[FIXED SECURITY-105] Disabling DynamicProxyConverter.

d030fbba · Jesse Glick · 7541e83c · d030fbba · d030fbba
Showing with 27 addition and 0 deletion

core/src/main/java/hudson/util/XStream2.java core/src/main/java/hudson/util/XStream2.java +11 -0

core/src/test/java/hudson/util/XStream2Test.java core/src/test/java/hudson/util/XStream2Test.java +16 -0

未找到文件。
--- a/core/src/main/java/hudson/util/XStream2.java
+++ b/core/src/main/java/hudson/util/XStream2.java
@@ -29,6 +29,7 @@ import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.mapper.AnnotationMapper;
 import com.thoughtworks.xstream.mapper.Mapper;
 import com.thoughtworks.xstream.mapper.MapperWrapper;
+import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.converters.Converter;
 import com.thoughtworks.xstream.converters.ConverterMatcher;
 import com.thoughtworks.xstream.converters.DataHolder;
@@ -36,6 +37,7 @@ import com.thoughtworks.xstream.converters.MarshallingContext;
 import com.thoughtworks.xstream.converters.SingleValueConverter;
 import com.thoughtworks.xstream.converters.SingleValueConverterWrapper;
 import com.thoughtworks.xstream.converters.UnmarshallingContext;
+import com.thoughtworks.xstream.converters.extended.DynamicProxyConverter;
 import com.thoughtworks.xstream.core.JVM;
 import com.thoughtworks.xstream.io.HierarchicalStreamDriver;
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
@@ -155,6 +157,15 @@ public class XStream2 extends XStream {
        // this should come after all the XStream's default simpler converters,
        // but before reflection-based one kicks in.
        registerConverter(new AssociatedConverterImpl(this), -10);
+
+        registerConverter(new DynamicProxyConverter(getMapper()) { // SECURITY-105 defense
+            @Override public boolean canConvert(Class type) {
+                return /* this precedes NullConverter */ type != null && super.canConvert(type);
+            }
+            @Override public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
+                throw new ConversionException("<dynamic-proxy> not supported");
+            }
+        }, PRIORITY_VERY_HIGH);
    }

    @Override

--- a/core/src/test/java/hudson/util/XStream2Test.java
+++ b/core/src/test/java/hudson/util/XStream2Test.java
@@ -25,6 +25,7 @@ package hudson.util;

 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import com.thoughtworks.xstream.XStreamException;
 import hudson.XmlFile;
 import hudson.matrix.MatrixRun;
 import hudson.model.Result;
@@ -312,6 +313,21 @@ public class XStream2Test extends TestCase {
        assertEquals("def",map.m.get("abc"));
    }

+    public void testDynamicProxyBlocked() throws Exception { // SECURITY-105
+        try {
+            ((Runnable) new XStream2().fromXML("<dynamic-proxy><interface>java.lang.Runnable</interface><handler class='java.beans.EventHandler'><target class='" + Hacked.class.getName() + "'/><action>oops</action></handler></dynamic-proxy>")).run();
+        } catch (XStreamException x) {
+            // good
+        }
+        assertFalse("should never have run that", Hacked.tripped);
+    }
+    public static final class Hacked {
+        static boolean tripped;
+        public void oops() {
+            tripped = true;
+        }
+    }
+
    public void testTrimVersion() throws Exception {
        assertEquals("3.2", XStream2.trimVersion("3.2"));
        assertEquals("3.2.1", XStream2.trimVersion("3.2.1"));