
0 | 11 | Benchmark Mode Cnt Score Error Units |
1 | NameCoderBenchmark.cachedEscapedUnderscoreCoding avgt 25 4339193.305 ± 117708.908 ns/op | |
2 | NameCoderBenchmark.dollarCoding avgt 25 4570684.356 ± 169447.323 ns/op | |
3 | NameCoderBenchmark.escapedUnderscoreCoding avgt 25 6322642.927 ± 176678.518 ns/op | |
4 | NameCoderBenchmark.noCoding avgt 25 3917564.563 ± 150151.093 ns/op | |
5 | NameCoderBenchmark.xmlFriendlyCoding avgt 25 5102368.550 ± 129434.626 ns/op | |
12 | NameCoderBenchmark.cachedEscapedUnderscoreCoding avgt 25 4708590.172 ± 218745.678 ns/op | |
13 | NameCoderBenchmark.dollarCoding avgt 25 4843325.489 ± 291540.806 ns/op | |
14 | NameCoderBenchmark.escapedUnderscoreCoding avgt 25 6496347.261 ± 279498.799 ns/op | |
15 | NameCoderBenchmark.noCoding avgt 25 4212316.966 ± 243972.124 ns/op | |
16 | NameCoderBenchmark.xmlFriendlyCoding avgt 25 5122809.546 ± 219143.950 ns/op |
0 | # JMH version: 1.21 | |
1 | # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8 | |
2 | # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java | |
3 | # VM options: -Xmx2048m -Xss4m | |
4 | # Warmup: 5 iterations, 10 s each | |
5 | # Measurement: 15 iterations, 10 s each | |
6 | # Timeout: 10 min per iteration | |
7 | # Threads: 1 thread, will synchronize iterations | |
8 | # Benchmark mode: Average time, time/op | |
9 | # Benchmark: com.thoughtworks.xstream.benchmark.jmh.ParserBenchmark | |
10 | ||
0 | 11 | Benchmark (driverFactory) Mode Cnt Score Error Units |
1 | ParserBenchmark.parseBigText MXParser avgt 15 2131602.489 ± 25703.664 ns/op | |
2 | ParserBenchmark.parseBigText Xpp3 avgt 15 2084284.951 ± 14376.744 ns/op | |
3 | ParserBenchmark.parseBigText kXML2 avgt 15 3561706.234 ± 28443.949 ns/op | |
4 | ParserBenchmark.parseBigText JDKStax avgt 15 8450930.541 ± 114260.574 ns/op | |
5 | ParserBenchmark.parseBigText Woodstox avgt 15 1959085.951 ± 4958.052 ns/op | |
6 | ParserBenchmark.parseBigText BEAStax avgt 15 3182516.188 ± 38272.584 ns/op | |
7 | ParserBenchmark.parseBigText DOM avgt 15 10568442.558 ± 153957.726 ns/op | |
8 | ParserBenchmark.parseBigText DOM4J avgt 15 8543670.534 ± 35374.800 ns/op | |
9 | ParserBenchmark.parseBigText JDom avgt 15 6379300.940 ± 39285.532 ns/op | |
10 | ParserBenchmark.parseBigText JDom2 avgt 15 5929805.928 ± 118564.329 ns/op | |
11 | ParserBenchmark.parseBigText Xom avgt 15 7968868.873 ± 26730.256 ns/op | |
12 | ParserBenchmark.parseBigText Binary avgt 15 1065228.134 ± 5642.331 ns/op | |
13 | ParserBenchmark.parseBigText Jettison avgt 15 3682704.689 ± 56568.770 ns/op | |
14 | ParserBenchmark.parseManyChildren MXParser avgt 15 814691.675 ± 3495.652 ns/op | |
15 | ParserBenchmark.parseManyChildren Xpp3 avgt 15 754593.348 ± 16963.908 ns/op | |
16 | ParserBenchmark.parseManyChildren kXML2 avgt 15 855787.083 ± 2364.443 ns/op | |
17 | ParserBenchmark.parseManyChildren JDKStax avgt 15 885917.070 ± 27740.420 ns/op | |
18 | ParserBenchmark.parseManyChildren Woodstox avgt 15 630843.461 ± 16713.507 ns/op | |
19 | ParserBenchmark.parseManyChildren BEAStax avgt 15 667706.032 ± 11089.959 ns/op | |
20 | ParserBenchmark.parseManyChildren DOM avgt 15 59894584.643 ± 305491.167 ns/op | |
21 | ParserBenchmark.parseManyChildren DOM4J avgt 15 79125701.566 ± 1579465.065 ns/op | |
22 | ParserBenchmark.parseManyChildren JDom avgt 15 6887733.303 ± 102619.220 ns/op | |
