Import upstream version 1.4.19 Debian Janitor 1 year, 11 months ago
43 changed file(s) with 1180 addition(s) and 371 deletion(s).
99 *.txt text
1010 *.xml text
1111
12 *.cmd text eol=crlf
13 *.sh text eol=lf
14
1215 *.gif binary
1316 *.jpg binary
1417 *.png binary
77 ## Binaries
88 All binary artifacts are bundled in the -bin archive. It includes
99 the XStream jars and any other library used at build time, or
10 optional runtime extras. Xpp3 is recommend for use as it will
10 optional runtime extras. MXParser is recommend for use as it will
1111 greatly improve the performance of XStream.
1212
1313 ## Documentation
99
1010 All binary artifacts are bundled in the -bin archive. It includes
1111 the XStream jars and any other library used at build time, or
12 optional runtime extras. Xpp3 is recommend for use as it will
12 optional runtime extras. MXParser is recommend for use as it will
1313 greatly improve the performance of XStream.
1414
1515 --[ Documentation ]------------------------------------------
00 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
11 <!--
22 Copyright (C) 2006 Joe Walnes.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2019, 2020, 2021 XStream committers.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 XStream committers.
44 All rights reserved.
55
66 The software in this package is published under the terms of the BSD
1313 <groupId>com.thoughtworks.xstream</groupId>
1414 <artifactId>xstream-parent</artifactId>
1515 <packaging>pom</packaging>
16 <version>1.4.18</version>
16 <version>1.4.19</version>
1717 <name>XStream Parent</name>
1818 <url>http://x-stream.github.io</url>
1919 <description>
6868 </properties>
6969 </profile>
7070 <profile>
71 <id>jdk18-ge</id>
71 <id>jdk8-ge</id>
7272 <activation>
7373 <jdk>[1.8,)</jdk>
7474 </activation>
7878 </properties>
7979 </profile>
8080 <profile>
81 <id>jdk18</id>
81 <id>jdk8</id>
8282 <activation>
8383 <jdk>1.8</jdk>
8484 </activation>
8888 </properties>
8989 </profile>
9090 <profile>
91 <id>jdk16</id>
91 <id>jdk6</id>
9292 <activation>
9393 <jdk>1.6</jdk>
9494 </activation>
9898 </profile>
9999 <profile>
100100 <!-- build with Maven 3.2.5 !!! -->
101 <id>jdk16-ge</id>
101 <id>jdk6-ge</id>
102102 <activation>
103103 <jdk>[1.6,)</jdk>
104104 </activation>
110110 </profile>
111111 <profile>
112112 <!-- build with Maven 3.0.5 !!! -->
113 <id>jdk15</id>
113 <id>jdk5</id>
114114 <activation>
115115 <jdk>1.5</jdk>
116116 </activation>
121121 </profile>
122122 <profile>
123123 <!-- build with Maven 2.0.10 !!! -->
124 <id>jdk14</id>
124 <id>jdk4</id>
125125 <activation>
126126 <jdk>1.4</jdk>
127127 </activation>
409409 <dependency>
410410 <groupId>com.thoughtworks.xstream</groupId>
411411 <artifactId>xstream</artifactId>
412 <version>1.4.18</version>
412 <version>1.4.19</version>
413413 </dependency>
414414 <dependency>
415415 <groupId>com.thoughtworks.xstream</groupId>
416416 <artifactId>xstream</artifactId>
417 <version>1.4.18</version>
417 <version>1.4.19</version>
418418 <classifier>tests</classifier>
419419 <type>test-jar</type>
420420 <scope>test</scope>
422422 <dependency>
423423 <groupId>com.thoughtworks.xstream</groupId>
424424 <artifactId>xstream</artifactId>
425 <version>1.4.18</version>
425 <version>1.4.19</version>
426426 <classifier>javadoc</classifier>
427427 <scope>provided</scope>
428428 </dependency>
429429 <dependency>
430430 <groupId>com.thoughtworks.xstream</groupId>
431431 <artifactId>xstream-hibernate</artifactId>
432 <version>1.4.18</version>
432 <version>1.4.19</version>
433433 </dependency>
434434 <dependency>
435435 <groupId>com.thoughtworks.xstream</groupId>
436436 <artifactId>xstream-hibernate</artifactId>
437 <version>1.4.18</version>
437 <version>1.4.19</version>
438438 <classifier>javadoc</classifier>
439439 <scope>provided</scope>
440440 </dependency>
441441 <dependency>
442442 <groupId>com.thoughtworks.xstream</groupId>
443443 <artifactId>xstream-jmh</artifactId>
444 <version>1.4.18</version>
444 <version>1.4.19</version>
445445 </dependency>
446446 <dependency>
447447 <groupId>com.thoughtworks.xstream</groupId>
448448 <artifactId>xstream-jmh</artifactId>
449 <version>1.4.18</version>
449 <version>1.4.19</version>
450450 <classifier>javadoc</classifier>
451451 <scope>provided</scope>
452452 </dependency>
453453 <dependency>
454454 <groupId>com.thoughtworks.xstream</groupId>
455455 <artifactId>xstream-benchmark</artifactId>
456 <version>1.4.18</version>
456 <version>1.4.19</version>
457457 </dependency>
458458 <dependency>
459459 <groupId>com.thoughtworks.xstream</groupId>
460460 <artifactId>xstream-benchmark</artifactId>
461 <version>1.4.18</version>
461 <version>1.4.19</version>
462462 <classifier>javadoc</classifier>
463463 <scope>provided</scope>
464464 </dependency>
968968 <Bundle-Name>${project.name} Sources</Bundle-Name>
969969 <Bundle-SymbolicName>${project.artifactId}.sources</Bundle-SymbolicName>
970970 <Bundle-Vendor>${project.organization.name} Sources</Bundle-Vendor>
971 <Bundle-Version>${project.info.osgiVersion} Sources</Bundle-Version>
971 <Bundle-Version>${project.info.osgiVersion}</Bundle-Version>
972972 <Bundle-License>BSD-3-Clause</Bundle-License>
973973 <Eclipse-SourceBundle>${project.artifactId};version=${project.info.osgiVersion}</Eclipse-SourceBundle>
974974 <X-Compile-Source>${version.java.source}</X-Compile-Source>
00 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
11 <!--
22 Copyright (C) 2006 Joe Walnes.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 XStream committers.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 XStream committers.
44 All rights reserved.
55
66 The software in this package is published under the terms of the BSD
1313 <parent>
1414 <groupId>com.thoughtworks.xstream</groupId>
1515 <artifactId>xstream-parent</artifactId>
16 <version>1.4.18</version>
16 <version>1.4.19</version>
1717 </parent>
1818 <artifactId>xstream</artifactId>
1919 <packaging>jar</packaging>
258258
259259 <profiles>
260260 <profile>
261 <id>jdk17-ge</id>
262 <activation>
263 <jdk>[17,)</jdk>
264 </activation>
265 <properties>
266 <surefire.argline>--add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/java.time=ALL-UNNAMED --add-opens java.base/java.time.chrono=ALL-UNNAMED --add-opens java.base/java.lang.invoke=ALL-UNNAMED --add-opens java.base/java.lang.ref=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.base/javax.security.auth.x500=ALL-UNNAMED --add-opens java.base/sun.util.calendar=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.desktop/javax.swing=ALL-UNNAMED --add-opens java.desktop/javax.swing.border=ALL-UNNAMED --add-opens java.desktop/javax.swing.event=ALL-UNNAMED --add-opens java.desktop/javax.swing.table=ALL-UNNAMED --add-opens java.desktop/javax.swing.plaf.basic=ALL-UNNAMED --add-opens java.desktop/javax.swing.plaf.metal=ALL-UNNAMED --add-opens java.desktop/javax.imageio=ALL-UNNAMED --add-opens java.desktop/javax.imageio.spi=ALL-UNNAMED --add-opens java.desktop/sun.swing=ALL-UNNAMED --add-opens java.desktop/sun.swing.table=ALL-UNNAMED --add-opens java.xml/javax.xml.datatype=ALL-UNNAMED --add-opens java.xml/com.sun.xml.internal.stream=ALL-UNNAMED --add-opens java.xml/com.sun.org.apache.xerces.internal.parsers=ALL-UNNAMED --add-opens java.xml/com.sun.org.apache.xerces.internal.util=ALL-UNNAMED</surefire.argline>
267 </properties>
268 </profile>
269 <profile>
270 <id>jdk11-ge-jdk16</id>
271 <activation>
272 <jdk>[11,17)</jdk>
273 </activation>
274 <properties>
275 <surefire.argline>--illegal-access=${surefire.illegal.access}</surefire.argline>
276 </properties>
277 </profile>
278 <profile>
261279 <id>jdk11-ge</id>
262280 <activation>
263281 <jdk>[11,)</jdk>
277295 </plugin>
278296 </plugins>
279297 </build>
280 <properties>
281 <surefire.argline>--illegal-access=${surefire.illegal.access}</surefire.argline>
282 </properties>
283298 </profile>
284299 <profile>
285300 <id>jdk9-ge-jdk10</id>
291306 </properties>
292307 </profile>
293308 <profile>
294 <id>jdk18-ge</id>
309 <id>jdk8-ge</id>
295310 <activation>
296311 <jdk>[1.8,)</jdk>
297312 </activation>
330345 </configuration>
331346 <executions>
332347 <execution>
333 <id>compile-jdk15</id>
348 <id>compile-jdk5</id>
334349 <configuration>
335350 <source>${version.java.5}</source>
336351 <target>${version.java.5}</target>
350365 </goals>
351366 </execution>
352367 <execution>
353 <id>compile-jdk18</id>
368 <id>compile-jdk8</id>
354369 <configuration>
355370 <source>1.8</source>
356371 <target>1.8</target>
368383 </build>
369384 </profile>
370385 <profile>
371 <id>jdk18</id>
386 <id>jdk8</id>
372387 <activation>
373388 <jdk>1.8</jdk>
374389 </activation>
404419 </reporting>
405420 </profile>
406421 <profile>
407 <id>jdk17</id>
422 <id>jdk7</id>
408423 <activation>
409424 <jdk>1.7</jdk>
410425 </activation>
442457 </build>
443458 </profile>
444459 <profile>
445 <id>jdk16</id>
460 <id>jdk6</id>
446461 <activation>
447462 <jdk>1.6</jdk>
448463 </activation>
475490 </build>
476491 </profile>
477492 <profile>
478 <id>jdk15</id>
493 <id>jdk5</id>
479494 <activation>
480495 <jdk>1.5</jdk>
481496 </activation>
510525 </build>
511526 </profile>
512527 <profile>
513 <id>jdk16-ge</id>
528 <id>jdk6-ge</id>
514529 <activation>
515530 <jdk>[1.6,)</jdk>
516531 </activation>
550565 </build>
551566 </profile>
552567 <profile>
553 <id>jdk14</id>
568 <id>jdk4</id>
554569 <activation>
555570 <jdk>1.4</jdk>
556571 </activation>
00 /*
11 * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream Committers.
2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream Committers.
33 * All rights reserved.
44 *
55 * The software in this package is published under the terms of the BSD
150150 import com.thoughtworks.xstream.mapper.XStream11XmlFriendlyMapper;
151151 import com.thoughtworks.xstream.security.AnyTypePermission;
152152 import com.thoughtworks.xstream.security.ArrayTypePermission;
153 import com.thoughtworks.xstream.security.InputManipulationException;
153154 import com.thoughtworks.xstream.security.ExplicitTypePermission;
154155 import com.thoughtworks.xstream.security.InterfaceTypePermission;
155156 import com.thoughtworks.xstream.security.NoPermission;
294295
295296 // CAUTION: The sequence of the fields is intentional for an optimal XML output of a
296297 // self-serialization!
298 private int collectionUpdateLimit = 20;
299
297300 private ReflectionProvider reflectionProvider;
298301 private HierarchicalStreamDriver hierarchicalStreamDriver;
299302 private ClassLoaderReference classLoaderReference;
327330 public static final int PRIORITY_NORMAL = 0;
328331 public static final int PRIORITY_LOW = -10;
329332 public static final int PRIORITY_VERY_LOW = -20;
333
334 public static final String COLLECTION_UPDATE_LIMIT = "XStreamCollectionUpdateLimit";
335 public static final String COLLECTION_UPDATE_SECONDS = "XStreamCollectionUpdateSeconds";
330336
331337 private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
332338 private static final Pattern IGNORE_ALL = Pattern.compile(".*");
11821188 }
11831189
11841190 /**
1191 * Set time limit for adding elements to collections or maps.
1192 *
1193 * Manipulated content may be used to create recursive hash code calculations or sort operations. An
1194 * {@link InputManipulationException} is thrown, it the summed up time to add elements to collections or maps
1195 * exceeds the provided limit.
1196 *
1197 * Note, that the time to add an individual element is calculated in seconds, not milliseconds. However, attacks
1198 * typically use objects with exponential growing calculation times.
1199 *
1200 * @param maxSeconds limit in seconds or 0 to disable check
1201 * @since 1.4.19
1202 */
1203 public void setCollectionUpdateLimit(int maxSeconds) {
1204 collectionUpdateLimit = maxSeconds;
1205 }
1206
1207 /**
11851208 * Serialize an object to a pretty-printed XML String.
11861209 *
11871210 * @throws XStreamException if the object cannot be serialized
13871410 */
13881411 public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) {
13891412 try {
1413 if (collectionUpdateLimit >= 0) {
1414 if (dataHolder == null) {
1415 dataHolder = new MapBackedDataHolder();
1416 }
1417 dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
1418 dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
1419 }
13901420 return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
13911421 } catch (ConversionException e) {
13921422 Package pkg = getClass().getPackage();
20522082 * @see #createObjectInputStream(com.thoughtworks.xstream.io.HierarchicalStreamReader)
20532083 * @since 1.4.10
20542084 */
2055 public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, final DataHolder dataHolder)
2085 public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, DataHolder dataHolder)
20562086 throws IOException {
2087 if (collectionUpdateLimit >= 0) {
2088 if (dataHolder == null) {
2089 dataHolder = new MapBackedDataHolder();
2090 }
2091 dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
2092 dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
2093 }
2094 final DataHolder dh = dataHolder;
20572095 return new CustomObjectInputStream(new CustomObjectInputStream.StreamCallback() {
20582096 public Object readFromStream() throws EOFException {
20592097 if (!reader.hasMoreChildren()) {
20602098 throw new EOFException();
20612099 }
20622100 reader.moveDown();
2063 final Object result = unmarshal(reader, null, dataHolder);
2101 final Object result = unmarshal(reader, null, dh);
20642102 reader.moveUp();
20652103 return result;
20662104 }
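Review bot: The Javadoc on `setCollectionUpdateLimit` says 0 disables the check, but both guards in this section test `collectionUpdateLimit >= 0`, so a limit of 0 is still written into the data holder. Given the `seconds > limit.intValue()` comparison in the SecurityUtils section of this commit, a limit of 0 would then reject any insertion measured at one second or more instead of switching the check off. Either the guards should read `if (collectionUpdateLimit > 0) {` or the Javadoc should say `@param maxSeconds limit in seconds, a negative value disables the check`. It is also worth documenting that `unmarshal` resets `COLLECTION_UPDATE_SECONDS` to 0 on every call, so for the stream returned by `createObjectInputStream` the budget appears to apply per object read rather than to the stream as a whole. Both method bodies continue outside the visible lines.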
00 /*
11 * Copyright (C) 2003, 2004, 2005 Joe Walnes.
2 * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018 XStream Committers.
2 * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018, 2021 XStream Committers.
33 * All rights reserved.
44 *
55 * The software in this package is published under the terms of the BSD
1212
1313 import com.thoughtworks.xstream.converters.MarshallingContext;
1414 import com.thoughtworks.xstream.converters.UnmarshallingContext;
15 import com.thoughtworks.xstream.core.SecurityUtils;
1516 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
1617 import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
1718 import com.thoughtworks.xstream.mapper.Mapper;
9596 protected void addCurrentElementToCollection(HierarchicalStreamReader reader, UnmarshallingContext context,
9697 Collection collection, Collection target) {
9798 final Object item = readItem(reader, context, collection); // call readBareItem when deprecated method is removed
99
100 long now = System.currentTimeMillis();
98101 target.add(item);
102 SecurityUtils.checkForCollectionDoSAttack(context, now);
99103 }
100104
101105 protected Object createCollection(Class type) {
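Review bot: The timestamp taken before `target.add(item)` is named `now`, although it is the value that `SecurityUtils.checkForCollectionDoSAttack` receives as its `start` parameter; `final long start = System.currentTimeMillis();` would match the callee and the `final` locals used on the line above. A short comment would also help the next maintainer, for example `// time only the insertion: hashing or comparing crafted elements is the slow part`, since the measurement deliberately excludes `readItem`. The same three lines are repeated in the two map converter sections that follow (before `target.put(key, value)`), so the rename and comment apply there as well.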
00 /*
11 * Copyright (C) 2003, 2004, 2005 Joe Walnes.
2 * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018 XStream Committers.
2 * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018, 2021 XStream Committers.
33 * All rights reserved.
44 *
55 * The software in this package is published under the terms of the BSD
1212
1313 import com.thoughtworks.xstream.converters.MarshallingContext;
1414 import com.thoughtworks.xstream.converters.UnmarshallingContext;
15 import com.thoughtworks.xstream.core.SecurityUtils;
1516 import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
1617 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
1718 import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
103104 Map map, Map target) {
104105 final Object key = readCompleteItem(reader, context, map);
105106 final Object value = readCompleteItem(reader, context, map);
107
108 long now = System.currentTimeMillis();
106109 target.put(key, value);
110 SecurityUtils.checkForCollectionDoSAttack(context, now);
107111 }
108112
109113 protected Object createCollection(Class type) {
00 /*
1 * Copyright (C) 2013, 2016, 2018 XStream Committers.
1 * Copyright (C) 2013, 2016, 2018, 2021 XStream Committers.
22 * All rights reserved.
33 *
44 * The software in this package is published under the terms of the BSD
2020 import com.thoughtworks.xstream.converters.UnmarshallingContext;
2121 import com.thoughtworks.xstream.converters.collections.MapConverter;
2222 import com.thoughtworks.xstream.core.JVM;
23 import com.thoughtworks.xstream.core.SecurityUtils;
2324 import com.thoughtworks.xstream.core.util.HierarchicalStreams;
2425 import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
2526 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
338339 value = valueConverter.fromString(reader.getValue());
339340 }
340341
342 long now = System.currentTimeMillis();
341343 target.put(key, value);
344 SecurityUtils.checkForCollectionDoSAttack(context, now);
342345
343346 if (entryName != null) {
344347 reader.moveUp();
0 /*
1 * Copyright (C) 2021, 2022 XStream Committers.
2 * All rights reserved.
3 *
4 * The software in this package is published under the terms of the BSD
5 * style license a copy of which has been included with this distribution in
6 * the LICENSE.txt file.
7 *
8 * Created on 21. September 2021 by Joerg Schaible
9 */
10 package com.thoughtworks.xstream.core;
11
12 import com.thoughtworks.xstream.XStream;
13 import com.thoughtworks.xstream.converters.ConversionException;
14 import com.thoughtworks.xstream.converters.UnmarshallingContext;
15 import com.thoughtworks.xstream.security.InputManipulationException;
16
17
18 /**
19 * Utility functions for security issues.
20 *
21 * @author J&ouml;rg Schaible
22 * @since 1.4.19
23 */
24 public class SecurityUtils {
25
26 /**
27 * Check the consumed time adding elements to collections or maps.
28 *
29 * Every custom converter should call this method after an unmarshalled element has been added to a collection or
30 * map. In case of an attack the operation will take too long, because the calculation of the hash code or the
31 * comparison of the elements in the collection operate on recursive structures.
32 *
33 * @param context the unmarshalling context
34 * @param start the timestamp just before the element was added to the collection or map
35 * @since 1.4.19
36 */
37 public static void checkForCollectionDoSAttack(final UnmarshallingContext context, final long start) {
38 final int diff = (int)((System.currentTimeMillis() - start) / 1000);
39 if (diff > 0) {
40 final Integer secondsUsed = (Integer)context.get(XStream.COLLECTION_UPDATE_SECONDS);
41 if (secondsUsed != null) {
42 final Integer limit = (Integer)context.get(XStream.COLLECTION_UPDATE_LIMIT);
43 if (limit == null) {
44 throw new ConversionException("Missing limit for updating collections.");
45 }
46 final int seconds = secondsUsed.intValue() + diff;
47 if (seconds > limit.intValue()) {
48 throw new InputManipulationException(
49 "Denial of Service attack assumed. Adding elements to collections or maps exceeds " + limit.intValue() + " seconds.");
50 }
51 context.put(XStream.COLLECTION_UPDATE_SECONDS, new Integer(seconds));
52 }
53 }
54 }
55 }
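Review bot: In `checkForCollectionDoSAttack` the elapsed time is truncated to whole seconds per call by `(int)((System.currentTimeMillis() - start) / 1000)`, so insertions that each finish in under a second contribute nothing to `COLLECTION_UPDATE_SECONDS` however many of them there are. The setter's Javadoc mentions this as a known trade-off, but accumulating the raw milliseconds and comparing against `limit.intValue() * 1000L` would close the gap without changing the public limit unit. The method Javadoc should also state that the check is a no-op when `COLLECTION_UPDATE_SECONDS` is absent from the context, because that is the only way the visible code disables it. Since `currentTimeMillis()` is wall-clock time, a clock adjustment during unmarshalling can skew the measurement; a comment noting that would be enough if a monotonic source is not available on the oldest supported JDK.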
00 /*
11 * Copyright (C) 2004, 2005, 2006 Joe Walnes.
2 * Copyright (C) 2006, 2007, 2009, 2011 XStream Committers.
2 * Copyright (C) 2006, 2007, 2009, 2011, 2021 XStream Committers.
33 * All rights reserved.
44 *
55 * The software in this package is published under the terms of the BSD
2020 import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
2121 import com.thoughtworks.xstream.mapper.Mapper;
2222
23 import java.util.Collections;
2324 import java.util.Iterator;
2425
2526
8485 }
8586
8687 public Object get(Object key) {
87 lazilyCreateDataHolder();
88 return dataHolder.get(key);
88 return dataHolder != null ? dataHolder.get(key) : null;
8989 }
9090
9191 public void put(Object key, Object value) {
9494 }
9595
9696 public Iterator keys() {
97 lazilyCreateDataHolder();
98 return dataHolder.keys();
97 return dataHolder != null ? dataHolder.keys() : Collections.EMPTY_MAP.keySet().iterator();
9998 }
10099
101100 private void lazilyCreateDataHolder() {
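Review bot: In `keys()` the fallback `Collections.EMPTY_MAP.keySet().iterator()` takes a detour through a map to obtain an empty iterator; `Collections.EMPTY_LIST.iterator()` says the same thing more directly. The identical expression appears in the `keys()` method of the next file section. Since `get()` and `keys()` no longer create the data holder, a one-line comment such as `// read access must not allocate the data holder` would record why `lazilyCreateDataHolder()` was dropped from them.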
00 /*
11 * Copyright (C) 2004, 2005, 2006 Joe Walnes.
2 * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2018 XStream Committers.
2 * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2018, 2021 XStream Committers.
33 * All rights reserved.
44 *
55 * The software in this package is published under the terms of the BSD
1010 */
1111 package com.thoughtworks.xstream.core;
1212
13 import java.util.Collections;
1314 import java.util.Iterator;
1415
1516 import com.thoughtworks.xstream.converters.ConversionException;
2425 import com.thoughtworks.xstream.core.util.PrioritizedList;
2526 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
2627 import com.thoughtworks.xstream.mapper.Mapper;
28 import com.thoughtworks.xstream.security.AbstractSecurityException;
2729
2830
2931 public class TreeUnmarshaller implements UnmarshallingContext {
7274 } catch (final ConversionException conversionException) {
7375 addInformationTo(conversionException, type, converter, parent);
7476 throw conversionException;
77 } catch (AbstractSecurityException e) {
78 throw e;
7579 } catch (RuntimeException e) {
7680 ConversionException conversionException = new ConversionException(e);
7781 addInformationTo(conversionException, type, converter, parent);
107111 }
108112
109113 public Object get(Object key) {
110 lazilyCreateDataHolder();
111 return dataHolder.get(key);
114 return dataHolder != null ? dataHolder.get(key) : null;
112115 }
113116
114117 public void put(Object key, Object value) {
117120 }
118121
119122 public Iterator keys() {
120 lazilyCreateDataHolder();
121 return dataHolder.keys();
123 return dataHolder != null ? dataHolder.keys() : Collections.EMPTY_MAP.keySet().iterator();
122124 }
123125
124126 private void lazilyCreateDataHolder() {
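Review bot: The new `catch (AbstractSecurityException e) { throw e; }` clause has no comment, and a rethrow-only handler is easy to mistake for dead code and remove. Its purpose, as far as the visible lines show, is to stop the following `catch (RuntimeException e)` from wrapping security exceptions in a `ConversionException`. I would add `// security exceptions must reach the caller unwrapped` above the `throw e;`. The enclosing method starts and ends outside the visible lines.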
00 /*
11 * Copyright (C) 2004, 2005 Joe Walnes.
2 * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2014, 2015, 2016 XStream Committers.
2 * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2014, 2015, 2016, 2021 XStream Committers.
33 * All rights reserved.
44 *
55 * The software in this package is published under the terms of the BSD
154154 } catch (IllegalAccessException e) {
155155 ex = new ObjectAccessException("Cannot access method", e);
156156 } catch (InvocationTargetException e) {
157 Throwable cause = e.getTargetException();
158 if (cause instanceof ConversionException)
159 throw (ConversionException)cause;
157160 ex = new ConversionException("Failed calling method", e.getTargetException());
158161 }
159162 if (ex != null) {
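Review bot: Only `ConversionException` is passed through unwrapped here, while this commit declares `AbstractSecurityException` as a direct subclass of `XStreamException`. An `InputManipulationException` or `ForbiddenClassException` raised inside the reflectively invoked method would therefore still be wrapped as "Failed calling method" and reach callers as a `ConversionException`, if such methods can trigger those checks. Consider `if (cause instanceof ConversionException || cause instanceof AbstractSecurityException) { throw (RuntimeException)cause; }`, which needs the matching import. The new `cause` local is also not reused on the next line, which still calls `e.getTargetException()`, and the `if` has no braces, unlike the `if (ex != null) {` below it. The method starts and ends outside the visible lines.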
0 /*
1 * Copyright (C) 2021, 2022 XStream Committers.
2 * All rights reserved.
3 *
4 * Created on 21. September 2021 by Joerg Schaible
5 */
6 package com.thoughtworks.xstream.security;
7
8 import com.thoughtworks.xstream.XStreamException;
9
10
11 /**
12 * General base class for a Security Exception in XStream.
13 *
14 * @author J&ouml;rg Schaible
15 * @since 1.4.19
16 */
17 public abstract class AbstractSecurityException extends XStreamException {
18 private static final long serialVersionUID = 20210921L;
19
20 /**
21 * Constructs a SecurityException.
22 * @param message the exception message
23 * @since 1.4.19
24 */
25 public AbstractSecurityException(final String message) {
26 super(message);
27 }
28 }
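Review bot: The constructor Javadoc reads "Constructs a SecurityException.", which names a different type (`java.lang.SecurityException`) than the class it documents. It should read `Constructs an AbstractSecurityException.` here. The same sentence is copied into the `InputManipulationException` section of this commit, where it should name that class. Because the class is abstract, the class-level comment could also say which concrete subclasses callers are expected to catch.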
00 /*
1 * Copyright (C) 2014 XStream Committers.
1 * Copyright (C) 2014, 2021 XStream Committers.
22 * All rights reserved.
33 *
44 * Created on 08. January 2014 by Joerg Schaible
55 */
66 package com.thoughtworks.xstream.security;
7
8 import com.thoughtworks.xstream.XStreamException;
97
108 /**
119 * Exception thrown for a forbidden class.
1311 * @author J&ouml;rg Schaible
1412 * @since 1.4.7
1513 */
16 public class ForbiddenClassException extends XStreamException {
14 public class ForbiddenClassException extends AbstractSecurityException {
1715
1816 /**
1917 * Construct a ForbiddenClassException.
0 /*
1 * Copyright (C) 2021, 2022 XStream Committers.
2 * All rights reserved.
3 *
4 * Created on 21. September 2021 by Joerg Schaible
5 */
6 package com.thoughtworks.xstream.security;
7
8
9 /**
10 * Class for a Security Exception assuming input manipulation in XStream.
11 *
12 * @author J&ouml;rg Schaible
13 * @since 1.4.19
14 */
15 public class InputManipulationException extends AbstractSecurityException {
16 private static final long serialVersionUID = 20210921L;
17
18 /**
19 * Constructs a SecurityException.
20 * @param message the exception message
21 * @since 1.4.19
22 */
23 public InputManipulationException(final String message) {
24 super(message);
25 }
26 }
00 /*
11 * Copyright (C) 2005 Joe Walnes.
2 * Copyright (C) 2006, 2007, 2010, 2012, 2013, 2014, 2017 XStream Committers.
2 * Copyright (C) 2006, 2007, 2010, 2012, 2013, 2014, 2017, 2021 XStream Committers.
33 * All rights reserved.
44 *
55 * The software in this package is published under the terms of the BSD
334334 xstream.fromXML(actualXml.replaceAll("foobar", "unknown"));
335335 fail("Thrown " + ConversionException.class.getName() + " expected");
336336 } catch (final ConversionException e) {
337 String message = e.getMessage();
338 assertTrue(message,
339 e.getMessage().substring(0, message.indexOf('\n')).endsWith(
340 DerivedThing.class.getName() + ".unknown"));
337 final String message = e.getMessage();
338 assertTrue(message, e.getMessage().substring(0, message.indexOf('\n')).endsWith(DerivedThing.class.getName()
339 + ".unknown"));
341340 }
342341 }
343342
402401 assertEquals("c", out.neverIgnore);
403402 assertNull(out.sometimesIgnore);
404403 }
404
405 public static class Member {
406 public String name;
407 }
408
409 public static class Parent {
410 public Member member;
411 }
412
413 public static class Child extends Parent {
414 public Member member;
415
416 public void setHidden(final Member member) {
417 super.member = member;
418 }
419
420 public Member getHidden() {
421 return super.member;
422 }
423 }
424
425 public void testIgnoredHiddenElementsAreNotReferenced() {
426 final Member member = new Member();
427 member.name = "junit";
428 final Child child = new Child();
429 child.setHidden(child.member = member);
430
431 xstream.alias("child", Child.class);
432 xstream.omitField(Child.class, "member");
433
434 final String expectedXml = ""
435 + "<child>\n"
436 + " <member>\n"
437 + " <name>junit</name>\n"
438 + " </member>\n"
439 + "</child>";
440
441 final String actualXml = xstream.toXML(child);
442 assertEquals(expectedXml, actualXml);
443
444 final Child out = (Child)xstream.fromXML(expectedXml);
445 assertNull(out.member);
446 assertEquals("junit", out.getHidden().name);
447 }
448
449 public static class Wrapper {
450 public Member member;
451 public Parent parent;
452 }
453
454 public void testIgnoredElementsAreNotReferenced() {
455 final Member member = new Member();
456 member.name = "junit";
457 final Parent parent = new Parent();
458 final Wrapper wrapper = new Wrapper();
459 parent.member = wrapper.member = member;
460 wrapper.parent = parent;
461
462 xstream.alias("wrapper", Wrapper.class);
463 xstream.omitField(Wrapper.class, "member");
464
465 final String expectedXml = ""
466 + "<wrapper>\n"
467 + " <parent>\n"
468 + " <member>\n"
469 + " <name>junit</name>\n"
470 + " </member>\n"
471 + " </parent>\n"
472 + "</wrapper>";
473
474 final String actualXml = xstream.toXML(wrapper);
475 assertEquals(expectedXml, actualXml);
476
477 final Wrapper out = (Wrapper)xstream.fromXML(expectedXml);
478 assertNull(out.member);
479 assertEquals("junit", out.parent.member.name);
480 }
481
482 public void testReferencedElementsCanBeOmitted() {
483 final Member member = new Member();
484 member.name = "junit";
485 final Wrapper wrapper = new Wrapper();
486 wrapper.member = member;
487
488 xstream.alias("wrapper", Wrapper.class);
489 xstream.omitField(Wrapper.class, "member2");
490
491 final String expectedXml = ""
492 + "<wrapper>\n"
493 + " <member>\n"
494 + " <name>junit</name>\n"
495 + " </member>\n"
496 + " <member2 reference=\"../member\"/>\n"
497 + "</wrapper>";
498
499 final Wrapper out = (Wrapper)xstream.fromXML(expectedXml);
500 assertEquals("junit", out.member.name);
501 }
502
503 public void testReferencedElementsCanBeIgnored() {
504 final Member member = new Member();
505 member.name = "junit";
506 final Wrapper wrapper = new Wrapper();
507 wrapper.member = member;
508
509 xstream.alias("wrapper", Wrapper.class);
510 xstream.ignoreUnknownElements();
511
512 final String expectedXml = ""
513 + "<wrapper>\n"
514 + " <member>\n"
515 + " <name>junit</name>\n"
516 + " </member>\n"
517 + " <member2 reference=\"../member\"/>\n"
518 + "</wrapper>";
519
520 final Wrapper out = (Wrapper)xstream.fromXML(expectedXml);
521 assertEquals("junit", out.member.name);
522 }
405523 }
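Review bot: `testReferencedElementsCanBeOmitted` and `testReferencedElementsCanBeIgnored` each build a `member` and a `wrapper` that are never used afterwards; only `xstream.fromXML(expectedXml)` is exercised. The string named `expectedXml` is the input in these two tests, not an expectation, so `xml` would be a clearer name and the unused locals can go. A one-line comment on each test stating what the `reference="../member"` element is meant to prove would make the intent visible without reading the fix.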
1616 import java.io.IOException;
1717 import java.io.InputStream;
1818 import java.io.OutputStream;
19 import java.util.HashMap;
20 import java.util.HashSet;
21 import java.util.Hashtable;
1922 import java.util.Iterator;
20
21 import com.thoughtworks.xstream.XStreamException;
23 import java.util.LinkedHashMap;
24 import java.util.LinkedHashSet;
25 import java.util.Map;
26 import java.util.Set;
27
2228 import com.thoughtworks.xstream.converters.ConversionException;
2329 import com.thoughtworks.xstream.core.JVM;
2430 import com.thoughtworks.xstream.security.AnyTypePermission;
2531 import com.thoughtworks.xstream.security.ForbiddenClassException;
32 import com.thoughtworks.xstream.security.InputManipulationException;
2633 import com.thoughtworks.xstream.security.ProxyTypePermission;
2734
2835
5562
5663 try {
5764 xstream.fromXML(xml);
58 fail("Thrown " + XStreamException.class.getName() + " expected");
59 } catch (final XStreamException e) {
60 assertTrue(e.getMessage().indexOf(EventHandler.class.getName()) > 0);
65 fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
66 } catch (final ForbiddenClassException e) {
67 // OK
6168 }
6269 assertEquals(0, BUFFER.length());
6370 }
125132 public void testInstanceOfVoid() {
126133 try {
127134 xstream.fromXML("<void/>");
128 fail("Thrown " + ConversionException.class.getName() + " expected");
135 fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
129136 } catch (final ForbiddenClassException e) {
130137 // OK
131138 }
162169 xstream.aliasType("is", InputStream.class);
163170 try {
164171 xstream.fromXML(xml);
165 fail("Thrown " + ConversionException.class.getName() + " expected");
172 fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
166173 } catch (final ForbiddenClassException e) {
167174 // OK
168175 }
260267 assertEquals("ArrayIndexOutOfBoundsException expected reading invalid stream", 5, i);
261268 }
262269 }
270
271 public void testDoSAttackWithHashSet() {
272 final Set set = new HashSet();
273 Set s1 = set;
274 Set s2 = new HashSet();
275 for (int i = 0; i < 30; i++) {
276 final Set t1 = new HashSet();
277 final Set t2 = new HashSet();
278 t1.add("a");
279 t2.add("b");
280 s1.add(t1);
281 s1.add(t2);
282 s2.add(t2);
283 s2.add(t1);
284 s1 = t1;
285 s2 = t2;
286 }
287
288 xstream.setCollectionUpdateLimit(5);
289 final String xml = xstream.toXML(set);
290 try {
291
292 xstream.fromXML(xml);
293 fail("Thrown " + InputManipulationException.class.getName() + " expected");
294 } catch (final InputManipulationException e) {
295 assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
296 }
297 }
298
299 public void testDoSAttackWithLinkedHashSet() {
300 final Set set = new LinkedHashSet();
301 Set s1 = set;
302 Set s2 = new LinkedHashSet();
303 for (int i = 0; i < 30; i++) {
304 final Set t1 = new LinkedHashSet();
305 final Set t2 = new LinkedHashSet();
306 t1.add("a");
307 t2.add("b");
308 s1.add(t1);
309 s1.add(t2);
310 s2.add(t2);
311 s2.add(t1);
312 s1 = t1;
313 s2 = t2;
314 }
315
316 xstream.setCollectionUpdateLimit(5);
317 final String xml = xstream.toXML(set);
318 try {
319 xstream.fromXML(xml);
320 fail("Thrown " + InputManipulationException.class.getName() + " expected");
321 } catch (final InputManipulationException e) {
322 assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
323 }
324 }
325
326 public void testDoSAttackWithHashMap() {
327 final Map map = new HashMap();
328 Map m1 = map;
329 Map m2 = new HashMap();
330 for (int i = 0; i < 25; i++) {
331 final Map t1 = new HashMap();
332 final Map t2 = new HashMap();
333 t1.put("a", "b");
334 t2.put("c", "d");
335 m1.put(t1, t2);
336 m1.put(t2, t1);
337 m2.put(t2, t1);
338 m2.put(t1, t2);
339 m1 = t1;
340 m2 = t2;
341 }
342 xstream.setCollectionUpdateLimit(5);
343
344 final String xml = xstream.toXML(map);
345 try {
346 xstream.fromXML(xml);
347 fail("Thrown " + InputManipulationException.class.getName() + " expected");
348 } catch (InputManipulationException e) {
349 assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
350 }
351 }
352
353 public void testDoSAttackWithLinkedHashMap() {
354 final Map map = new LinkedHashMap();
355 Map m1 = map;
356 Map m2 = new LinkedHashMap();
357 for (int i = 0; i < 25; i++) {
358 final Map t1 = new LinkedHashMap();
359 final Map t2 = new LinkedHashMap();
360 t1.put("a", "b");
361 t2.put("c", "d");
362 m1.put(t1, t2);
363 m1.put(t2, t1);
364 m2.put(t2, t1);
365 m2.put(t1, t2);
366 m1 = t1;
367 m2 = t2;
368 }
369
370 xstream.setCollectionUpdateLimit(5);
371 final String xml = xstream.toXML(map);
372 try {
373 xstream.fromXML(xml);
374 fail("Thrown " + InputManipulationException.class.getName() + " expected");
375 } catch (final InputManipulationException e) {
376 assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
377 }
378 }
379
380 public void testDoSAttackWithHashtable() {
381 final Map map = new Hashtable();
382 Map m1 = map;
383 Map m2 = new Hashtable();
384 for (int i = 0; i < 100; i++) {
385 final Map t1 = new Hashtable();
386 final Map t2 = new Hashtable();
387 t1.put("a", "b");
388 t2.put("c", "d");
389 m1.put(t1, t2);
390 m1.put(t2, t1);
391 m2.put(t2, t1);
392 m2.put(t1, t2);
393 m1 = t1;
394 m2 = t2;
395 }
396
397 xstream.setCollectionUpdateLimit(5);
398 final String xml = xstream.toXML(map);
399 try {
400 xstream.fromXML(xml);
401 fail("Thrown " + InputManipulationException.class.getName() + " expected");
402 } catch (final InputManipulationException e) {
403 assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
404 }
405 }
263406 }
00 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
11 <!--
22 Copyright (C) 2006 Joe Walnes.
3 Copyright (C) 2006, 2007, 2009, 2011, 2012, 2013, 2017 XStream committers.
3 Copyright (C) 2006, 2007, 2009, 2011, 2012, 2013, 2017, 2022 XStream committers.
44 All rights reserved.
55
66 The software in this package is published under the terms of the BSD
1313 <parent>
1414 <groupId>com.thoughtworks.xstream</groupId>
1515 <artifactId>xstream-parent</artifactId>
16 <version>1.4.18</version>
16 <version>1.4.19</version>
1717 </parent>
1818 <artifactId>xstream-benchmark</artifactId>
1919 <packaging>jar</packaging>
2222
2323 <profiles>
2424 <profile>
25 <id>jdk18</id>
25 <id>jdk8</id>
2626 <activation>
2727 <jdk>1.8</jdk>
2828 </activation>
5757 </reporting>
5858 </profile>
5959 <profile>
60 <id>jdk16-ge</id>
60 <id>jdk6-ge</id>
6161 <activation>
6262 <jdk>[1.6,)</jdk>
6363 </activation>
00 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
11 <!--
22 Copyright (C) 2006 Joe Walnes.
3 Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2015, 2016 XStream committers.
3 Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2015, 2016, 2022 XStream committers.
44 All rights reserved.
55
66 The software in this package is published under the terms of the BSD
1313 <parent>
1414 <groupId>com.thoughtworks.xstream</groupId>
1515 <artifactId>xstream-parent</artifactId>
16 <version>1.4.18</version>
16 <version>1.4.19</version>
1717 </parent>
1818 <artifactId>xstream-distribution</artifactId>
1919 <packaging>pom</packaging>
4747
4848 <profiles>
4949 <profile>
50 <id>jdk18</id>
50 <id>jdk8</id>
5151 <activation>
5252 <jdk>1.8</jdk>
5353 </activation>
142142 supported by Zhihong Tian and Hui Lu, both from Guangzhou University.</p>
143143
144144 </body>
145 </html>
145 </html>
237237
238238 <h2 id="credits">Credits</h2>
239239
240 <p>wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.</p>
240 <p>wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the
241 required information to reproduce it.</p>
241242
242243 </body>
243244 </html>
127127
128128 <h2 id="credits">Credits</h2>
129129
130 <p>wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.</p>
130 <p>wh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the
131 required information to reproduce it.</p>
131132
132133 </body>
133134 </html>
0 <html>
1 <!--
2 Copyright (C) 2021 XStream committers.
3 All rights reserved.
4
5 The software in this package is published under the terms of the BSD
6 style license a copy of which has been included with this distribution in
7 the LICENSE.txt file.
8
9 Created on 23. December 2021 by Joerg Schaible
10 -->
11 <head>
12 <title>CVE-2021-43859</title>
13 </head>
14 <body>
15
16 <h2 id="vulnerability">Vulnerability</h2>
17
18 <p>CVE-2021-43859: XStream can cause a Denial of Service by injecting highly recursive collections or maps.</p>
19
20 <h2 id="affected_versions">Affected Versions</h2>
21
22 <p>All versions until and including version 1.4.18 are affected.</p>
23
24 <h2 id="description">Description</h2>
25
26 <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
27 XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
28 input stream and replace or inject objects, that result in exponential recursively hashcode calculation, causing a denial
29 of service.</p>
30
31 <h2 id="reproduction">Steps to Reproduce</h2>
32
33 <p>The attack uses the hashcode implementation of collection types in the Java runtime. Following types are affected with
34 lastest Java versions available in December 2021:</p>
35 <ul>
36 <li>java.util.HashMap</li>
37 <li>java.util.HashSet</li>
38 <li>java.util.Hashtable</li>
39 <li>java.util.LinkedHashMap</li>
40 <li>java.util.LinkedHashSet</li>
41 <li>java.util.Stack (older Java revisions only)</li>
42 <li>java.util.Vector (older Java revisions only)</li>
43 <li>Other third party collection implementations that use their element's hash code may also be affected</li>
44 </ul>
45 <p>Create a simple HashSet and use XStream to marshal it to XML. Replace the XML with following snippet, increase the
46 depth of the structure and unmarshal it with XStream:</p>
47 <div class="Source XML"><pre>&lt;set&gt;
48 &lt;set&gt;
49 &lt;string&gt;a&lt;/string&gt;
50 &lt;set&gt;
51 &lt;string&gt;a&lt;/string&gt;
52 &lt;set&gt;
53 &lt;string&gt;a&lt;/string&gt;
54 &lt;/set&gt;
55 &lt;set&gt;
56 &lt;string&gt;b&lt;/string&gt;
57 &lt;/set&gt;
58 &lt;/set&gt;
59 &lt;set&gt;
60 &lt;set reference=&quot;../../set/set&quot;/&gt;
61 &lt;string&gt;b&lt;/string&gt;
62 &lt;set reference=&quot;../../set/set[2]&quot;/&gt;
63 &lt;/set&gt;
64 &lt;/set&gt;
65 &lt;set&gt;
66 &lt;set reference=&quot;../../set/set&quot;/&gt;
67 &lt;string&gt;b&lt;/string&gt;
68 &lt;set reference=&quot;../../set/set[2]&quot;/&gt;
69 &lt;/set&gt;
70 &lt;/set&gt;
71 </pre></div>
72 <div class="Source Java"><pre>XStream xstream = new XStream();
73 xstream.fromXML(xml);
74 </pre></div>
75 <p>Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following snippet, increase the
76 depth of the structure and unmarshal it with XStream:</p>
77 <div class="Source XML"><pre>&lt;map&gt;
78 &lt;entry&gt;
79 &lt;map&gt;
80 &lt;entry&gt;
81 &lt;string&gt;a&lt;/string&gt;
82 &lt;string&gt;b&lt;/string&gt;
83 &lt;/entry&gt;
84 &lt;entry&gt;
85 &lt;map&gt;
86 &lt;entry&gt;
87 &lt;string&gt;a&lt;/string&gt;
88 &lt;string&gt;b&lt;/string&gt;
89 &lt;/entry&gt;
90 &lt;entry&gt;
91 &lt;map&gt;
92 &lt;entry&gt;
93 &lt;string&gt;a&lt;/string&gt;
94 &lt;string&gt;b&lt;/string&gt;
95 &lt;/entry&gt;
96 &lt;/map&gt;
97 &lt;map&gt;
98 &lt;entry&gt;
99 &lt;string&gt;c&lt;/string&gt;
100 &lt;string&gt;d&lt;/string&gt;
101 &lt;/entry&gt;
102 &lt;/map&gt;
103 &lt;/entry&gt;
104 &lt;entry&gt;
105 &lt;map reference=&quot;../../entry[2]/map[2]&quot;/&gt;
106 &lt;map reference=&quot;../../entry[2]/map&quot;/&gt;
107 &lt;/entry&gt;
108 &lt;/map&gt;
109 &lt;map&gt;
110 &lt;entry&gt;
111 &lt;string&gt;c&lt;/string&gt;
112 &lt;string&gt;d&lt;/string&gt;
113 &lt;/entry&gt;
114 &lt;entry&gt;
115 &lt;map reference=&quot;../../../entry[2]/map&quot;/&gt;
116 &lt;map reference=&quot;../../../entry[2]/map[2]&quot;/&gt;
117 &lt;/entry&gt;
118 &lt;entry&gt;
119 &lt;map reference=&quot;../../../entry[2]/map[2]&quot;/&gt;
120 &lt;map reference=&quot;../../../entry[2]/map&quot;/&gt;
121 &lt;/entry&gt;
122 &lt;/map&gt;
123 &lt;/entry&gt;
124 &lt;entry&gt;
125 &lt;map reference=&quot;../../entry[2]/map[2]&quot;/&gt;
126 &lt;map reference=&quot;../../entry[2]/map&quot;/&gt;
127 &lt;/entry&gt;
128 &lt;/map&gt;
129 &lt;map&gt;
130 &lt;entry&gt;
131 &lt;string&gt;c&lt;/string&gt;
132 &lt;string&gt;d&lt;/string&gt;
133 &lt;/entry&gt;
134 &lt;entry&gt;
135 &lt;map reference=&quot;../../../entry[2]/map&quot;/&gt;
136 &lt;map reference=&quot;../../../entry[2]/map[2]&quot;/&gt;
137 &lt;/entry&gt;
138 &lt;entry&gt;
139 &lt;map reference=&quot;../../../entry[2]/map[2]&quot;/&gt;
140 &lt;map reference=&quot;../../../entry[2]/map&quot;/&gt;
141 &lt;/entry&gt;
142 &lt;/map&gt;
143 &lt;/entry&gt;
144 &lt;entry&gt;
145 &lt;map reference=&quot;../../entry[2]/map[2]&quot;/&gt;
146 &lt;map reference=&quot;../../entry[2]/map&quot;/&gt;
147 &lt;/entry&gt;
148 &lt;/map&gt;
149 </pre></div>
150 <div class="Source Java"><pre>XStream xstream = new XStream();
151 xstream.fromXML(xml);
152 </pre></div>
153
154 <p>As soon as the XML is unmarshalled, the hash codes of the elements are calculated and the calculation time increases
155 exponentially due to the highly recursive structure.</p>
156
157 <p>Note, this example uses XML, but the attack can be performed for any supported format, that supports references, i.e.
158 JSON is not affected.</p>
159
160 <h2 id="impact">Impact</h2>
161
162 <p>The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU
163 type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed
164 input stream.</p>
165
166 <h2 id="workarounds">Workarounds</h2>
167
168 <p>If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:</p>
169
170 <div class="Source Java"><pre>XStream xstream = new XStream();
171 xstream.setMode(XStream.NO_REFERENCES);
172 </pre></div>
173
174 <p>If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you
175 can use the security framework to deny the usage of these types:</p>
176
177 <div class="Source Java"><pre>XStream xstream = new XStream();
178 xstream.denyTypes(new Class[]{
179 java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class
180 });
181 </pre></div>
182
183 <p>Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default
184 map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:</p>
185
186 <div class="Source Java"><pre>xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
187 xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);
188 </pre></div>
189
190 <p>However, this implies that your application does not care about the implementation of the map and all elements are comparable.</p>
191
192 <h2 id="credits">Credits</h2>
193
194 <p>r00t4dm at Cloud-Penetrating Arrow Lab found and reported the issue to XStream and provided the required information to
195 reproduce it.</p>
196
197 </body>
198 </html>
00 <html>
11 <!--
2 Copyright (C) 2015, 2016, 2017, 2018, 2020, 2021 XStream committers.
2 Copyright (C) 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream committers.
33 All rights reserved.
44
55 The software in this package is published under the terms of the BSD
3232
3333 <p>All benchmark values below measure the average throughput in nanosecond per operation. JMH provides additional
3434 measurement options, see online help. The maximum deviation for each benchmark is recorded in the reference files of the
35 distributed ZIP file. The benchmark is executed on Linux 5.4.48 Gentoo 64-bit system with an Intel Core i7 CPU 920 of 2.67
36 GHz using OpenJDK 11.0.8. Note again, that these values are no replacement for real profiler results and they may vary
35 distributed ZIP file. The benchmark is executed on Linux 5.15.11 Gentoo 64-bit system with an Intel Core i7 CPU 920 of 2.67
36 GHz using OpenJDK 11.0.13. Note again, that these values are no replacement for real profiler results and they may vary
3737 from run to run (see reference files) due to this machine's background processes. However, it can give you some idea of
3838 what you can expect using different parser technologies.</p>
3939
5050 <th>Nested</th>
5151 </tr>
5252 <tr>
53 <th>W3C DOM (Open JDK 11.0.8)</th>
54 <td>10568442.558</td>
55 <td>59894584.643</td>
56 <td>5382390.375</td>
53 <th>W3C DOM (Open JDK 11.0.13)</th>
54 <td>10553104.053</td>
55 <td>58632015.971</td>
56 <td>5321471.291</td>
5757 </tr>
5858 <tr>
5959 <th>JDOM (1.1.3)</th>
60 <td>6379300.940</td>
61 <td>6887733.303</td>
62 <td>13598531.633</td>
60 <td>6347929.561</td>
61 <td>7102275.757</td>
62 <td>16861677.394</td>
6363 </tr>
6464 <tr>
6565 <th>JDOM 2 (2.0.5)</th>
66 <td>5929805.928</td>
67 <td>9876176.832</td>
68 <td>12503949.903</td>
66 <td>5843003.401</td>
67 <td>9827411.961</td>
68 <td>12085612.224</td>
6969 </tr>
7070 <tr>
7171 <th>DOM4J (1.6.1)</th>
72 <td>8543670.534</td>
73 <td>79125701.566</td>
74 <td>5372787.809</td>
72 <td>8344385.552</td>
73 <td>78757514.580</td>
74 <td>5711026.345</td>
7575 </tr>
7676 <tr>
7777 <th>XOM (1.1)</th>
78 <td>7968868.873</td>
79 <td>34141742.595</td>
80 <td>5425911.128</td>
78 <td>7986743.807</td>
79 <td>33930673.083</td>
80 <td>5788240.908</td>
8181 </tr>
8282 <tr>
8383 <th>StAX (BEA 1.2.0)</th>
84 <td>3182516.188</td>
85 <td>667706.032</td>
86 <td>603986.803</td>
84 <td>3229409.245</td>
85 <td>713536.588</td>
86 <td>648266.777</td>
8787 </tr>
8888 <tr>
8989 <th>StAX (Woodstox 3.2.7)</th>
90 <td>1959085.951</td>
91 <td>630843.461</td>
92 <td>835465.393</td>
93 </tr>
94 <tr>
95 <th>StAX (Open JDK 11.0.8)</th>
96 <td>8450930.541</td>
97 <td>885917.070</td>
98 <td>868883.676</td>
99 </tr>
100 <tr>
101 <th>XPP (MXParser 1.2.1)</th>
102 <td>2131602.489</td>
103 <td>814691.675</td>
104 <td>13287597.794</td>
90 <td>2048393.986</td>
91 <td>592419.675</td>
92 <td>725660.904</td>
93 </tr>
94 <tr>
95 <th>StAX (Open JDK 11.0.13)</th>
96 <td>8377577.926</td>
97 <td>700802.493</td>
98 <td>1074253.465</td>
99 </tr>
100 <tr>
101 <th>XPP (MXParser 1.2.2)</th>
102 <td>2090782.658</td>
103 <td>687905.727</td>
104 <td>12616894.304</td>
105105 </tr>
106106 <tr>
107107 <th>XPP (Xpp3 min 1.1.4c)</th>
108 <td>2084284.951</td>
109 <td>754593.348</td>
110 <td>13056389.184</td>
108 <td>2112720.726</td>
109 <td>701583.341</td>
110 <td>13007586.291</td>
111111 </tr>
112112 <tr>
113113 <th>XPP (kXML2 min 2.3.0)</th>
114 <td>3561706.234</td>
115 <td>855787.083</td>
116 <td>36819091.742</td>
114 <td>3524809.724</td>
115 <td>902275.516</td>
116 <td>35970087.264</td>
117117 </tr>
118118 <tr>
119119 <th>Binary (XStream 1.4.16)</th>
120 <td>1065228.134</td>
121 <td>405493.660</td>
122 <td>284620.649</td>
120 <td>1111084.176</td>
121 <td>402398.155</td>
122 <td>315810.980</td>
123123 </tr>
124124 <tr>
125125 <th>Jettison (1.2)</th>
126 <td>3682704.689</td>
127 <td>601803.834</td>
128 <td>678187.271</td>
126 <td>3617569.912</td>
127 <td>670870.406</td>
128 <td>735876.170</td>
129129 </tr>
130130 </table>
131131
151151 </tr>
152152 <tr>
153153 <th>Custom</th>
154 <td>9324531.713</td>
154 <td>9666231.183</td>
155155 </tr>
156156 <tr>
157157 <th>Java Bean</th>
158 <td>19658157.449</td>
158 <td>18907234.350</td>
159159 </tr>
160160 <tr>
161161 <th>Reflection</th>
162 <td>20859870.075</td>
162 <td>20777749.230</td>
163163 </tr>
164164 </table>
165165
185185 </tr>
186186 <tr>
187187 <th>No Cache</th>
188 <td>9796296.611</td>
188 <td>11982049.168</td>
189189 </tr>
190190 <tr>
191191 <th>Intern</th>
192 <td>14262839.973</td>
192 <td>15280597.717</td>
193193 </tr>
194194 <tr>
195195 <th>ConcurrentMap (length limit)</th>
196 <td>10538757.220</td>
196 <td>10812523.401</td>
197197 </tr>
198198 <tr>
199199 <th>ConcurrentMap (unlimited)</th>
200 <td>11252298.498</td>
200 <td>12196204.773</td>
201201 </tr>
202202 <tr>
203203 <th>Sync'd WeakCache (length limit)</th>
204 <td>11298773.753</td>
204 <td>11476639.041</td>
205205 </tr>
206206 <tr>
207207 <th>Sync'd WeakCache (unlimited)</th>
208 <td>11279714.685</td>
208 <td>11346761.846</td>
209209 </tr>
210210 </table>
211211
246246 </tr>
247247 <tr>
248248 <th>No Coding</th>
249 <td>3917564.563</td>
249 <td>4212316.966</td>
250250 </tr>
251251 <tr>
252252 <th>Dollar Coding</th>
253 <td>4570684.356</td>
253 <td>4843325.489</td>
254254 </tr>
255255 <tr>
256256 <th>Escaped Underscore Coding</th>
257 <td>6322642.927</td>
257 <td>6496347.261</td>
258258 </tr>
259259 <tr>
260260 <th>Cached Escaped Underscore Coding</th>
261 <td>4339193.305</td>
261 <td>4708590.172</td>
262262 </tr>
263263 <tr>
264264 <th>XML Friendly Coding</th>
265 <td>5102368.550</td>
265 <td>5122809.546</td>
266266 </tr>
267267 </table>
268268
00 <html>
11 <!--
22 Copyright (C) 2005, 2006 Joe Walnes.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 XStream committers.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 XStream committers.
44 All rights reserved.
55
66 The software in this package is published under the terms of the BSD
1414 </head>
1515 <body>
1616
17 <p>Changes are split into three categories:</p>
17 <p>Changes are split into following categories:</p>
1818
1919 <ul>
2020 <li><b>Major changes</b>: The major new features that all users should know about.</li>
2121 <li><b>Minor changes</b>: Any smaller changes, including bugfixes.</li>
22 <li><b>Stream Compatibility</b>: Changes affecting the persisted data.</li>
2223 <li><b>API changes</b>: Any changes to the API that could impact existing users.</li>
2324 </ul>
2425
3233
3334 <p>Not yet released.</p>
3435 -->
36
37 <h1 id="1.4.19">1.4.19</h1>
38
39 <p>Released January 29, 2022.</p>
40
41 <p class="highlight">This maintenance release addresses the security vulnerability
42 <a href="CVE-2021-43859.html">CVE-2021-43859</a>, when unmarshalling highly recursive collections or maps causing a
43 Denial of Service.</p>
44
45 <h2>API changes</h2>
46
47 <ul>
48 <li>Added c.t.x.XStream.COLLECTION_UPDATE_LIMIT and c.t.x.XStream.COLLECTION_UPDATE_SECONDS.</li>
49 <li>Added c.t.x.XStream.setCollectionUpdateLimit(int).</li>
50 <li>Added c.t.x.core.SecurityUtils.</li>
51 <li>Added c.t.x.security.AbstractSecurityException and c.t.x.security.InputManipulationException.</li>
52 <li>c.t.x.security.InputManipulationException derives now from c.t.x.security.AbstractSecurityException.</li>
53 </ul>
3554
3655 <h1 id="1.4.18">1.4.18</h1>
3756
6281
6382 <ul>
6483 <li>GHI:#233: Support serializable types with non-serializable parent with PureJavaReflectionConverter.</li>
65 </ul>
84 </ul>
6685
6786 <h2>Stream compatibility</h2>
6887
00 <html>
11 <!--
22 Copyright (C) 2005, 2006 Joe Walnes.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2020, 2021 XStream committers.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream committers.
44 All rights reserved.
55
66 The software in this package is published under the terms of the BSD
1717
1818 <p><a href="versioning.html">About XStream version numbers...</a></p>
1919
20 <h1 id="stable">Stable Version: <span class="version">1.4.18</span></h1>
20 <h1 id="stable">Stable Version: <span class="version">1.4.19</span></h1>
2121
2222 <ul>
23 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.18/xstream-distribution-1.4.18-bin.zip">Binary distribution:</a></b>
23 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.19/xstream-distribution-1.4.19-bin.zip">Binary distribution:</a></b>
2424 Contains the XStream jar files, the Hibernate and Benchmark modules and all the dependencies.</li>
25 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.18/xstream-distribution-1.4.18-src.zip">Source distribution:</a></b>
25 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.19/xstream-distribution-1.4.19-src.zip">Source distribution:</a></b>
2626 Contains the complete XStream project as if checked out from the Subversion version tag.</li>
27 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.18/xstream-1.4.18.jar">XStream Core only:</a>
27 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.19/xstream-1.4.19.jar">XStream Core only:</a>
2828 The xstream.jar only as it is downloaded automatically when it is referenced as Maven dependency.</b></li>
29 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.18/xstream-hibernate-1.4.18.jar">XStream Hibernate module:</a></b>
29 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.19/xstream-hibernate-1.4.19.jar">XStream Hibernate module:</a></b>
3030 The xstream-hibernate.jar as it is downloaded automatically when it is referenced as Maven dependency.</li>
31 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.18/xstream-jmh-1.4.18-app.zip">XStream JMH module:</a></b>
31 <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.19/xstream-jmh-1.4.19-app.zip">XStream JMH module:</a></b>
3232 The xstream-jmh-app.zip as standalone application with start scripts and all required libraries.</li>
3333 </ul>
3434
4040 <div class="Source XML"><pre>&lt;dependency&gt;
4141 &lt;groupId&gt;com.thoughtworks.xstream&lt;/groupId&gt;
4242 &lt;artifactId&gt;xstream&lt;/artifactId&gt;
43 &lt;version&gt;1.4.18&lt;/version&gt;
43 &lt;version&gt;1.4.19&lt;/version&gt;
4444 &lt;/dependency&gt;</pre></div>
4545
4646 <h1 id="previous-releases">Previous Releases</h1>
00 <html>
11 <!--
22 Copyright (C) 2005, 2006 Joe Walnes.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 XStream committers.
3 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2022 XStream committers.
44 All rights reserved.
55
66 The software in this package is published under the terms of the BSD
7171 starting with R25.1.0. Generally it works for all modern Java runtimes based on OpenJDK. Android basically supports
7272 the enhanced mode as well as the Google Application Engine, but the latter's security model limits the types that
7373 can be handled. Note, that an active SecurityManager might prevent the usage of the enhanced mode also.</p>
74 <p>Since Java 9 it is required to permit the now illegal access.</p>
74 <p>Since Java 9 it is required to permit the now illegal access. For Java 17 see below.</p>
7575
7676 <!-- ...................................................... -->
7777 <h2 id="Compatibility_enhanced_mode_advantage">What are the advantages of using enhanced mode over pure Java mode?</h2>
7878
79 <p>Currently it is not possible to recreate every instance of a type using the official Java API only. The enhanced mode uses some undocumented, but wide-spread
80 available functionality to recreate such instances nevertheless. However, in a secured secured environment, older Java run times or a limited Java environment might
81 prevent the usage of the enhanced mode and XStream uses the plain Java API as fallback. This mode has some restrictions though:</p>
79 <p>Currently it is not possible to recreate every instance of a type using the official Java API only. The enhanced
80 mode uses some undocumented, but wide-spread available functionality to recreate such instances nevertheless. However,
81 in a secured secured environment, older Java run times or a limited Java environment might prevent the usage of the
82 enhanced mode and XStream uses the plain Java API as fallback. This mode has some restrictions though:</p>
8283
8384 <table summary="Comparison of pure Java and enhanced mode">
8485 <tr><th>Feature</th><th>Pure Java</th><th>Enhanced Mode</th></tr>
9899
99100 <p>Yes, this is normal. A big part of XStream is reflection based and there is currently no replacement for the
100101 complete required functionality. You will have to permit this access currently, otherwise XStream will not work.</p>
102
103 <!-- ...................................................... -->
104 <h2 id="Compatibility_cannot_access_from_unnamed_module">XStream fails since Java 17, because types in modules cannot be accessed from the unnamed module!</h2>
105
106 <p>Again, this is normal. The reflection stuff is required to get all required information to recreate an instance of
107 a Java type at unmarshalling time. However, since Java 17 it is no longer possible to allow this access with a single
108 runtime option. You have to open all packages of the individual modules for the unnamed module with the option
109 <i>--add-opens</i>, where XStream requires access, e.g. <i>--add-opens java.base/java.util=ALL-UNNAMED</i></p>
101110
102111 <!-- ...................................................... -->
103112 <h2 id="Compatibility_no_module">Why does XStream not even declare an automated module name?</h2>
00 <html>
11 <!--
22 Copyright (C) 2005, 2006 Joe Walnes.
3 Copyright (C) 2006, 2007, 2008, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream committers.
3 Copyright (C) 2006, 2007, 2008, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream committers.
44 All rights reserved.
55
66 The software in this package is published under the terms of the BSD
7272
7373 <h1 id="news">Latest News</h1>
7474
75 <h2 id="release"><b>August 22, 2021</b> XStream 1.4.18 released</h2>
75 <h2 id="1.4.19"><b>January 29, 2022</b> XStream 1.4.19 released</h2>
7676
77 <p class="highlight">This maintenance release addresses the security vulnerabilities
78 <a href="CVE-2021-39139.html">CVE-2021-39139</a>,
79 <a href="CVE-2021-39140.html">CVE-2021-39140</a>,
80 <a href="CVE-2021-39141.html">CVE-2021-39141</a>,
81 <a href="CVE-2021-39144.html">CVE-2021-39144</a>,
82 <a href="CVE-2021-39145.html">CVE-2021-39145</a>,
83 <a href="CVE-2021-39146.html">CVE-2021-39146</a>,
84 <a href="CVE-2021-39147.html">CVE-2021-39147</a>,
85 <a href="CVE-2021-39148.html">CVE-2021-39148</a>,
86 <a href="CVE-2021-39149.html">CVE-2021-39149</a>,
87 <a href="CVE-2021-39150.html">CVE-2021-39150</a>,
88 <a href="CVE-2021-39151.html">CVE-2021-39151</a>,
89 <a href="CVE-2021-39152.html">CVE-2021-39152</a>,
90 <a href="CVE-2021-39153.html">CVE-2021-39153</a>, and
91 <a href="CVE-2021-39154.html">CVE-2021-39154</a>, when unmarshalling with an XStream instance using the default
92 blacklist of an uninitialized security framework. XStream is therefore now using a whitelist by default.</p>
77 <p class="highlight">This maintenance release addresses the security vulnerability
78 <a href="CVE-2021-43859.html">CVE-2021-43859</a>, when unmarshalling highly recursive collections or maps causing a
79 Denial of Service.</p>
9380
9481 <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p>
9582
00 <html>
11 <!--
22 Copyright (C) 2005, 2006 Joe Walnes.
3 Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream committers.
3 Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021, 2022 XStream committers.
44 All rights reserved.
55
66 The software in this package is published under the terms of the BSD
1414 </head>
1515
1616 <body>
17
18 <h2 id="1.4.19"><b>January 29, 2022</b> XStream 1.4.19 released</h2>
19
20 <p class="highlight">This maintenance release addresses the security vulnerability
21 <a href="CVE-2021-43859.html">CVE-2021-43859</a>, when unmarshalling highly recursive collections or maps causing a
22 Denial of Service.</p>
23
24 <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p>
25
26 <p>Note, the next major release 1.5 will require Java 8.</p>
1727
1828 <h2 id="1.4.18"><b>August 22, 2021</b> XStream 1.4.18 released</h2>
1929
2929 context of the server running the XStream process or cause a denial of service by crashing the application or
3030 manage to enter an endless loop consuming 100% of CPU cycles.</p>
3131
32 <p class=highlight>Note: XStream supports other data formats than XML, e.g. JSON. Those formats can be used for
33 the same attacks.</p>
32 <p class=highlight>Note: XStream supports other data formats than XML, e.g. JSON. Those formats can usually be used
33 for the same attacks.</p>
3434
35 <p>Note, that the XML data can be manipulated on different levels. For example, manipulating values on existing
36 objects (such as a price value), accessing private data, or breaking the format and causing the XML parser to fail.
37 The latter case will raise an exception, but the former case must be handled by validity checks in any application
38 which processes user-supplied XML.</p>
35 <p>The XML data can be manipulated on different levels. For example, manipulating values on existing objects (such
36 as a price value), accessing private data, or breaking the format and causing the XML parser to fail. The latter
37 case will raise an exception, but the former case must be handled by validity checks in any application which
38 processes user-supplied XML.</p>
3939
4040 <h2 id="CVEs">Documented Vulnerabilities</h2>
4141
4747 <tr>
4848 <th>CVE</th>
4949 <th>Description</th>
50 </tr>
51 <tr>
52 <th>Version 1.4.18</th>
53 <td></td>
54 </tr>
55 <tr>
56 <th><a href="CVE-2021-43859.html">CVE-2021-43859</a></th>
57 <td>XStream can cause a Denial of Service by injecting highly recursive collections or maps.</td>
5058 </tr>
5159 <tr>
5260 <th>Version 1.4.17</th>
256264 <p class="hightlight">A blacklist for special classes only creates therefore a scenario for a false security,
257265 because no-one can assure, that no other vulnerability is found. A better approach is the usage of a whitelist
258266 i.e. the allowed class types are setup explicitly. This is the default for XStream 1.4.18 (see below).</p>
267
268 <p>XStream supports references to objects already occuring on the object graph in an earlier location. This allows
269 an attacker to create a highly recursive object structure. Some collections or maps calculate the position of a
270 member based on the data of the member itself. This is true for sorting collections or maps, but also for
271 collections or maps based on the hash code of the individual members. The calculation time for the member's
272 position can increase exponentially depending on the recursive depth of the structure and cause therefore a Denial
273 of Service. Therefore XStream measures the time consumed to add an element to a collection or map since version
274 1.4.19. Normally this operation is performed in a view milliseconds, but if adding elements take longer than a
275 second, then the time is accumulated and an exception is thrown if it exceeds a definable limit (20 seconds by
276 default).</p>
259277
260278 <h2 id="explicit">Explicit Security</h2>
261279     
284302 <p class=highlight>Apart from value manipulations, this implementation still allows the injection of allowed
285303 objects at wrong locations, e.g. inserting an integer into a list of strings.</p>
286304
305 <p>To avoid an attack based on the position of an element in a collection or map, you should also use XStream's
306 default converters for 3rd party or own implementations of collections or maps. Own custom converters of such
307 types should measure the time to add an element at deserialization time using the following sequence in the
308 implementation of the unmarshal method:<div class="Source Java">
309 <pre>// unmarshal element of collection
310 long now = System.currentTimeMillis();
311 // add element here, e.g. list.add(element);
312 SecurityUtils.checkForCollectionDoSAttack(context, now);
313 </pre></div></p>
314
287315 <h2 id="validation">XML Validation</h2>
288316
289317 <p>XML itself supports input validation using a schema and a validating parser. With XStream, you can use e.g. a
338366 <p>XStream provides some TypePermission implementations to allow any or no type at all, to allow primitive types
339367 and their counterpart, null, array types, implementations match the name of the type by regular or wildcard
340368 expression and one to invert a permission.</p>
369         
370 <p class="highlight">Note: The examples below are <strong>examples</strong>. Some will or might enable types that
371 are target of a security issue from above and are highlighted as dangerous.</p>
341372
342373 <table class="examplesTable" summary="Overview over all type permissions delivered with XStream">
343374 <!-- .................................................................................................. -->
344375 <tr>
345376 <th>Permission</th>
346377 <th>Description</th>
347 <th>Example</th>
378 <th width="33%">Example</th>
379 <th width="33%">Default</th>
348380 </tr>
349381 <tr>
350382 <td><a href="javadoc/com/thoughtworks/xstream/security/AnyTypePermission.html">AnyTypePermission</a></td>
351383 <td><b>Start a blacklist</b> and allow any type. A registration of this permission will wipe any prior one.
352384 You may use the ANY instance directly. Note, that it is now in the responsibility of the developer to deny any
353385 type that might be used for arbitrary code execution as described in the CVEs above.</td>
354 <td>addPermission(<i>AnyTypePermission.ANY</i>);</td>
386 <td class="example danger">addPermission(<i>AnyTypePermission.ANY</i>);</td>
387 <td>no</td>
355388 </tr>
356389 <tr>
357390 <td><a href="javadoc/com/thoughtworks/xstream/security/ArrayTypePermission.html">ArrayTypePermission</a></td>
358391 <td>Allow any array type. You may use the ARRAYS instance directly.</td>
359 <td>addPermission(<i>ArrayTypePermission.ARRAYS</i>);</td>
392 <td class="example">addPermission(<i>ArrayTypePermission.ARRAYS</i>);</td>
393 <td>yes</td>
360394 </tr>
361395 <tr>
362396 <td><a href="javadoc/com/thoughtworks/xstream/security/CGLIBProxyTypePermission.html">CGLIBProxyTypePermission</a></td>
363397 <td>Allow any CGLIB proxy type. You may use the PROXIES instance directly.</td>
364 <td>addPermission(<i>CGLIBProxyTypePermission.PROXIES</i>);</td>
398 <td class="example danger">addPermission(<i>CGLIBProxyTypePermission.PROXIES</i>);</td>
399 <td>no</td>
365400 </tr>
366401 <tr>
367402 <td><a href="javadoc/com/thoughtworks/xstream/security/ExplicitTypePermission.html">ExplicitTypePermission</a></td>
368403 <td>Allow types explicitly by name.</td>
369 <td>allowTypes(new String[] {"<i>java.io.File</i>", "<i>java.lang.ProcessBuilder</i>"});<br/>
404 <td class="example danger">allowTypes(new String[] {"<i>java.io.File</i>", "<i>java.lang.ProcessBuilder</i>"});<br/>
370405 allowTypes(new Class[] {<i>java.io.File.class</i>, <i>java.lang.ProcessBuilder.class</i>});</td>
406 <td>java.io.File, java.nio.charset.Charset, java.util.BitSet, java.lang.Class, java.lang.Object,
407 java.lang.StackTraceElement, java.lang.String, java.lang.StringBuffer, java.lang.StringBuilder, java.net.URI,
408 java.net.URL, java.sql.Date, java.sql.Time, java.sql.Timestamp, java.text.DecimalFormatSymbols,
409 java.time.Duration, java.time.Instant, java.time.LocalDate, java.time.LocalDateTime, java.time.LocalTime,
410 java.time.MonthDay, java.time.OffsetDateTime, java.time.OffsetTime, java.time.Period, java.time.Ser,
411 java.time.Year, java.time.YearMonth, java.time.ZonedDateTime, java.time.chrono.HijrahDate,
412 java.time.chrono.JapaneseDate, java.time.chrono.JapaneseEra, java.time.chrono.MinguoDate, java.time.chrono.Ser,
413 java.time.chrono.ThaiBuddhistDate, java.time.temporal.ValueRange, java.time.temporal.WeekFields,
414 java.util.Currency, java.util.Date, java.util.Locale, java.util.regex.Pattern, java.util.UUID</td>
371415 </tr>
372416 <tr>
373417 <td><a href="javadoc/com/thoughtworks/xstream/security/InterfaceTypePermission.html">InterfaceTypePermission</a></td>
374418 <td>Allow any interface type. You may use the INTERFACES instance directly.</td>
375 <td>addPermission(<i>InterfaceTypePermission.INTERFACES</i>);</td>
419 <td class="example">addPermission(<i>InterfaceTypePermission.INTERFACES</i>);</td>
420 <td>yes</td>
376421 </tr>
377422 <tr>
378423 <td><a href="javadoc/com/thoughtworks/xstream/security/NoPermission.html">NoPermission</a></td>
379424 <td>Invert any other permission. Instances of this type are used by XStream in the deny methods wrapping a permission.</td>
380 <td>denyPermission(<i>permissionInstance</i>);</td>
425 <td class="example">denyPermission(<i>permissionInstance</i>);</td>
426 <td>no</td>
381427 </tr>
382428 <tr>
383429 <td><a href="javadoc/com/thoughtworks/xstream/security/NoTypePermission.html">NoTypePermission</a></td>
384430 <td><b>Start a whitelist</b> and allow no type. A registration of this permission will wipe any prior one.
385431 You may use the NONE instance directly.</td>
386 <td>addPermission(<i>NoTypePermission.NONE</i>);</td>
432 <td class="example">addPermission(<i>NoTypePermission.NONE</i>);</td>
433 <td>yes</td>
387434 </tr>
388435 <tr>
389436 <td><a href="javadoc/com/thoughtworks/xstream/security/NullPermission.html">NullPermission</a></td>
390437 <td>Allow null as type. You may use the NULL instance directly.</td>
391 <td>addPermission(<i>NullPermission.NULL</i>);</td>
438 <td class="example">addPermission(<i>NullPermission.NULL</i>);</td>
439 <td>yes</td>
392440 </tr>
393441 <tr>
394442 <td><a href="javadoc/com/thoughtworks/xstream/security/PrimitiveTypePermission.html">PrimitiveTypePermission</a></td>
395443 <td>Allow any primitive type and its boxed counterpart (excluding void). You may use the PRIMITIVES instance
396444 directly.</td>
397 <td>addPermission(<i>PrimitiveTypePermission.PRIMITIVES</i>);</td>
445 <td class="example">addPermission(<i>PrimitiveTypePermission.PRIMITIVES</i>);</td>
446 <td>yes</td>
398447 </tr>
399448 <tr>
400449 <td><a href="javadoc/com/thoughtworks/xstream/security/ProxyTypePermission.html">ProxyTypePermission</a></td>
401450 <td>Allow any Java proxy type. You may use the PROXIES instance directly.</td>
402 <td>addPermission(<i>ProxyTypePermission.PROXIES</i>);</td>
451 <td class="example">addPermission(<i>ProxyTypePermission.PROXIES</i>);</td>
452 <td>no</td>
403453 </tr>
404454 <tr>
405455 <td><a href="javadoc/com/thoughtworks/xstream/security/RegExpTypePermission.html">RegExpTypePermission</a></td>
406456 <td>Allow any type that matches with its name a regular expression.</td>
407 <td class="example">allowTypeByRegExp(new String[]{"<i>.*\\.core\\..*</i>", "<i>[^$]+</i>"});<br/>
408 allowTypeByRegExp(new Pattern[]{Pattern.compile("<i>.*\\.core\\..*</i>"), Pattern.compile("<i>[^$]+</i>")});</td>
457 <td class="example danger">allowTypesByRegExp(new String[]{"<i>.*\\.core\\..*</i>", "<i>[^$]+</i>"});<br/>
458 allowTypesByRegExp(new Pattern[]{Pattern.compile("<i>.*\\.core\\..*</i>"), Pattern.compile("<i>[^$]+</i>")});</td>
459 <td>&ndash;</td>
409460 </tr>
410461 <tr>
411462 <td><a href="javadoc/com/thoughtworks/xstream/security/TypeHierarchyPermission.html">TypeHierarchyPermission</a></td>
412463 <td>Allow types of a hierarchy.</td>
413 <td>allowTypeHierarchy(<i>java.lang.Throwable.class</i>);</td>
464 <td class="example">allowTypeHierarchy(<i>java.lang.Throwable.class</i>);</td>
465 <td>java.lang.Enum, java.lang.Number, java.lang.Throwable, java.lang.reflect.Member, java.nio.file.Path,
466 java.time.Clock, java.time.ZoneId, java.time.chrono.Chronology, java.util.Calendar, java.util.Collection,
467 java.util.Map, java.util.Map.Entry, java.util.TimeZone</td>
414468 </tr>
415469 <tr>
416470 <td><a href="javadoc/com/thoughtworks/xstream/security/WildcardTypePermission.html">WildcardTypePermission</a></td>
417471 <td>Allow any type that matches with its name a wildcard expression.</td>
418 <td>allowTypeByWildcard(new String[]{"<i>java.lang.*</i>", "<i>java.util.**"</i>});</td>
472 <td class="example danger">allowTypesByWildcard(new String[]{"<i>java.lang.*</i>", "<i>java.util.**"</i>});</td>
473 <td>&ndash;</td>
419474 </tr>
420475 </table>
421476
422477 <h2 id="example">Example Code Whitelist</h2>
423478
424 <p>XStream uses the AnyTypePermission by default, i.e. any type is accepted. You have to clear out this default
425 and register your own permissions to activate the security framework (the Blog type is from the
479 <p>XStream uses now the NoTypePermission by default with an internal whitelist. You can clear out this default
480 and/or register your own permissions to adjust the security framework (the Blog type is from the
426481 <a href="alias-tutorial.html">Alias Tutorial</a>):</p>
427482 <div class="Source Java"><pre>XStream xstream = new XStream();
428483 // clear out existing permissions and start a whitelist
447502 <p>Users of XStream 1.4.17 who insist to use XStream default blacklist - despite that clear recommendation - can
448503 add these lines to XStream's setup code:</p>
449504 <div class="Source Java"><pre>xstream.denyTypesByWildcard(new String[]{ "sun.reflect.**", "sun.tracing.**", "com.sun.corba.**" });
450 xstream.denyTypesByRegExp(new String[]{ ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|tor),.*\\$URLData" });
505 xstream.denyTypesByRegExp(new String[]{ ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|or)", ".*\\$URLData", ".*\\.xsltc\\.trax\\.TemplatesImpl" });
451506 </pre></div>
452507
453508 <p>Users of XStream 1.4.16 should add these lines and <strong>additionally</strong> the lines for version 1.4.17:</p>
472527 scratch:</p>
473528 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" });
474529 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
475 xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader", ".*\\$GetterSetterReflection", ".*\\$LazyIterator", ".*\\$PrivilegedGetter", ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)", ".*\\$URLData" });
530 ".*\\.xsltc\\.trax\\.TemplatesImpl"xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader", ".*\\$GetterSetterReflection", ".*\\$LazyIterator", ".*\\$PrivilegedGetter", ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)", ".*\\$URLData", ".*\\.xsltc\\.trax\\.TemplatesImpl" });
476531 xstream.denyTypesByWildcard(new String[]{ "sun.reflect.**", "sun.tracing.**", "com.sun.corba.**" });
477532 xstream.denyTypeHierarchy(java.io.InputStream.class);
478533 xstream.denyTypeHierarchy(java.nio.channels.Channel.class);
487542 return type != null
488543 &amp;&amp; (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class
489544 || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("sun.awt.datatransfer.DataTransferer$IndexOrderComparator") || type.getName().equals("com.sun.corba.se.impl.activation.ServerTableEntry") || type.getName().equals("com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator")
490 || type.getName().matches("javafx\\.collections\\.ObservableList\\$.*") || type.getName().matches(".*\\$ServiceNameIterator") || type.getName().matches(".*\\$GetterSetterReflection") || type.getName().matches(".*\\$LazyIterator") || type.getName().matches(".*\\$ProxyLazyValue") || type.getName().matches(".*\\.bcel\\..*\\.util\\.ClassLoader") || type.getName().matches(".*\\.ws\\.client\\.sei\\..*") || type.getName().matches("com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)") || type.getName().matches(".*\\$URLData")
545 || type.getName().matches("javafx\\.collections\\.ObservableList\\$.*") || type.getName().matches(".*\\$ServiceNameIterator") || type.getName().matches(".*\\$GetterSetterReflection") || type.getName().matches(".*\\$LazyIterator") || type.getName().matches(".*\\$ProxyLazyValue") || type.getName().matches(".*\\.bcel\\..*\\.util\\.ClassLoader") || type.getName().matches(".*\\.ws\\.client\\.sei\\..*") || type.getName().matches("com\\.sun\\.jndi\\..*Enumerat(?:ion|or)")
546 || type.getName().endsWith(".$URLData") || type.getName().endsWith(".xsltc.trax.TemplatesImpl")
491547 || type.getName().startsWith("sun.reflect.") || type.getName().startsWith("sun.tracing.") || type.getName().startsWith("com.sun.corba.")
492548 || java.io.InputStream.class.isAssignableFrom(type) || java.nio.channels.Channel.isAssignableFrom(type) || javax.activation.DataSource.isAssignableFrom(type) ||javax.sql.rowset.BaseRowSet.isAssignableFrom(type)
493549 || Proxy.isProxy(type));
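Review bot: The from-scratch deny list at new line 530 is broken by this change: a stray `".*\\.xsltc\\.trax\\.TemplatesImpl"` literal sits in front of `xstream.denyTypesByRegExp(`, so the snippet does not compile as shown, and its JNDI pattern still reads `Enumerat(?:ion|tor)` although new lines 505 and 545 correct it to `Enumerat(?:ion|or)`. In the hand-written permission at new line 546, `endsWith(".$URLData")` replaces the regex `.*\\$URLData` but requires a dot before the `$`, which the binary name of a nested class does not have (it is `Outer$URLData`), so that entry probably never matches; `type.getName().endsWith("$URLData")` keeps the old meaning. Readers copy these lines into their setup code, so a pattern that silently fails to match leaves a type from the documented deny list allowed. The boolean expression around line 546 starts outside the hunk.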
8888 <page>CVE-2021-39152.html</page>
8989 <page>CVE-2021-39153.html</page>
9090 <page>CVE-2021-39154.html</page>
91 <page>CVE-2021-43859.html</page>
9192 <page>CVE-2020-26217.html</page>
9293 <page>CVE-2020-26258.html</page>
9394 <page>CVE-2020-26259.html</page>
00 /*
11 Copyright (C) 2005, 2006 Joe Walnes.
2 Copyright (C) 2006, 2007 XStream committers.
2 Copyright (C) 2006, 2007, 2021 XStream committers.
33 All rights reserved.
44
55 The software in this package is published under the terms of the BSD
245245 padding: 0px;
246246 border: 0px;
247247 font-size: inherit;
248 line-spacing: 100%;
248 line-height: 100%;
249249 }
250250
251251 .highlight {
252252 background-color: #e0f0e0;
253253 border: 1px dotted #060;
254254 padding: 5px;
255 }
256
257 .danger {
258 color: red;
259 font-weight: bold;
255260 }
256261
257262 /* The following are for images, but can also apply to div's containing images. */
00 <?xml version="1.0"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
11 <!--
2 Copyright (C) 2011, 2012, 2013, 2015, 2017 XStream committers.
2 Copyright (C) 2011, 2012, 2013, 2015, 2017, 2022 XStream committers.
33 All rights reserved.
44
55 The software in this package is published under the terms of the BSD
1212 <parent>
1313 <groupId>com.thoughtworks.xstream</groupId>
1414 <artifactId>xstream-parent</artifactId>
15 <version>1.4.18</version>
15 <version>1.4.19</version>
1616 </parent>
1717 <artifactId>xstream-hibernate</artifactId>
1818 <packaging>jar</packaging>
2323
2424 <profiles>
2525 <profile>
26 <id>jdk19-ge</id>
26 <id>jdk17-ge</id>
2727 <activation>
28 <jdk>[9,)</jdk>
28 <jdk>[17,)</jdk>
29 </activation>
30 <properties>
31 <surefire.argline>--add-opens java.base/java.lang=ALL-UNNAMED</surefire.argline>
32 </properties>
33 </profile>
34 <profile>
35 <id>jdk9-ge-jdk16</id>
36 <activation>
37 <jdk>[9,17)</jdk>
2938 </activation>
3039 <properties>
3140 <surefire.argline>--illegal-access=${surefire.illegal.access}</surefire.argline>
3241 </properties>
3342 </profile>
3443 <profile>
35 <id>jdk18</id>
44 <id>jdk8</id>
3645 <activation>
3746 <jdk>1.8</jdk>
3847 </activation>
6372 </reporting>
6473 </profile>
6574 <profile>
66 <id>jdk16-ge</id>
75 <id>jdk6-ge</id>
6776 <activation>
6877 <jdk>[1.6,)</jdk>
6978 </activation>
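Review bot: The new `jdk17-ge` profile (new lines 26-33) opens `java.base/java.lang` to every unnamed module without saying which reflective access in the tests needs it, so nobody can later tell whether the flag is still required. A one-line comment above `<surefire.argline>` would do, for example `<!-- JDK 17 ignores the illegal-access switch; tests need java.lang opened for reflection (test JVM only) -->`. Presumably this affects only the surefire test JVM; if users of the module need the same flag at runtime, that belongs in the user documentation as well.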
22 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
33 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
44 <!--
5 Copyright (C) 2019, 2020 XStream committers.
5 Copyright (C) 2019, 2020, 2022 XStream committers.
66 All rights reserved.
77
88 The software in this package is published under the terms of the BSD
1414 <parent>
1515 <artifactId>xstream-parent</artifactId>
1616 <groupId>com.thoughtworks.xstream</groupId>
17 <version>1.4.12-SNAPSHOT</version>
17 <version>1.4.19-SNAPSHOT</version>
1818 </parent>
1919 <modelVersion>4.0.0</modelVersion>
2020 <artifactId>xstream-its</artifactId>
00 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
11 <!--
2 Copyright (C) 2015, 2017, 2020, 2021 XStream committers.
2 Copyright (C) 2015, 2017, 2020, 2021, 2022 XStream committers.
33 All rights reserved.
44
55 The software in this package is published under the terms of the BSD
1212 <parent>
1313 <groupId>com.thoughtworks.xstream</groupId>
1414 <artifactId>xstream-parent</artifactId>
15 <version>1.4.18</version>
15 <version>1.4.19</version>
1616 </parent>
1717 <artifactId>xstream-jmh</artifactId>
1818 <packaging>jar</packaging>
6666 </build>
6767 </profile>
6868 <profile>
69 <id>jdk18</id>
69 <id>jdk8</id>
7070 <activation>
7171 <jdk>1.8</jdk>
7272 </activation>
9797 </reporting>
9898 </profile>
9999 <profile>
100 <id>jdk17-le</id>
100 <id>jdk7-le</id>
101101 <activation>
102102 <jdk>(,1.7]</jdk>
103103 </activation>
0 @echo off
1 @REM Copyright (C) 2015 XStream Committers.
2 @REM All rights reserved.
3 @REM
4 @REM The software in this package is published under the terms of the BSD
5 @REM style license a copy of which has been included with this distribution in
6 @REM the LICENSE.txt file.
7 @REM
8 @REM Created on 28. October 2015 by Joerg Schaible
9
10 @REM Run XStream JMH
11 if "%XSTREAM_SCRIPT_ECHO%"=="on" echo on
12
13 if "%OS%"=="Windows_NT" @setlocal
14 if "%OS%"=="WINNT" @setlocal
15
16 @REM * Set title
17 @REM ***********
18 title ScalarisDMS
19
20 @REM * Goto script root dir
21 @REM **********************
22 cd /d %~dp0\..
23
24 @REM * Initialize environment
25 @REM ************************
26 @REM JAVA_OPTS and APP_OPTS can be set from outside
27 set JAVA_BIN=
28 set APP_CP=
29
30 @REM * Set Java executable
31 @REM *********************
32 if not defined JAVA_EXE set JAVA_EXE=java.exe
33 if "%JAVA_BIN%" NEQ "" if exist %JAVA_BIN% goto SetClassPath
34 if defined JAVA_HOME if "%JAVA_HOME%" NEQ "" set JAVA_BIN=%JAVA_HOME%\bin\%JAVA_EXE%
35 if exist %JAVA_BIN% goto SetClassPath
36 if defined JDK_HOME if "%JDK_HOME%" NEQ "" set JAVA_BIN=%JDK_HOME%\jre\bin\%JAVA_EXE%
37 if exist %JAVA_BIN% goto SetClassPath
38 set JAVA_BIN=%JAVA_EXE%
39
40 :SetClassPath
41 @REM * Set class path
42 @REM ****************
43 for %%i in (lib\*.jar) do call :APP_CP_append %%i
44 call :APP_CP_append "config"
45
46 @REM * Set options
47 @REM *************
48 set JAVA_OPTS=%JAVA_OPTS% -Xmx2048m -Xss4m
49
50
51 @REM * Main class
52 @REM ************
53 set MAIN_CLASS=org.openjdk.jmh.Main
54
55 @REM * Run application
56 @REM *****************
57 %JAVA_BIN% %JAVA_OPTS% %APP_DEFINES% -cp %APP_CP% %MAIN_CLASS% %APP_OPTS% %*
58
59
60 if "%OS%"=="Windows_NT" @endlocal
61 goto :EOF
62
63
64 @REM ***************
65 @REM * Sub functions
66 @REM ***************
67
68 :APP_CP_append
69 set APP_CP=%APP_CP%;%1
70 goto :EOF
0 @echo off
1 @REM Copyright (C) 2015, 2022 XStream Committers.
2 @REM All rights reserved.
3 @REM
4 @REM The software in this package is published under the terms of the BSD
5 @REM style license a copy of which has been included with this distribution in
6 @REM the LICENSE.txt file.
7 @REM
8 @REM Created on 28. October 2015 by Joerg Schaible
9
10 @REM Run XStream JMH
11 if "%XSTREAM_SCRIPT_ECHO%"=="on" echo on
12
13 if "%OS%"=="Windows_NT" @setlocal
14 if "%OS%"=="WINNT" @setlocal
15
16 @REM * Set title
17 @REM ***********
18 title ScalarisDMS
19
20 @REM * Goto script root dir
21 @REM **********************
22 cd /d %~dp0\..
23
24 @REM * Initialize environment
25 @REM ************************
26 @REM JAVA_OPTS and APP_OPTS can be set from outside
27 set JAVA_BIN=
28 set APP_CP=
29
30 @REM * Set Java executable
31 @REM *********************
32 if not defined JAVA_EXE set JAVA_EXE=java.exe
33 if "%JAVA_BIN%" NEQ "" if exist %JAVA_BIN% goto SetClassPath
34 if defined JAVA_HOME if "%JAVA_HOME%" NEQ "" set JAVA_BIN=%JAVA_HOME%\bin\%JAVA_EXE%
35 if exist %JAVA_BIN% goto SetClassPath
36 if defined JDK_HOME if "%JDK_HOME%" NEQ "" set JAVA_BIN=%JDK_HOME%\jre\bin\%JAVA_EXE%
37 if exist %JAVA_BIN% goto SetClassPath
38 set JAVA_BIN=%JAVA_EXE%
39
40 :SetClassPath
41 @REM * Set class path
42 @REM ****************
43 for %%i in (lib\*.jar) do call :APP_CP_append %%i
44 call :APP_CP_append "config"
45
46 @REM * Open modules for parsers using Java 17 or higher
47 @REM *************
48 for /F "tokens=2 usebackq" %%j in (`%JAVA_BIN% -cp "%APP_CP%" com.thoughtworks.xstream.core.JVM ^| find "java.specification.version"`) DO SET JAVA_VERSION=%%j
49 if %JAVA_VERSION% GEQ 17 set JAVA_OPTS=%JAVA_OPTS% --add-opens java.xml/com.sun.org.apache.xerces.internal.parsers=ALL-UNNAMED
50 if %JAVA_VERSION% GEQ 17 set JAVA_OPTS=%JAVA_OPTS% --add-opens java.xml/com.sun.org.apache.xerces.internal.util=ALL-UNNAMED
51 if %JAVA_VERSION% GEQ 17 set JAVA_OPTS=%JAVA_OPTS% --add-opens java.xml/com.sun.xml.internal.stream=ALL-UNNAMED
52
53 @REM * Set options
54 @REM *************
55 set JAVA_OPTS=%JAVA_OPTS% -Xmx2048m -Xss4m
56
57 @REM * Main class
58 @REM ************
59 set MAIN_CLASS=org.openjdk.jmh.Main
60
61 @REM * Run application
62 @REM *****************
63 %JAVA_BIN% %JAVA_OPTS% %APP_DEFINES% -cp %APP_CP% %MAIN_CLASS% %APP_OPTS% %*
64
65
66 if "%OS%"=="Windows_NT" @endlocal
67 goto :EOF
68
69
70 @REM ***************
71 @REM * Sub functions
72 @REM ***************
73
74 :APP_CP_append
75 set APP_CP=%APP_CP%;%1
76 goto :EOF
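Review bot: In the new Java-version block (new lines 48-51), `JAVA_VERSION` stays undefined when the probe prints nothing (class not found on `%APP_CP%`, `java.exe` missing), and `if %JAVA_VERSION% GEQ 17` then expands to `if GEQ 17`, a syntax error that ends the script before the benchmark starts. Initialising it first, `set JAVA_VERSION=0` on the line before the `for /F`, keeps the three comparisons valid. The probe also runs `%JAVA_BIN%` unquoted, so a `JAVA_HOME` containing spaces would break it; that matches the existing launch line, so it may be a known limitation.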
00 #!/bin/sh
1 # Copyright (C) 2015 XStream Committers.
1 # Copyright (C) 2015, 2022 XStream Committers.
22 # All rights reserved.
33 #
44 # The software in this package is published under the terms of the BSD
4040 APP_CP=$APP_CP:$i
4141 done
4242
43 # * Open modules for parsers using Java 17 or higher
44 # *************
45 JAVA_VERSION=`$JAVA_BIN -cp $APP_CP com.thoughtworks.xstream.core.JVM | grep "java.specification.version" | cut -d ' ' -f 2`
46 if [[ $JAVA_VERSION -ge 17 ]]; then
47 JAVA_OPTS="$JAVA_OPTS --add-opens java.xml/com.sun.org.apache.xerces.internal.parsers=ALL-UNNAMED"
48 JAVA_OPTS="$JAVA_OPTS --add-opens java.xml/com.sun.org.apache.xerces.internal.util=ALL-UNNAMED"
49 JAVA_OPTS="$JAVA_OPTS --add-opens java.xml/com.sun.xml.internal.stream=ALL-UNNAMED"
50 fi
51
4352 # * Set options
4453 # *************
4554 JAVA_OPTS="$JAVA_OPTS -Xmx2048m -Xss4m"
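Review bot: The version test at new line 46 uses `[[ … ]]`, a bash/ksh construct, while the script's interpreter line is `#!/bin/sh`; where `sh` is dash or another plain POSIX shell the test fails with "[[: not found" and the `--add-opens` flags are never added. On Java 8 the probe presumably yields `1.8`, which is not an integer for `-ge` either. A portable form is `if [ "${JAVA_VERSION%%.*}" -ge 17 ] 2>/dev/null; then`, which compares only the part before the first dot and treats an empty or malformed value as below 17.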
0 Benchmark (codec) (data) (driverFactory) (operation) Mode Cnt Score Error Units
1 Base64Benchmark.run xstreamInternal small N/A encode avgt 16 422.691 ± 0.805 ns/op
2 Base64Benchmark.run xstreamInternal small N/A decode avgt 16 401.744 ± 41.549 ns/op
3 Base64Benchmark.run xstreamInternal medium N/A encode avgt 16 87980.151 ± 1758.463 ns/op
4 Base64Benchmark.run xstreamInternal medium N/A decode avgt 16 90334.626 ± 272.486 ns/op
5 Base64Benchmark.run xstreamInternal big N/A encode avgt 16 26829622.608 ± 219338.574 ns/op
6 Base64Benchmark.run xstreamInternal big N/A decode avgt 16 25760733.427 ± 892724.693 ns/op
7 Base64Benchmark.run dataTypeConverter small N/A encode avgt 16 116.452 ± 4.685 ns/op
8 Base64Benchmark.run dataTypeConverter small N/A decode avgt 16 156.041 ± 0.232 ns/op
9 Base64Benchmark.run dataTypeConverter medium N/A encode avgt 16 22025.833 ± 871.377 ns/op
10 Base64Benchmark.run dataTypeConverter medium N/A decode avgt 16 29199.416 ± 1366.584 ns/op
11 Base64Benchmark.run dataTypeConverter big N/A encode avgt 16 10173025.627 ± 14375.190 ns/op
12 Base64Benchmark.run dataTypeConverter big N/A decode avgt 16 7645745.427 ± 378490.086 ns/op
13 Base64Benchmark.run javaUtil small N/A encode avgt 16 113.013 ± 10.478 ns/op
14 Base64Benchmark.run javaUtil small N/A decode avgt 16 83.877 ± 0.298 ns/op
15 Base64Benchmark.run javaUtil medium N/A encode avgt 16 14425.936 ± 39.693 ns/op
16 Base64Benchmark.run javaUtil medium N/A decode avgt 16 13846.668 ± 779.799 ns/op
17 Base64Benchmark.run javaUtil big N/A encode avgt 16 6149989.342 ± 199233.302 ns/op
18 Base64Benchmark.run javaUtil big N/A decode avgt 16 5342302.204 ± 18186.258 ns/op
19 Base64Benchmark.run commonsCodec small N/A encode avgt 16 6390.608 ± 72.975 ns/op
20 Base64Benchmark.run commonsCodec small N/A decode avgt 16 6385.171 ± 89.129 ns/op
21 Base64Benchmark.run commonsCodec medium N/A encode avgt 16 68085.447 ± 138.335 ns/op
22 Base64Benchmark.run commonsCodec medium N/A decode avgt 16 68183.900 ± 6315.687 ns/op
23 Base64Benchmark.run commonsCodec big N/A encode avgt 16 29120324.467 ± 745830.065 ns/op
24 Base64Benchmark.run commonsCodec big N/A decode avgt 16 22775668.935 ± 627458.817 ns/op
25 Base64Benchmark.run migBase small N/A encode avgt 16 107.834 ± 0.218 ns/op
26 Base64Benchmark.run migBase small N/A decode avgt 16 110.671 ± 5.789 ns/op
27 Base64Benchmark.run migBase medium N/A encode avgt 16 19048.637 ± 1321.623 ns/op
28 Base64Benchmark.run migBase medium N/A decode avgt 16 22464.136 ± 30.464 ns/op
29 Base64Benchmark.run migBase big N/A encode avgt 16 10101223.925 ± 193350.342 ns/op
30 Base64Benchmark.run migBase big N/A decode avgt 16 6967471.163 ± 405344.659 ns/op
0 # JMH version: 1.21
1 # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8
2 # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java
3 # VM options: -Xmx2048m -Xss4m
4 # Warmup: 5 iterations, 10 s each
5 # Measurement: 16 iterations, 10 s each
6 # Timeout: 10 min per iteration
7 # Threads: 4 threads, will synchronize iterations
8 # Benchmark mode: Average time, time/op
9 # Benchmark: com.thoughtworks.xstream.benchmark.jmh.Base64Benchmark
10
11 Benchmark (codec) (data) (driverFactory) (operation) Mode Cnt Score Error Units
12 Base64Benchmark.run xstreamInternal small N/A encode avgt 16 317.846 ± 10.973 ns/op
13 Base64Benchmark.run xstreamInternal small N/A decode avgt 16 377.680 ± 21.156 ns/op
14 Base64Benchmark.run xstreamInternal medium N/A encode avgt 16 98465.757 ± 5610.134 ns/op
15 Base64Benchmark.run xstreamInternal medium N/A decode avgt 16 79392.274 ± 4716.703 ns/op
16 Base64Benchmark.run xstreamInternal big N/A encode avgt 16 30390677.188 ± 934410.490 ns/op
17 Base64Benchmark.run xstreamInternal big N/A decode avgt 16 27259197.002 ± 2069094.026 ns/op
18 Base64Benchmark.run dataTypeConverter small N/A encode avgt 16 124.194 ± 6.328 ns/op
19 Base64Benchmark.run dataTypeConverter small N/A decode avgt 16 122.598 ± 3.525 ns/op
20 Base64Benchmark.run dataTypeConverter medium N/A encode avgt 16 21026.423 ± 658.662 ns/op
21 Base64Benchmark.run dataTypeConverter medium N/A decode avgt 16 29866.717 ± 2025.820 ns/op
22 Base64Benchmark.run dataTypeConverter big N/A encode avgt 16 10501691.522 ± 231137.592 ns/op
23 Base64Benchmark.run dataTypeConverter big N/A decode avgt 16 7861959.972 ± 390429.038 ns/op
24 Base64Benchmark.run javaUtil small N/A encode avgt 16 105.755 ± 9.011 ns/op
25 Base64Benchmark.run javaUtil small N/A decode avgt 16 105.170 ± 9.459 ns/op
26 Base64Benchmark.run javaUtil medium N/A encode avgt 16 15352.908 ± 681.790 ns/op
27 Base64Benchmark.run javaUtil medium N/A decode avgt 16 14575.556 ± 1391.487 ns/op
28 Base64Benchmark.run javaUtil big N/A encode avgt 16 6204528.259 ± 221575.512 ns/op
29 Base64Benchmark.run javaUtil big N/A decode avgt 16 5536117.686 ± 50116.580 ns/op
30 Base64Benchmark.run commonsCodec small N/A encode avgt 16 6073.407 ± 105.387 ns/op
31 Base64Benchmark.run commonsCodec small N/A decode avgt 16 5925.544 ± 112.251 ns/op
32 Base64Benchmark.run commonsCodec medium N/A encode avgt 16 65550.077 ± 5236.951 ns/op
33 Base64Benchmark.run commonsCodec medium N/A decode avgt 16 63468.417 ± 2391.871 ns/op
34 Base64Benchmark.run commonsCodec big N/A encode avgt 16 35735178.209 ± 747201.282 ns/op
35 Base64Benchmark.run commonsCodec big N/A decode avgt 16 26102838.095 ± 1158179.239 ns/op
36 Base64Benchmark.run migBase small N/A encode avgt 16 92.392 ± 1.986 ns/op
37 Base64Benchmark.run migBase small N/A decode avgt 16 98.270 ± 4.536 ns/op
38 Base64Benchmark.run migBase medium N/A encode avgt 16 21395.915 ± 1590.397 ns/op
39 Base64Benchmark.run migBase medium N/A decode avgt 16 21835.719 ± 421.423 ns/op
40 Base64Benchmark.run migBase big N/A encode avgt 16 9712102.955 ± 26042.252 ns/op
41 Base64Benchmark.run migBase big N/A decode avgt 16 7459294.378 ± 450290.060 ns/op
0 # JMH version: 1.21
1 # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8
2 # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java
3 # VM options: -Xmx2048m -Xss4m
4 # Warmup: 5 iterations, 10 s each
5 # Measurement: 16 iterations, 10 s each
6 # Timeout: 10 min per iteration
7 # Threads: 4 threads, will synchronize iterations
8 # Benchmark mode: Average time, time/op
9 # Benchmark: com.thoughtworks.xstream.benchmark.jmh.ConverterTypeBenchmark
10
011 Benchmark Mode Cnt Score Error Units
1 ConverterTypeBenchmark.custom avgt 16 9324531.713 ± 12182.415 ns/op
2 ConverterTypeBenchmark.javaBean avgt 16 19658157.449 ± 84554.958 ns/op
3 ConverterTypeBenchmark.reflection avgt 16 20859870.075 ± 2470686.138 ns/op
12 ConverterTypeBenchmark.custom avgt 16 9666231.183 ± 653048.972 ns/op
13 ConverterTypeBenchmark.javaBean avgt 16 18907234.350 ± 361662.695 ns/op
14 ConverterTypeBenchmark.reflection avgt 16 20777749.230 ± 1970979.445 ns/op
0 # JMH version: 1.21
1 # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8
2 # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java
3 # VM options: -Xmx2048m -Xss4m
4 # Warmup: 5 iterations, 10 s each
5 # Measurement: 25 iterations, 10 s each
6 # Timeout: 10 min per iteration
7 # Threads: 4 threads, will synchronize iterations
8 # Benchmark mode: Average time, time/op
9 # Benchmark: com.thoughtworks.xstream.benchmark.jmh.NameCoderBenchmark
10
011 Benchmark Mode Cnt Score Error Units
1 NameCoderBenchmark.cachedEscapedUnderscoreCoding avgt 25 4339193.305 ± 117708.908 ns/op
2 NameCoderBenchmark.dollarCoding avgt 25 4570684.356 ± 169447.323 ns/op
3 NameCoderBenchmark.escapedUnderscoreCoding avgt 25 6322642.927 ± 176678.518 ns/op
4 NameCoderBenchmark.noCoding avgt 25 3917564.563 ± 150151.093 ns/op
5 NameCoderBenchmark.xmlFriendlyCoding avgt 25 5102368.550 ± 129434.626 ns/op
12 NameCoderBenchmark.cachedEscapedUnderscoreCoding avgt 25 4708590.172 ± 218745.678 ns/op
13 NameCoderBenchmark.dollarCoding avgt 25 4843325.489 ± 291540.806 ns/op
14 NameCoderBenchmark.escapedUnderscoreCoding avgt 25 6496347.261 ± 279498.799 ns/op
15 NameCoderBenchmark.noCoding avgt 25 4212316.966 ± 243972.124 ns/op
16 NameCoderBenchmark.xmlFriendlyCoding avgt 25 5122809.546 ± 219143.950 ns/op
0 # JMH version: 1.21
1 # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8
2 # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java
3 # VM options: -Xmx2048m -Xss4m
4 # Warmup: 5 iterations, 10 s each
5 # Measurement: 15 iterations, 10 s each
6 # Timeout: 10 min per iteration
7 # Threads: 1 thread, will synchronize iterations
8 # Benchmark mode: Average time, time/op
9 # Benchmark: com.thoughtworks.xstream.benchmark.jmh.ParserBenchmark
10
011 Benchmark (driverFactory) Mode Cnt Score Error Units
1 ParserBenchmark.parseBigText MXParser avgt 15 2131602.489 ± 25703.664 ns/op
2 ParserBenchmark.parseBigText Xpp3 avgt 15 2084284.951 ± 14376.744 ns/op
3 ParserBenchmark.parseBigText kXML2 avgt 15 3561706.234 ± 28443.949 ns/op
4 ParserBenchmark.parseBigText JDKStax avgt 15 8450930.541 ± 114260.574 ns/op
5 ParserBenchmark.parseBigText Woodstox avgt 15 1959085.951 ± 4958.052 ns/op
6 ParserBenchmark.parseBigText BEAStax avgt 15 3182516.188 ± 38272.584 ns/op
7 ParserBenchmark.parseBigText DOM avgt 15 10568442.558 ± 153957.726 ns/op
8 ParserBenchmark.parseBigText DOM4J avgt 15 8543670.534 ± 35374.800 ns/op
9 ParserBenchmark.parseBigText JDom avgt 15 6379300.940 ± 39285.532 ns/op
10 ParserBenchmark.parseBigText JDom2 avgt 15 5929805.928 ± 118564.329 ns/op
11 ParserBenchmark.parseBigText Xom avgt 15 7968868.873 ± 26730.256 ns/op
12 ParserBenchmark.parseBigText Binary avgt 15 1065228.134 ± 5642.331 ns/op
13 ParserBenchmark.parseBigText Jettison avgt 15 3682704.689 ± 56568.770 ns/op
14 ParserBenchmark.parseManyChildren MXParser avgt 15 814691.675 ± 3495.652 ns/op
15 ParserBenchmark.parseManyChildren Xpp3 avgt 15 754593.348 ± 16963.908 ns/op
16 ParserBenchmark.parseManyChildren kXML2 avgt 15 855787.083 ± 2364.443 ns/op
17 ParserBenchmark.parseManyChildren JDKStax avgt 15 885917.070 ± 27740.420 ns/op
18 ParserBenchmark.parseManyChildren Woodstox avgt 15 630843.461 ± 16713.507 ns/op
19 ParserBenchmark.parseManyChildren BEAStax avgt 15 667706.032 ± 11089.959 ns/op
20 ParserBenchmark.parseManyChildren DOM avgt 15 59894584.643 ± 305491.167 ns/op
21 ParserBenchmark.parseManyChildren DOM4J avgt 15 79125701.566 ± 1579465.065 ns/op
22 ParserBenchmark.parseManyChildren JDom avgt 15 6887733.303 ± 102619.220 ns/op
23 ParserBenchmark.parseManyChildren JDom2 avgt 15 9876176.832 ± 48837.176 ns/op
24 ParserBenchmark.parseManyChildren Xom avgt 15 34141742.595 ± 475598.891 ns/op
25 ParserBenchmark.parseManyChildren Binary avgt 15 405493.660 ± 4239.044 ns/op
26 ParserBenchmark.parseManyChildren Jettison avgt 15 601803.834 ± 2160.122 ns/op
27 ParserBenchmark.parseNestedElements MXParser avgt 15 13287597.794 ± 343543.709 ns/op
28 ParserBenchmark.parseNestedElements Xpp3 avgt 15 13056389.184 ± 132562.496 ns/op
29 ParserBenchmark.parseNestedElements kXML2 avgt 15 36819091.742 ± 300358.967 ns/op
30 ParserBenchmark.parseNestedElements JDKStax avgt 15 868883.676 ± 15697.149 ns/op
31 ParserBenchmark.parseNestedElements Woodstox avgt 15 835465.393 ± 19498.030 ns/op
32 ParserBenchmark.parseNestedElements BEAStax avgt 15 603986.803 ± 2529.449 ns/op
33 ParserBenchmark.parseNestedElements DOM avgt 15 5382390.375 ± 82043.169 ns/op
34 ParserBenchmark.parseNestedElements DOM4J avgt 15 5372787.809 ± 127206.586 ns/op
35 ParserBenchmark.parseNestedElements JDom avgt 15 13598531.633 ± 96889.652 ns/op
36 ParserBenchmark.parseNestedElements JDom2 avgt 15 12503949.903 ± 502488.951 ns/op
37 ParserBenchmark.parseNestedElements Xom avgt 15 5425911.128 ± 23777.824 ns/op
38 ParserBenchmark.parseNestedElements Binary avgt 15 284620.649 ± 1734.011 ns/op
39 ParserBenchmark.parseNestedElements Jettison avgt 15 678187.271 ± 19300.714 ns/op
12 ParserBenchmark.parseBigText MXParser N/A avgt 15 2090782.658 ± 35357.342 ns/op
13 ParserBenchmark.parseBigText Xpp3 N/A avgt 15 2112720.726 ± 16553.078 ns/op
14 ParserBenchmark.parseBigText kXML2 N/A avgt 15 3524809.724 ± 19870.806 ns/op
15 ParserBenchmark.parseBigText JDKStax N/A avgt 15 8377577.926 ± 106615.592 ns/op
16 ParserBenchmark.parseBigText Woodstox N/A avgt 15 2048393.986 ± 17640.070 ns/op
17 ParserBenchmark.parseBigText BEAStax N/A avgt 15 3229409.245 ± 10436.313 ns/op
18 ParserBenchmark.parseBigText DOM N/A avgt 15 10553104.053 ± 149802.579 ns/op
19 ParserBenchmark.parseBigText DOM4J N/A avgt 15 8344385.552 ± 43187.879 ns/op
20 ParserBenchmark.parseBigText JDom N/A avgt 15 6347929.561 ± 15207.545 ns/op
21 ParserBenchmark.parseBigText JDom2 N/A avgt 15 5843003.401 ± 81856.524 ns/op
22 ParserBenchmark.parseBigText Xom N/A avgt 15 7986743.807 ± 76081.180 ns/op
23 ParserBenchmark.parseBigText Binary N/A avgt 15 1111084.176 ± 25347.556 ns/op
24 ParserBenchmark.parseBigText Jettison N/A avgt 15 3617569.912 ± 52394.798 ns/op
25 ParserBenchmark.parseManyChildren MXParser N/A avgt 15 687905.727 ± 736.978 ns/op
26 ParserBenchmark.parseManyChildren Xpp3 N/A avgt 15 701583.341 ± 8292.747 ns/op
27 ParserBenchmark.parseManyChildren kXML2 N/A avgt 15 902275.516 ± 13722.210 ns/op
28 ParserBenchmark.parseManyChildren JDKStax N/A avgt 15 700802.493 ± 1296.971 ns/op
29 ParserBenchmark.parseManyChildren Woodstox N/A avgt 15 592419.675 ± 676.287 ns/op
30 ParserBenchmark.parseManyChildren BEAStax N/A avgt 15 713536.588 ± 9727.196 ns/op
31 ParserBenchmark.parseManyChildren DOM N/A avgt 15 58632015.971 ± 434065.687 ns/op
32 ParserBenchmark.parseManyChildren DOM4J N/A avgt 15 78757514.580 ± 102828.225 ns/op
33 ParserBenchmark.parseManyChildren JDom N/A avgt 15 7102275.757 ± 107146.438 ns/op
34 ParserBenchmark.parseManyChildren JDom2 N/A avgt 15 9827411.961 ± 41027.737 ns/op
35 ParserBenchmark.parseManyChildren Xom N/A avgt 15 33930673.083 ± 35947.337 ns/op
36 ParserBenchmark.parseManyChildren Binary N/A avgt 15 402398.155 ± 6888.370 ns/op
37 ParserBenchmark.parseManyChildren Jettison N/A avgt 15 670870.406 ± 3751.317 ns/op
38 ParserBenchmark.parseNestedElements MXParser N/A avgt 15 12616894.304 ± 19439.058 ns/op
39 ParserBenchmark.parseNestedElements Xpp3 N/A avgt 15 13007586.291 ± 205203.155 ns/op
40 ParserBenchmark.parseNestedElements kXML2 N/A avgt 15 35970087.264 ± 28849.980 ns/op
41 ParserBenchmark.parseNestedElements JDKStax N/A avgt 15 1074253.465 ± 11588.851 ns/op
42 ParserBenchmark.parseNestedElements Woodstox N/A avgt 15 725660.904 ± 11268.905 ns/op
43 ParserBenchmark.parseNestedElements BEAStax N/A avgt 15 648266.777 ± 2120.991 ns/op
44 ParserBenchmark.parseNestedElements DOM N/A avgt 15 5321471.291 ± 2935.512 ns/op
45 ParserBenchmark.parseNestedElements DOM4J N/A avgt 15 5711026.345 ± 145819.473 ns/op
46 ParserBenchmark.parseNestedElements JDom N/A avgt 15 16861677.394 ± 219174.474 ns/op
47 ParserBenchmark.parseNestedElements JDom2 N/A avgt 15 12085612.224 ± 31108.386 ns/op
48 ParserBenchmark.parseNestedElements Xom N/A avgt 15 5788240.908 ± 100434.947 ns/op
49 ParserBenchmark.parseNestedElements Binary N/A avgt 15 315810.980 ± 3522.052 ns/op
50 ParserBenchmark.parseNestedElements Jettison N/A avgt 15 735876.170 ± 904.031 ns/op
0 # JMH version: 1.21
1 # VM version: JDK 11.0.13, OpenJDK 64-Bit Server VM, 11.0.13+8
2 # VM invoker: /opt/openjdk-bin-11.0.13_p8/bin/java
3 # VM options: -Xmx2048m -Xss4m
4 # Warmup: 5 iterations, 10 s each
5 # Measurement: 16 iterations, 10 s each
6 # Timeout: 10 min per iteration
7 # Threads: 4 threads, will synchronize iterations
8 # Benchmark mode: Average time, time/op
9 # Benchmark: com.thoughtworks.xstream.benchmark.jmh.StringConverterBenchmark
10
011 Benchmark Mode Cnt Score Error Units
1 StringConverterBenchmark.intern avgt 16 14262839.973 ± 1233510.125 ns/op
2 StringConverterBenchmark.limitedConcurrentMap avgt 16 10538757.220 ± 20805.104 ns/op
3 StringConverterBenchmark.limitedSynchronizedWeakCache avgt 16 11298773.753 ± 13335.307 ns/op
4 StringConverterBenchmark.nonCaching avgt 16 9796296.611 ± 668511.980 ns/op
5 StringConverterBenchmark.unlimitedConcurrentMap avgt 16 11252298.498 ± 215637.373 ns/op
6 StringConverterBenchmark.unlimitedSynchronizedWeakCache avgt 16 11279714.685 ± 22069.538 ns/op
12 StringConverterBenchmark.intern avgt 16 15280597.717 ± 1118791.550 ns/op
13 StringConverterBenchmark.limitedConcurrentMap avgt 16 10812523.401 ± 713378.073 ns/op
14 StringConverterBenchmark.limitedSynchronizedWeakCache avgt 16 11476639.041 ± 222922.084 ns/op
15 StringConverterBenchmark.nonCaching avgt 16 11982049.168 ± 977812.020 ns/op
16 StringConverterBenchmark.unlimitedConcurrentMap avgt 16 12196204.773 ± 1159163.270 ns/op
17 StringConverterBenchmark.unlimitedSynchronizedWeakCache avgt 16 11346761.846 ± 220066.395 ns/op