RHBRMS-2784 - XStream: DoS when unmarshalling void type (kiegroup#928)

jbpm-audit/src/main/java/org/jbpm/process/audit/jms/AsyncAuditLogProducer.java

@@ -170,6 +170,8 @@ protected void sendMessage(Object messageContent, Integer eventType) {
             queueSession = queueConnection.createSession(transacted, Session.AUTO_ACKNOWLEDGE);
 
             XStream xstream = new XStream();
+            String[] voidDeny = {"void.class", "Void.class"};
+            xstream.denyTypes(voidDeny);
             String eventXml = xstream.toXML(messageContent);
             TextMessage message = queueSession.createTextMessage(eventXml);
             message.setIntProperty("EventType", eventType);

jbpm-audit/src/main/java/org/jbpm/process/audit/jms/AsyncAuditLogReceiver.java

@@ -67,8 +67,10 @@ public void onMessage(Message message) {
             try {
                 String messageContent = textMessage.getText();
                 Integer eventType = textMessage.getIntProperty("EventType");
-                XStream xstram = new XStream();
-                Object event = xstram.fromXML(messageContent);
+                XStream xstream = new XStream();
+                String[] voidDeny = {"void.class", "Void.class"};
+                xstream.denyTypes(voidDeny);
+                Object event = xstream.fromXML(messageContent);
 
                 switch (eventType) {
                 case AbstractAuditLogger.AFTER_NODE_ENTER_EVENT_TYPE:

jbpm-services/jbpm-kie-services/src/main/java/org/jbpm/kie/services/impl/store/DeploymentStore.java

@@ -52,6 +52,8 @@ public class DeploymentStore {
 	private TransactionalCommandService commandService;
 
 	public DeploymentStore() {
+		String[] voidDeny = {"void.class", "Void.class"};
+		xstream.denyTypes(voidDeny);
 	    this.xstream.registerConverter(new TransientObjectConverter());
 	}