23 | ParserBenchmark.parseManyChildren JDom2 avgt 15 9876176.832 ± 48837.176 ns/op | |
24 | ParserBenchmark.parseManyChildren Xom avgt 15 34141742.595 ± 475598.891 ns/op | |
25 | ParserBenchmark.parseManyChildren Binary avgt 15 405493.660 ± 4239.044 ns/op | |
26 | ParserBenchmark.parseManyChildren Jettison avgt 15 601803.834 ± 2160.122 ns/op | |
27 | ParserBenchmark.parseNestedElements MXParser avgt 15 13287597.794 ± 343543.709 ns/op | |
28 | ParserBenchmark.parseNestedElements Xpp3 avgt 15 13056389.184 ± 132562.496 ns/op | |
29 | ParserBenchmark.parseNestedElements kXML2 avgt 15 36819091.742 ± 300358.967 ns/op | |
30 | ParserBenchmark.parseNestedElements JDKStax avgt 15 868883.676 ± 15697.149 ns/op | |
31 | ParserBenchmark.parseNestedElements Woodstox avgt 15 835465.393 ± 19498.030 ns/op | |
32 | ParserBenchmark.parseNestedElements BEAStax avgt 15 603986.803 ± 2529.449 ns/op | |
33 | ParserBenchmark.parseNestedElements DOM avgt 15 5382390.375 ± 82043.169 ns/op | |
34 | ParserBenchmark.parseNestedElements DOM4J avgt 15 5372787.809 ± 127206.586 ns/op | |
35 | ParserBenchmark.parseNestedElements JDom avgt 15 13598531.633 ± 96889.652 ns/op | |
36 | ParserBenchmark.parseNestedElements JDom2 avgt 15 12503949.903 ± 502488.951 ns/op | |
37 | ParserBenchmark.parseNestedElements Xom avgt 15 5425911.128 ± 23777.824 ns/op | |
38 | ParserBenchmark.parseNestedElements Binary avgt 15 284620.649 ± 1734.011 ns/op | |
39 | ParserBenchmark.parseNestedElements Jettison avgt 15 678187.271 ± 19300.714 ns/op | |
12 | ParserBenchmark.parseBigText MXParser N/A avgt 15 2090782.658 ± 35357.342 ns/op | |
13 | ParserBenchmark.parseBigText Xpp3 N/A avgt 15 2112720.726 ± 16553.078 ns/op | |
14 | ParserBenchmark.parseBigText kXML2 N/A avgt 15 3524809.724 ± 19870.806 ns/op | |
15 | ParserBenchmark.parseBigText JDKStax N/A avgt 15 8377577.926 ± 106615.592 ns/op | |
16 | ParserBenchmark.parseBigText Woodstox N/A avgt 15 2048393.986 ± 17640.070 ns/op | |
17 | ParserBenchmark.parseBigText BEAStax N/A avgt 15 3229409.245 ± 10436.313 ns/op | |
18 | ParserBenchmark.parseBigText DOM N/A avgt 15 10553104.053 ± 149802.579 ns/op | |
19 | ParserBenchmark.parseBigText DOM4J N/A avgt 15 8344385.552 ± 43187.879 ns/op | |
20 | ParserBenchmark.parseBigText JDom N/A avgt 15 6347929.561 ± 15207.545 ns/op | |
21 | ParserBenchmark.parseBigText JDom2 N/A avgt 15 5843003.401 ± 81856.524 ns/op | |
22 | ParserBenchmark.parseBigText Xom N/A avgt 15 7986743.807 ± 76081.180 ns/op | |
23 | ParserBenchmark.parseBigText Binary N/A avgt 15 1111084.176 ± 25347.556 ns/op | |
24 | ParserBenchmark.parseBigText Jettison N/A avgt 15 3617569.912 ± 52394.798 ns/op | |
25 | ParserBenchmark.parseManyChildren MXParser N/A avgt 15 687905.727 ± 736.978 ns/op | |
26 | ParserBenchmark.parseManyChildren Xpp3 N/A avgt 15 701583.341 ± 8292.747 ns/op | |
27 | ParserBenchmark.parseManyChildren kXML2 N/A avgt 15 902275.516 ± 13722.210 ns/op | |
28 | ParserBenchmark.parseManyChildren JDKStax N/A avgt 15 700802.493 ± 1296.971 ns/op | |
29 | ParserBenchmark.parseManyChildren Woodstox N/A avgt 15 592419.675 ± 676.287 ns/op | |
30 | ParserBenchmark.parseManyChildren BEAStax N/A avgt 15 713536.588 ± 9727.196 ns/op | |
31 | ParserBenchmark.parseManyChildren DOM N/A avgt 15 58632015.971 ± 434065.687 ns/op | |
32 | ParserBenchmark.parseManyChildren DOM4J N/A avgt 15 78757514.580 ± 102828.225 ns/op | |
