Pull request #706: Bugfix/ROCKSOLID-10865 adding XStream denylist rec…

…ommendations

Merge in MC/connect from bugfix/ROCKSOLID-10865-switch-xstream-to-use-whitelist-for-api-serialization to development

* commit 'e0d2eac8db982cc5e5bc9fc9f0dc1d93816cb6ab':
  Now including Java 9+ JVM options by default.
  Fixing unit test.
  Adding XStream recommendations to denylist.

client/Mirth Connect Client.launch

@@ -1,16 +1,18 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <launchConfiguration type="org.eclipse.jdt.launching.localJavaApplication">
-<listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_PATHS">
-<listEntry value="/Client/src/com/mirth/connect/client/ui/Mirth.java"/>
-</listAttribute>
-<listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_TYPES">
-<listEntry value="1"/>
-</listAttribute>
-<listAttribute key="org.eclipse.debug.ui.favoriteGroups">
-<listEntry value="org.eclipse.debug.ui.launchGroup.debug"/>
-<listEntry value="org.eclipse.debug.ui.launchGroup.run"/>
-</listAttribute>
-<stringAttribute key="org.eclipse.jdt.launching.MAIN_TYPE" value="com.mirth.connect.client.ui.Mirth"/>
-<stringAttribute key="org.eclipse.jdt.launching.PROGRAM_ARGUMENTS" value="https://localhost:8443 0.0.0 admin admin"/>
-<stringAttribute key="org.eclipse.jdt.launching.PROJECT_ATTR" value="Client"/>
+    <listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_PATHS">
+        <listEntry value="/Client/src/com/mirth/connect/client/ui/Mirth.java"/>
+    </listAttribute>
+    <listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_TYPES">
+        <listEntry value="1"/>
+    </listAttribute>
+    <listAttribute key="org.eclipse.debug.ui.favoriteGroups">
+        <listEntry value="org.eclipse.debug.ui.launchGroup.debug"/>
+        <listEntry value="org.eclipse.debug.ui.launchGroup.run"/>
+    </listAttribute>
+    <stringAttribute key="org.eclipse.jdt.launching.MAIN_TYPE" value="com.mirth.connect.client.ui.Mirth"/>
+    <stringAttribute key="org.eclipse.jdt.launching.MODULE_NAME" value="Client"/>
+    <stringAttribute key="org.eclipse.jdt.launching.PROGRAM_ARGUMENTS" value="https://localhost:8443 0.0.0 admin admin"/>
+    <stringAttribute key="org.eclipse.jdt.launching.PROJECT_ATTR" value="Client"/>
+    <stringAttribute key="org.eclipse.jdt.launching.VM_ARGUMENTS" value="-Dcom.sun.webkit.useHTTP2Loader=false&#10;--add-modules=java.sql.rowset,javafx.controls,javafx.fxml&#10;--add-exports=java.base/com.sun.crypto.provider=ALL-UNNAMED&#10;--add-exports=java.base/sun.security.provider=ALL-UNNAMED&#10;--add-opens=java.base/java.lang=ALL-UNNAMED&#10;--add-opens=java.base/java.lang.reflect=ALL-UNNAMED&#10;--add-opens=java.base/java.math=ALL-UNNAMED&#10;--add-opens=java.base/java.net=ALL-UNNAMED&#10;--add-opens=java.base/java.io=ALL-UNNAMED&#10;--add-opens=java.base/java.security=ALL-UNNAMED&#10;--add-opens=java.base/java.security.cert=ALL-UNNAMED&#10;--add-opens=java.base/java.text=ALL-UNNAMED&#10;--add-opens=java.base/java.util=ALL-UNNAMED&#10;--add-opens=java.base/java.util.concurrent=ALL-UNNAMED&#10;--add-opens=java.base/sun.security.pkcs=ALL-UNNAMED&#10;--add-opens=java.base/sun.security.rsa=ALL-UNNAMED&#10;--add-opens=java.base/sun.security.x509=ALL-UNNAMED&#10;--add-opens=java.desktop/com.apple.eawt=ALL-UNNAMED&#10;--add-opens=java.desktop/com.apple.eio=ALL-UNNAMED&#10;--add-opens=java.desktop/java.awt=ALL-UNNAMED&#10;--add-opens=java.desktop/java.awt.color=ALL-UNNAMED&#10;--add-opens=java.desktop/java.awt.font=ALL-UNNAMED&#10;--add-opens=java.desktop/javax.swing=ALL-UNNAMED&#10;--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED"/>
 </launchConfiguration>

donkey/src/main/java/com/mirth/connect/donkey/util/xstream/XStreamSerializer.java

@@ -72,6 +72,21 @@ protected MapperWrapper wrapMapper(MapperWrapper next) {
          */
         xstream.addPermission(AnyTypePermission.ANY);
 
