Prevent deserialization of void.

x-stream · Apr 3, 2017 · b3570be · b3570be
1 parent 228004b
commit b3570be
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 13 deletions.
diff --git a/...va/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/...va/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004, 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
  * All rights reserved.
  *
  * Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
@@ -80,14 +80,18 @@ public Object newInstance(final Class<?> type) {
             throw ex;
         }
         ErrorWritingException ex = null;
-        try {
-            return unsafe.allocateInstance(type);
-        } catch (final SecurityException e) {
-            ex = new ObjectAccessException("Cannot construct type", e);
-        } catch (final InstantiationException e) {
-            ex = new ConversionException("Cannot construct type", e);
-        } catch (final IllegalArgumentException e) {
-            ex = new ObjectAccessException("Cannot construct type", e);
+        if (type == void.class || type == Void.class) {
+            ex = new ConversionException("Type void cannot have an instance");
+        } else {
+            try {
+                return unsafe.allocateInstance(type);
+            } catch (final SecurityException e) {
+                ex = new ObjectAccessException("Cannot construct type", e);
+            } catch (final InstantiationException e) {
+                ex = new ConversionException("Cannot construct type", e);
+            } catch (final IllegalArgumentException e) {
+                ex = new ObjectAccessException("Cannot construct type", e);
+            }
         }
         ex.add("construction-type", type.getName());
         throw ex;

diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 XStream Committers.
+ * Copyright (C) 2014, 2017 XStream Committers.
  * All rights reserved.
  *
  * Created on 09. January 2014 by Joerg Schaible
@@ -8,8 +8,9 @@
 
 import com.thoughtworks.xstream.core.util.Primitives;
 
+
 /**
- * Permission for any primitive type and its boxed counterpart (incl. void).
+ * Permission for any primitive type and its boxed counterpart (excl. void).
  * 
  * @author J&ouml;rg Schaible
  * @since 1.4.7
@@ -22,7 +23,8 @@ public class PrimitiveTypePermission implements TypePermission {
 
     @Override
     public boolean allows(Class<?> type) {
-        return type != null && type.isPrimitive() || Primitives.isBoxed(type);
+        return type != null && type != void.class && type != Void.class && type.isPrimitive()
+            || Primitives.isBoxed(type);
     }
 
     @Override

diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2014 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -13,9 +13,12 @@
 import java.beans.EventHandler;
 
 import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
 import com.thoughtworks.xstream.security.ProxyTypePermission;
 
+
 /**
  * @author J&ouml;rg Schaible
  */
@@ -80,4 +83,23 @@ public void exec() {
             BUFFER.append("Executed!");
         }
     }
+
+    public void testDeniedInstanceOfVoid() {
+        try {
+            xstream.fromXML("<void/>");
+            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
+        } catch (final ForbiddenClassException e) {
+            // OK
+        }
+    }
+
+    public void testAllowedInstanceOfVoid() {
+        xstream.allowTypes(void.class, Void.class);
+        try {
+            xstream.fromXML("<void/>");
+            fail("Thrown " + ConversionException.class.getName() + " expected");
+        } catch (final ConversionException e) {
+            assertEquals("void", e.get("construction-type"));
+        }
+    }
 }