33 | ParserBenchmark.parseManyChildren JDom N/A avgt 15 7102275.757 ± 107146.438 ns/op | |
34 | ParserBenchmark.parseManyChildren JDom2 N/A avgt 15 9827411.961 ± 41027.737 ns/op | |
35 | ParserBenchmark.parseManyChildren Xom N/A avgt 15 33930673.083 ± 35947.337 ns/op | |
36 | ParserBenchmark.parseManyChildren Binary N/A avgt 15 402398.155 ± 6888.370 ns/op | |
37 | ParserBenchmark.parseManyChildren Jettison N/A avgt 15 670870.406 ± 3751.317 ns/op | |
38 | ParserBenchmark.parseNestedElements MXParser N/A avgt 15 12616894.304 ± 19439.058 ns/op | |
39 | ParserBenchmark.parseNestedElements Xpp3 N/A avgt 15 13007586.291 ± 205203.155 ns/op | |
40 | ParserBenchmark.parseNestedElements kXML2 N/A avgt 15 35970087.264 ± 28849.980 ns/op | |
41 | ParserBenchmark.parseNestedElements JDKStax N/A avgt 15 1074253.465 ± 11588.851 ns/op | |
42 | ParserBenchmark.parseNestedElements Woodstox N/A avgt 15 725660.904 ± 11268.905 ns/op | |
43 | ParserBenchmark.parseNestedElements BEAStax N/A avgt 15 648266.777 ± 2120.991 ns/op | |
44 | ParserBenchmark.parseNestedElements DOM N/A avgt 15 5321471.291 ± 2935.512 ns/op | |
45 | ParserBenchmark.parseNestedElements DOM4J N/A avgt 15 5711026.345 ± 145819.473 ns/op | |
46 | ParserBenchmark.parseNestedElements JDom N/A avgt 15 16861677.394 ± 219174.474 ns/op | |
47 | ParserBenchmark.parseNestedElements JDom2 N/A avgt 15 12085612.224 ± 31108.386 ns/op | |
48 | ParserBenchmark.parseNestedElements Xom N/A avgt 15 5788240.908 ± 100434.947 ns/op | |
49 | ParserBenchmark.parseNestedElements Binary N/A avgt 15 315810.980 ± 3522.052 ns/op | |
50 | ParserBenchmark.parseNestedElements Jettison N/A avgt 15 735876.170 ± 904.031 ns/op |
0 | # JMH version: 1.21 | |
1 | # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8 | |
2 | # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java | |
3 | # VM options: -Xmx2048m -Xss4m | |
4 | # Warmup: 5 iterations, 10 s each | |
5 | # Measurement: 16 iterations, 10 s each | |
6 | # Timeout: 10 min per iteration | |
7 | # Threads: 4 threads, will synchronize iterations | |
8 | # Benchmark mode: Average time, time/op | |
9 | # Benchmark: com.thoughtworks.xstream.benchmark.jmh.StringConverterBenchmark | |
10 | ||
0 | 11 | Benchmark Mode Cnt Score Error Units |
1 | StringConverterBenchmark.intern avgt 16 14262839.973 ± 1233510.125 ns/op | |
2 | StringConverterBenchmark.limitedConcurrentMap avgt 16 10538757.220 ± 20805.104 ns/op | |
3 | StringConverterBenchmark.limitedSynchronizedWeakCache avgt 16 11298773.753 ± 13335.307 ns/op | |
4 | StringConverterBenchmark.nonCaching avgt 16 9796296.611 ± 668511.980 ns/op | |
5 | StringConverterBenchmark.unlimitedConcurrentMap avgt 16 11252298.498 ± 215637.373 ns/op | |
6 | StringConverterBenchmark.unlimitedSynchronizedWeakCache avgt 16 11279714.685 ± 22069.538 ns/op | |
12 | StringConverterBenchmark.intern avgt 16 15280597.717 ± 1118791.550 ns/op | |
13 | StringConverterBenchmark.limitedConcurrentMap avgt 16 10812523.401 ± 713378.073 ns/op | |
14 | StringConverterBenchmark.limitedSynchronizedWeakCache avgt 16 11476639.041 ± 222922.084 ns/op | |
15 | StringConverterBenchmark.nonCaching avgt 16 11982049.168 ± 977812.020 ns/op | |
16 | StringConverterBenchmark.unlimitedConcurrentMap avgt 16 12196204.773 ± 1159163.270 ns/op | |
17 | StringConverterBenchmark.unlimitedSynchronizedWeakCache avgt 16 11346761.846 ± 220066.395 ns/op |