diff --git a/core/src/main/java/hudson/util/XStream2.java b/core/src/main/java/hudson/util/XStream2.java index bfe924e70ab2969956f52b41b13c3facb5a16660..9a514b344973cb6b172d8cce4cf89b70727ab408 100644 --- a/core/src/main/java/hudson/util/XStream2.java +++ b/core/src/main/java/hudson/util/XStream2.java @@ -145,6 +145,9 @@ public class XStream2 extends XStream { // list up types that should be marshalled out like a value, without referential integrity tracking. addImmutableType(Result.class); + // http://www.openwall.com/lists/oss-security/2017/04/03/4 + denyTypes(new Class[] { void.class, Void.class }); + registerConverter(new RobustCollectionConverter(getMapper(),getReflectionProvider()),10); registerConverter(new RobustMapConverter(getMapper()), 10); registerConverter(new ImmutableMapConverter(getMapper(),getReflectionProvider()),10); diff --git a/core/src/test/java/hudson/util/XStream2Test.java b/core/src/test/java/hudson/util/XStream2Test.java index aeb781f6725f722f966c81734c5921ec09de583f..08170e24d4ad89afaddef5f875f45ad6169ae0e3 100644 --- a/core/src/test/java/hudson/util/XStream2Test.java +++ b/core/src/test/java/hudson/util/XStream2Test.java @@ -28,6 +28,7 @@ import static org.junit.Assert.*; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; import com.thoughtworks.xstream.XStreamException; +import com.thoughtworks.xstream.security.ForbiddenClassException; import hudson.XmlFile; import hudson.model.Result; import hudson.model.Run; @@ -296,4 +297,15 @@ public class XStream2Test { assertEquals("3.2.1", XStream2.trimVersion("3.2.1")); assertEquals("3.2-SNAPSHOT", XStream2.trimVersion("3.2-SNAPSHOT (private-09/23/2012 12:26-jhacker)")); } + + @Issue("SECURITY-503") + @Test + public void crashXstream() throws Exception { + try { + new XStream2().fromXML(""); + fail("expected to throw ForbiddenClassException, but why are we still alive?"); + } catch (ForbiddenClassException ex) { + // pass + } + } }