Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
xxadev
jenkins
提交
d030fbba
J
jenkins
项目概览
xxadev
/
jenkins
与 Fork 源项目一致
从无法访问的项目Fork
通知
3
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
J
jenkins
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
d030fbba
编写于
2月 12, 2014
作者:
J
Jesse Glick
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
[FIXED SECURITY-105] Disabling DynamicProxyConverter.
上级
7541e83c
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
27 addition
and
0 deletion
+27
-0
core/src/main/java/hudson/util/XStream2.java
core/src/main/java/hudson/util/XStream2.java
+11
-0
core/src/test/java/hudson/util/XStream2Test.java
core/src/test/java/hudson/util/XStream2Test.java
+16
-0
未找到文件。
core/src/main/java/hudson/util/XStream2.java
浏览文件 @
d030fbba
...
...
@@ -29,6 +29,7 @@ import com.thoughtworks.xstream.XStream;
import
com.thoughtworks.xstream.mapper.AnnotationMapper
;
import
com.thoughtworks.xstream.mapper.Mapper
;
import
com.thoughtworks.xstream.mapper.MapperWrapper
;
import
com.thoughtworks.xstream.converters.ConversionException
;
import
com.thoughtworks.xstream.converters.Converter
;
import
com.thoughtworks.xstream.converters.ConverterMatcher
;
import
com.thoughtworks.xstream.converters.DataHolder
;
...
...
@@ -36,6 +37,7 @@ import com.thoughtworks.xstream.converters.MarshallingContext;
import
com.thoughtworks.xstream.converters.SingleValueConverter
;
import
com.thoughtworks.xstream.converters.SingleValueConverterWrapper
;
import
com.thoughtworks.xstream.converters.UnmarshallingContext
;
import
com.thoughtworks.xstream.converters.extended.DynamicProxyConverter
;
import
com.thoughtworks.xstream.core.JVM
;
import
com.thoughtworks.xstream.io.HierarchicalStreamDriver
;
import
com.thoughtworks.xstream.io.HierarchicalStreamReader
;
...
...
@@ -155,6 +157,15 @@ public class XStream2 extends XStream {
// this should come after all the XStream's default simpler converters,
// but before reflection-based one kicks in.
registerConverter
(
new
AssociatedConverterImpl
(
this
),
-
10
);
registerConverter
(
new
DynamicProxyConverter
(
getMapper
())
{
// SECURITY-105 defense
@Override
public
boolean
canConvert
(
Class
type
)
{
return
/* this precedes NullConverter */
type
!=
null
&&
super
.
canConvert
(
type
);
}
@Override
public
Object
unmarshal
(
HierarchicalStreamReader
reader
,
UnmarshallingContext
context
)
{
throw
new
ConversionException
(
"<dynamic-proxy> not supported"
);
}
},
PRIORITY_VERY_HIGH
);
}
@Override
...
...
core/src/test/java/hudson/util/XStream2Test.java
浏览文件 @
d030fbba
...
...
@@ -25,6 +25,7 @@ package hudson.util;
import
com.google.common.collect.ImmutableList
;
import
com.google.common.collect.ImmutableMap
;
import
com.thoughtworks.xstream.XStreamException
;
import
hudson.XmlFile
;
import
hudson.matrix.MatrixRun
;
import
hudson.model.Result
;
...
...
@@ -312,6 +313,21 @@ public class XStream2Test extends TestCase {
assertEquals
(
"def"
,
map
.
m
.
get
(
"abc"
));
}
public
void
testDynamicProxyBlocked
()
throws
Exception
{
// SECURITY-105
try
{
((
Runnable
)
new
XStream2
().
fromXML
(
"<dynamic-proxy><interface>java.lang.Runnable</interface><handler class='java.beans.EventHandler'><target class='"
+
Hacked
.
class
.
getName
()
+
"'/><action>oops</action></handler></dynamic-proxy>"
)).
run
();
}
catch
(
XStreamException
x
)
{
// good
}
assertFalse
(
"should never have run that"
,
Hacked
.
tripped
);
}
public
static
final
class
Hacked
{
static
boolean
tripped
;
public
void
oops
()
{
tripped
=
true
;
}
}
public
void
testTrimVersion
()
throws
Exception
{
assertEquals
(
"3.2"
,
XStream2
.
trimVersion
(
"3.2"
));
assertEquals
(
"3.2.1"
,
XStream2
.
trimVersion
(
"3.2.1"
));
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录