Allow all types on the defaultSerializer

Allow all types on the defaultSerializer, by allowing all implementation of Object. Log a warning for the user that this isn't secure at all! #1917
AxonFramework · Oct 1, 2021 · 0dafd59 · 0dafd59
1 parent 4b042e9
commit 0dafd59
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/messaging/src/main/java/org/axonframework/serialization/xml/XStreamSerializer.java b/messaging/src/main/java/org/axonframework/serialization/xml/XStreamSerializer.java
@@ -27,11 +27,14 @@
 import org.axonframework.serialization.Converter;
 import org.axonframework.serialization.RevisionResolver;
 import org.axonframework.serialization.SerializedObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.ByteArrayOutputStream;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.OutputStreamWriter;
+import java.lang.invoke.MethodHandles;
 import java.nio.charset.Charset;
 
 /**
@@ -48,6 +51,8 @@
  */
 public class XStreamSerializer extends AbstractXStreamSerializer {
 
+    private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
     /**
      * Instantiate a Builder to be able to create a {@link XStreamSerializer}.
      * <p>
@@ -91,14 +96,17 @@ public static Builder builder() {
      *
      * @return a {@link XStreamSerializer}
      * @deprecated in favor of using the {@link #builder()} to construct an instance using a configured {@code XStream}
-     * instance. Using this shorthand still works, but will use an {@code XStream} instance that is unaware of the
-     * user's types that should be de-/serialized. XStream expects the types or wildcards for the types to be defined to
-     * ensure the application stays secure. As such, it is <b>highly recommended</b> to follow their recommended
-     * approach.
+     * instance. Using this shorthand still works, but will use an {@code XStream} instance that <b>allows
+     * everything</b>. Although this works, XStream expects the types or wildcards for the types to be defined to ensure
+     * the application stays secure. As such, it is <b>highly recommended</b> to follow their recommended approach.
      */
     @Deprecated
     public static XStreamSerializer defaultSerializer() {
-        return builder().xStream(new XStream(new CompactDriver()))
+        logger.warn("An unsecured XStream instance allowing all types is used. "
+                            + "It is strongly recommended to set the security context yourself instead!");
+        XStream xStream = new XStream(new CompactDriver());
+        xStream.allowTypeHierarchy(Object.class);
+        return builder().xStream(xStream)
                         .build();
     }