Author: pmouawad Date: Sun Jul 23 14:24:36 2017 New Revision: 1802731 URL: http://svn.apache.org/viewvc?rev=1802731&view=rev Log: Bug 61329 - Warning on console "Security framework of XStream not initialized, XStream is probably vulnerable." Bugzilla Id: 61329
Modified: jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java Modified: jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java URL: http://svn.apache.org/viewvc/jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java?rev=1802731&r1=1802730&r2=1802731&view=diff ============================================================================== --- jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java (original) +++ jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java Sun Jul 23 14:24:36 2017 @@ -87,6 +87,7 @@ public class TemplateManager { return factory; } }); + JMeterUtils.setupXStreamSecurityPolicy(xstream); xstream.alias("template", Template.class); xstream.alias("templates", Templates.class); xstream.useAttributeFor(Template.class, "isTestPlan"); Modified: jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java URL: http://svn.apache.org/viewvc/jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java?rev=1802731&r1=1802730&r2=1802731&view=diff ============================================================================== --- jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java (original) +++ jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java Sun Jul 23 14:24:36 2017 
@@ -114,6 +114,8 @@ public class SaveService { private static final XStream JTLSAVER = new XStreamWrapper(new PureJavaReflectionProvider()); static { JTLSAVER.setMode(XStream.NO_REFERENCES); // This is needed to stop XStream keeping copies of each class + JMeterUtils.setupXStreamSecurityPolicy(JMXSAVER); + JMeterUtils.setupXStreamSecurityPolicy(JTLSAVER); } // The XML header, with placeholder for encoding, since that is controlled by property Modified: jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java URL: http://svn.apache.org/viewvc/jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java?rev=1802731&r1=1802730&r2=1802731&view=diff ============================================================================== --- jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java (original) +++ jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java Sun Jul 23 14:24:36 2017 @@ -69,6 +69,10 @@ import org.apache.oro.text.regex.Perl5Ma import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.security.AnyTypePermission; +import com.thoughtworks.xstream.security.NoTypePermission; + /** * This class contains the static utility methods used by JMeter. * 
@@ -1250,4 +1254,17 @@ public class JMeterUtils implements Unit } } } + + /** + * Setup default security policy + * @param xstream {@link XStream} + */ + public static void setupXStreamSecurityPolicy(XStream xstream) { + // This will lift the insecure warning + xstream.addPermission(NoTypePermission.NONE); + // We reapply very permissive policy + // See https://groups.google.com/forum/#!topic/xstream-user/wiKfdJPL8aY + // TODO : How much are we concerned by CVE-2013-7285 + xstream.addPermission(AnyTypePermission.ANY); + } } Modified: jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java URL: http://svn.apache.org/viewvc/jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java?rev=1802731&r1=1802730&r2=1802731&view=diff ============================================================================== --- jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java (original) +++ jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java Sun Jul 23 14:24:36 2017 @@ -29,6 +29,7 @@ import javax.xml.stream.XMLStreamExcepti import javax.xml.stream.XMLStreamReader; import org.apache.jmeter.protocol.jms.sampler.PublisherSampler; +import org.apache.jmeter.util.JMeterUtils; import com.github.benmanes.caffeine.cache.Cache; import com.thoughtworks.xstream.XStream; @@ -66,6 +67,7 @@ class ObjectMessageRenderer implements M Serializable readObject = null; try { XStream xstream = new XStream(); + JMeterUtils.setupXStreamSecurityPolicy(xstream); readObject = (Serializable) xstream.fromXML(xmlMessage, readObject); } catch (Exception e) { throw new IllegalStateException("Unable to load object instance from text", e);
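Review bot: In setupXStreamSecurityPolicy the second call, `xstream.addPermission(AnyTypePermission.ANY)`, re-opens the policy that `NoTypePermission.NONE` just closed, so the net result is an allow-every-type policy that silences the "not initialized" warning without addressing what it warns about, as the TODO on CVE-2013-7285 already admits. Because the same helper is now applied to the JMX/JTL savers (SaveService hunk), the template loader (TemplateManager hunk) and the JMS ObjectMessageRenderer, which calls `fromXML` on message text, every XStream entry point touched by this commit inherits the same unrestricted policy. The Javadoc should say so plainly rather than "Setup default security policy", e.g. `Permits every type (equivalent to XStream's unrestricted behaviour); this only suppresses the XStream security warning and does not restrict deserialisation.` A real policy would keep `NoTypePermission.NONE` and replace the ANY permission with an allowlist via `allowTypes`/`allowTypesByWildcard`/`allowTypeHierarchy` for the types JMeter actually writes to JMX, JTL and template files; that set is not visible here and would need to be confirmed against the writers before narrowing. The enclosing JMeterUtils class starts outside the hunk.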