JBEHAVE-1432 Configured XStream default security

jbehave · Jan 17, 2021 · 4ac7645 · 4ac7645
1 parent 82d196c
commit 4ac7645
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 11 deletions.
diff --git a/jbehave-core/pom.xml b/jbehave-core/pom.xml
@@ -66,7 +66,7 @@
     <dependency>
       <groupId>com.thoughtworks.xstream</groupId>
       <artifactId>xstream</artifactId>
-      <version>1.4.14</version>
+      <version>1.4.15</version>
     </dependency>
     <dependency>
       <groupId>javax.inject</groupId>

diff --git a/jbehave-core/src/main/java/org/jbehave/core/reporters/CrossReference.java b/jbehave-core/src/main/java/org/jbehave/core/reporters/CrossReference.java
@@ -7,6 +7,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import com.thoughtworks.xstream.security.AnyTypePermission;
 import org.jbehave.core.embedder.MatchingStepMonitor.StepMatch;
 import org.jbehave.core.embedder.PerformableTree.ExamplePerformableScenario;
 import org.jbehave.core.embedder.PerformableTree.NormalPerformableScenario;
@@ -103,6 +104,8 @@ private XStream xstream(String format) {
 	}
 
 	private void configure(XStream xstream) {
+		XStream.setupDefaultSecurity(xstream);
+		xstream.addPermission(AnyTypePermission.ANY);
 		xstream.setMode(XStream.NO_REFERENCES);
 		xstream.alias("xref", XRef.class);
 		xstream.alias(name.toLowerCase(), PerformableRoot.class);

diff --git a/jbehave-rest/src/main/java/org/jbehave/core/io/rest/confluence/Confluence.java b/jbehave-rest/src/main/java/org/jbehave/core/io/rest/confluence/Confluence.java
@@ -4,6 +4,7 @@
 
 import java.util.List;
 
+import com.thoughtworks.xstream.security.AnyTypePermission;
 import org.jbehave.core.io.rest.RESTClient;
 
 import com.thoughtworks.xstream.XStream;
@@ -35,16 +36,18 @@ public Page loadPage(String pageUrl, boolean expanded) {
     }
 
     protected XStream configureXStream() {
-        XStream stream = new XStream();
-        stream.addImplicitCollection(Page.class, "link");
-        stream.alias("results", Results.class);
-        stream.alias("result", Page.class);
-        stream.alias("content", Page.class);
-        stream.alias("link", Link.class);
-        stream.useAttributeFor(Link.class, "rel");
-        stream.useAttributeFor(Link.class, "href");
-        stream.ignoreUnknownElements();
-        return stream;
+        XStream xstream = new XStream();
+        XStream.setupDefaultSecurity(xstream);
+        xstream.addPermission(AnyTypePermission.ANY);
+        xstream.addImplicitCollection(Page.class, "link");
+        xstream.alias("results", Results.class);
+        xstream.alias("result", Page.class);
+        xstream.alias("content", Page.class);
+        xstream.alias("link", Link.class);
+        xstream.useAttributeFor(Link.class, "rel");
+        xstream.useAttributeFor(Link.class, "href");
+        xstream.ignoreUnknownElements();
+        return xstream;
     }
 
     public static class Results {

diff --git a/jbehave-rest/src/main/java/org/jbehave/core/io/rest/redmine/LoadFromRedmine.java b/jbehave-rest/src/main/java/org/jbehave/core/io/rest/redmine/LoadFromRedmine.java
@@ -1,5 +1,6 @@
 package org.jbehave.core.io.rest.redmine;
 
+import com.thoughtworks.xstream.security.AnyTypePermission;
 import org.jbehave.core.io.rest.LoadFromREST;
 import org.jbehave.core.io.rest.RESTClient.Type;
 
@@ -38,6 +39,8 @@ protected String text(String entity, Type type) {
 					WikiPage.class).text;
 		case XML:
 			XStream xstream = new XStream();
+			XStream.setupDefaultSecurity(xstream);
+			xstream.addPermission(AnyTypePermission.ANY);
 			xstream.alias("wiki_page", WikiPage.class);
 			xstream.ignoreUnknownElements();
 			return ((WikiPage) xstream.fromXML(entity)).text;

diff --git a/jbehave-rest/src/main/java/org/jbehave/core/io/rest/xwiki/LoadFromXWiki.java b/jbehave-rest/src/main/java/org/jbehave/core/io/rest/xwiki/LoadFromXWiki.java
@@ -2,6 +2,7 @@
 
 import static java.text.MessageFormat.format;
 
+import com.thoughtworks.xstream.security.AnyTypePermission;
 import org.jbehave.core.io.rest.LoadFromREST;
 import org.jbehave.core.io.rest.RESTClient.Type;
 
@@ -36,6 +37,8 @@ protected String text(String entity, Type type) {
 			return gson.fromJson(entity, Page.class).content;
 		case XML:
 			XStream xstream = new XStream();
+			XStream.setupDefaultSecurity(xstream);
+			xstream.addPermission(AnyTypePermission.ANY);
 			xstream.alias("page", Page.class);
 			xstream.ignoreUnknownElements();
 			return ((Page) xstream.fromXML(entity)).content;

diff --git a/jbehave-rest/src/main/java/org/jbehave/core/io/rest/xwiki/UploadToXWiki.java b/jbehave-rest/src/main/java/org/jbehave/core/io/rest/xwiki/UploadToXWiki.java
@@ -1,5 +1,6 @@
 package org.jbehave.core.io.rest.xwiki;
 
+import com.thoughtworks.xstream.security.AnyTypePermission;
 import org.jbehave.core.io.rest.RESTClient.Type;
 import org.jbehave.core.io.rest.Resource;
 import org.jbehave.core.io.rest.UploadToREST;
@@ -34,6 +35,8 @@ protected String entity(Resource resource, Type type) {
 		case XML:
 			page.xmlns = "http://www.xwiki.org";
 			XStream xstream = new XStream();
+			XStream.setupDefaultSecurity(xstream);
+			xstream.addPermission(AnyTypePermission.ANY);
 			xstream.alias("page", Page.class);
 			xstream.useAttributeFor(Page.class, "xmlns");
             xstream.aliasField("xmlns", Page.class, "xmlns");