+        // Including all blacklist recommendations from XStream
+        // @formatter:off
+        xstream.denyTypesByWildcard(new String[]{ "sun.reflect.**", "sun.tracing.**", "com.sun.corba.**" });
+        xstream.denyTypesByRegExp(new String[]{ ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|or)", ".*\\$URLData", ".*\\.xsltc\\.trax\\.TemplatesImpl" });
+        xstream.denyTypesByRegExp(new String[]{ ".*\\.Lazy(?:Search)?Enumeration.*", "(?:java|sun)\\.rmi\\..*" });
+        xstream.denyTypes(new String[]{ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" });
+        xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "(javax|sun.swing)\\..*LazyValue", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader" });
+        xstream.denyTypeHierarchy(java.io.InputStream.class );
+        xstream.denyTypeHierarchy(java.nio.channels.Channel.class );
+        xstream.denyTypeHierarchy(javax.activation.DataSource.class );
+        xstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class );
+        xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
+        xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
+        // @formatter:on
+
         if (classLoader != null) {
             xstream.setClassLoader(classLoader);
         }

server/Mirth Connect Server.launch

@@ -1,17 +1,18 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <launchConfiguration type="org.eclipse.jdt.launching.localJavaApplication">
-<stringAttribute key="bad_container_name" value="\Server\eclipse-runconfig"/>
-<listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_PATHS">
-<listEntry value="/Server/src/com/mirth/connect/server/Mirth.java"/>
-</listAttribute>
-<listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_TYPES">
-<listEntry value="1"/>
-</listAttribute>
-<listAttribute key="org.eclipse.debug.ui.favoriteGroups">
-<listEntry value="org.eclipse.debug.ui.launchGroup.debug"/>
-<listEntry value="org.eclipse.debug.ui.launchGroup.run"/>
-</listAttribute>
-<stringAttribute key="org.eclipse.jdt.launching.MAIN_TYPE" value="com.mirth.connect.server.Mirth"/>
-<stringAttribute key="org.eclipse.jdt.launching.PROJECT_ATTR" value="Server"/>
-<stringAttribute key="org.eclipse.jdt.launching.VM_ARGUMENTS" value="-Xmx512m&#10;-Djava.awt.headless=true&#10;-Dapple.awt.UIElement=true"/>
+    <stringAttribute key="bad_container_name" value="\Server\eclipse-runconfig"/>
+    <listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_PATHS">
+        <listEntry value="/Server/src/com/mirth/connect/server/Mirth.java"/>
+    </listAttribute>
+    <listAttribute key="org.eclipse.debug.core.MAPPED_RESOURCE_TYPES">
+        <listEntry value="1"/>
+    </listAttribute>
+    <listAttribute key="org.eclipse.debug.ui.favoriteGroups">
+        <listEntry value="org.eclipse.debug.ui.launchGroup.debug"/>
+        <listEntry value="org.eclipse.debug.ui.launchGroup.run"/>
+    </listAttribute>
+    <stringAttribute key="org.eclipse.jdt.launching.MAIN_TYPE" value="com.mirth.connect.server.Mirth"/>
+    <stringAttribute key="org.eclipse.jdt.launching.MODULE_NAME" value="Server"/>
+    <stringAttribute key="org.eclipse.jdt.launching.PROJECT_ATTR" value="Server"/>
+    <stringAttribute key="org.eclipse.jdt.launching.VM_ARGUMENTS" value="-Xmx512m&#10;-Djava.awt.headless=true&#10;-Dapple.awt.UIElement=true&#10;--add-modules=java.sql.rowset&#10;--add-exports=java.base/com.sun.crypto.provider=ALL-UNNAMED&#10;--add-exports=java.base/sun.security.provider=ALL-UNNAMED&#10;--add-opens=java.base/java.lang=ALL-UNNAMED&#10;--add-opens=java.base/java.lang.reflect=ALL-UNNAMED&#10;--add-opens=java.base/java.math=ALL-UNNAMED&#10;--add-opens=java.base/java.net=ALL-UNNAMED&#10;--add-opens=java.base/java.security=ALL-UNNAMED&#10;--add-opens=java.base/java.security.cert=ALL-UNNAMED&#10;--add-opens=java.base/java.text=ALL-UNNAMED&#10;--add-opens=java.base/java.util=ALL-UNNAMED&#10;--add-opens=java.base/sun.security.pkcs=ALL-UNNAMED&#10;--add-opens=java.base/sun.security.rsa=ALL-UNNAMED&#10;--add-opens=java.base/sun.security.x509=ALL-UNNAMED&#10;--add-opens=java.desktop/java.awt=ALL-UNNAMED&#10;--add-opens=java.desktop/java.awt.color=ALL-UNNAMED&#10;--add-opens=java.desktop/java.awt.font=ALL-UNNAMED&#10;--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED"/>
 </launchConfiguration>

server/docs/README.txt

@@ -56,9 +56,11 @@ You may also notice a security warning when starting the administrator (dialog b
 4. Running Mirth Connect in Java 9 or greater
 ==================================================
 
-In order to run Mirth Connect in Java 9 or greater, copy the options from /docs/mcservice-java9+.vmoptions and append them to either mcserver.vmoptions or mcservice.vmoptions, depending on your deployment. Then restart Mirth Connect.
+When running Mirth Connect in Java 9+, there are separate JVM options that need to be set.
 
