This is an automated email from the ASF dual-hosted git repository. vladimirsitnikov pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jmeter.git
commit 7a729c5cbe760051a841862c080c11949260617d Author: Vladimir Sitnikov <[email protected]> AuthorDate: Fri Oct 31 20:46:51 2025 +0300 chore: add PureJavaReflectionProvider to XStream constructor It might help to prevent XStream Unsafe usage --- src/core/src/main/java/org/apache/jmeter/util/JMeterUtils.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/core/src/main/java/org/apache/jmeter/util/JMeterUtils.java b/src/core/src/main/java/org/apache/jmeter/util/JMeterUtils.java index e5d22a318b..816f2553f7 100644 --- a/src/core/src/main/java/org/apache/jmeter/util/JMeterUtils.java +++ b/src/core/src/main/java/org/apache/jmeter/util/JMeterUtils.java @@ -80,6 +80,7 @@ import org.slf4j.LoggerFactory; import com.github.benmanes.caffeine.cache.Caffeine; import com.github.benmanes.caffeine.cache.LoadingCache; import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider; import com.thoughtworks.xstream.security.AnyTypePermission; import com.thoughtworks.xstream.security.NoTypePermission; @@ -1416,7 +1417,7 @@ public class JMeterUtils implements UnitTestManager { * @return {@link XStream} XStream instance following JMeter security policy */ public static final XStream createXStream() { - XStream xstream = new XStream(); + XStream xstream = new XStream(new PureJavaReflectionProvider()); JMeterUtils.setupXStreamSecurityPolicy(xstream); return xstream; }