-To run the Mirth Connect Command Line Interface, create a new file named mccommand.vmoptions in the Mirth Connect root directory. Copy all of the options from /docs/mcservice-java9+.vmoptions into mccommand.vmoptions and save before launching the Command Line Interface.
+As of version 4.4, these options will be automatically included in the Java command string as needed, when running mcserver, mcservice, or mccommand.
+
+If you are running Mirth Connect manually with your own Java command string, and you are using Java 9+, then make sure to include the options from /docs/mcservice-java9+.vmoptions.
 
 
 5. More Information

server/src/com/mirth/connect/model/converters/ObjectXMLSerializer.java

@@ -17,6 +17,7 @@
 import java.util.List;
 import java.util.Set;
 
+import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -226,6 +227,23 @@ public String getNormalizedVersion() {
         return normalizedVersion;
     }
 
+    public void denyTypes(List<String> types, List<String> wildcardTypes) {
+        if (CollectionUtils.isNotEmpty(types)) {
+            String[] typesArray = types.toArray(new String[types.size()]);
+            getXStream().denyTypes(typesArray);
+            if (instanceWithReferences != null) {
+                instanceWithReferences.getXStream().denyTypes(typesArray);
+            }
+        }
+        if (CollectionUtils.isNotEmpty(wildcardTypes)) {
+            String[] wildcardTypesArray = wildcardTypes.toArray(new String[wildcardTypes.size()]);
+            getXStream().denyTypesByWildcard(wildcardTypesArray);
+            if (instanceWithReferences != null) {
+                instanceWithReferences.getXStream().denyTypesByWildcard(wildcardTypesArray);
+            }
+        }
+    }
+
     @Override
     public String serialize(Object object) {
         try {

server/src/com/mirth/connect/server/controllers/DefaultConfigurationController.java

@@ -190,6 +190,7 @@ public class DefaultConfigurationController extends ConfigurationController {
     private static final String STATS_UPDATE_INTERVAL = "donkey.statsupdateinterval";
     private static final String RHINO_LANGUAGE_VERSION = "rhino.languageversion";
     private static final String SERVER_STARTUP_LOCK_SLEEP = "server.startuplocksleep";
+    private static final String XSTREAM_DENY_TYPES = "xstream.denytypes";
 
     private static final String DEFAULT_STOREPASS = "81uWxplDtB";
 
@@ -401,6 +402,22 @@ public void initialize() {
             }
 
             startupLockSleep = NumberUtils.toInt(mirthConfig.getString(SERVER_STARTUP_LOCK_SLEEP), 0);
+
+            String[] xstreamDenyTypesArray = mirthConfig.getStringArray(XSTREAM_DENY_TYPES);
+            if (ArrayUtils.isNotEmpty(xstreamDenyTypesArray)) {
+                List<String> denyTypes = new ArrayList<String>();
+                List<String> denyWildcards = new ArrayList<String>();
+                for (String denyType : xstreamDenyTypesArray) {
+                    if (StringUtils.isNotBlank(denyType)) {
+                        if (StringUtils.contains(denyType, "*")) {
+                            denyWildcards.add(denyType);
+                        } else {
+                            denyTypes.add(denyType);
+                        }
+                    }
+                }
+                ObjectXMLSerializer.getInstance().denyTypes(denyTypes, denyWildcards);
+            }
         } catch (Exception e) {
             logger.error("Failed to initialize configuration controller", e);
         } finally {

server/test/com/mirth/connect/model/converters/ObjectXMLSerializerTest.java

@@ -18,7 +18,9 @@
 import com.mirth.connect.client.core.Version;
 import com.mirth.connect.donkey.model.message.ConnectorMessage;
 import com.mirth.connect.donkey.model.message.MapContent;
-import com.mirth.connect.server.userutil.MirthCachedRowSet;
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.xml.Xpp3Driver;
+import com.thoughtworks.xstream.security.AnyTypePermission;
 
 public class ObjectXMLSerializerTest {
 
@@ -35,7 +37,10 @@ public static void setup() throws Exception {
     public void testInvalidMapContent() throws Exception {
         ConnectorMessage connectorMessage = new ConnectorMessage();
         Map<String, Object> map = new HashMap<String, Object>();
-        map.put("key", ObjectXMLSerializer.getInstance().deserialize(CACHED_ROW_SET_XML, MirthCachedRowSet.class));
+        // Manually allow all types here to deserialize an invalid value
+        XStream xstream = new XStream(new Xpp3Driver());
+        xstream.addPermission(AnyTypePermission.ANY);
+        map.put("key", xstream.fromXML(CACHED_ROW_SET_XML));
         connectorMessage.setChannelMapContent(new MapContent(map, true));
 
         // Shouldn't cause any errors