protected void setupSecurity() { if (securityMapper == null) { return; } addPermission(AnyTypePermission.ANY); securityInitialized = false; }
/** * Add security permission denying another one. * * @param permission the permission to deny * @since 1.4.7 */ public void denyPermission(TypePermission permission) { addPermission(new NoPermission(permission)); }
/** * Add security permission for explicit types. * * @param types the types to allow * @since 1.4.7 */ public void allowTypes(Class[] types) { addPermission(new ExplicitTypePermission(types)); }
/** * Add security permission for explicit types by name. * * @param names the type names to allow * @since 1.4.7 */ public void allowTypes(String[] names) { addPermission(new ExplicitTypePermission(names)); }
/** * Add security permission for a type hierarchy. * * @param type the base type to allow * @since 1.4.7 */ public void allowTypeHierarchy(Class type) { addPermission(new TypeHierarchyPermission(type)); }
/** * Add security permission for types matching one of the specified regular expressions. * * @param regexps the regular expressions to allow type names * @since 1.4.7 */ public void allowTypesByRegExp(String[] regexps) { addPermission(new RegExpTypePermission(regexps)); }
/** * Add security permission for types matching one of the specified regular expressions. * * @param regexps the regular expressions to allow type names * @since 1.4.7 */ public void allowTypesByRegExp(Pattern[] regexps) { addPermission(new RegExpTypePermission(regexps)); }
/** * Add security permission for types matching one of the specified wildcard patterns. * <p> * Supported are patterns with path expressions using dot as separator: * </p> * <ul> * <li>?: one non-control character except separator, e.g. for 'java.net.Inet?Address'</li> * <li>*: arbitrary number of non-control characters except separator, e.g. for types in a package like 'java.lang.*'</li> * <li>**: arbitrary number of non-control characters including separator, e.g. for types in a package and subpackages like 'java.lang.**'</li> * </ul> * * @param patterns the patterns to allow type names * @since 1.4.7 */ public void allowTypesByWildcard(String[] patterns) { addPermission(new WildcardTypePermission(patterns)); }
static Object readFromXml(InputStream bufferedInput) throws IOException { final XStream xstream = createXStream(false); // see http://x-stream.github.io/security.html // clear out existing permissions and set own ones xstream.addPermission(NoTypePermission.NONE); // allow some basics xstream.addPermission(NullPermission.NULL); xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); xstream.allowTypesByWildcard( new String[] { "java.lang.*", "java.util.*", "java.util.concurrent.*" }); // allow any type from the same package xstream.allowTypesByWildcard(new String[] { PACKAGE_NAME + ".*" }); final InputStreamReader reader = new InputStreamReader(bufferedInput, XML_CHARSET_NAME); try { return xstream.fromXML(reader); } finally { reader.close(); } }
public static XStream getInstance() { XStream xstream = new XStream(new XppDriver() { @Override public HierarchicalStreamWriter createWriter(Writer out) { return new PrettyPrintWriter(out, getNameCoder()) { protected String PREFIX_CDATA = "<![CDATA["; protected String SUFFIX_CDATA = "]]>"; protected String PREFIX_MEDIA_ID = "<MediaId>"; protected String SUFFIX_MEDIA_ID = "</MediaId>"; @Override protected void writeText(QuickWriter writer, String text) { if (text.startsWith(PREFIX_CDATA) && text.endsWith(SUFFIX_CDATA)) { writer.write(text); } else if (text.startsWith(PREFIX_MEDIA_ID) && text.endsWith(SUFFIX_MEDIA_ID)) { writer.write(text); } else { super.writeText(writer, text); } } }; } }); xstream.ignoreUnknownElements(); xstream.setMode(XStream.NO_REFERENCES); xstream.addPermission(NullPermission.NULL); xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); return xstream; }
private XStream getXStream() { XStream xstream = createXStream(); if (classLoader != null) { xstream.setClassLoader(classLoader); if (classLoader instanceof ProjectClassLoader ) { Map<String, byte[]> store = ((ProjectClassLoader) classLoader).getStore(); if (store != null) { String[] classes = store.keySet().stream() .map( s -> s.replace( '/', '.' ) ) .map( s -> s.endsWith( ".class" ) ? s.substring( 0, s.length() - ".class".length() ) : s ) .toArray( String[]::new ); xstream.addPermission( new ExplicitTypePermission( classes ) ); } } } return xstream; }
public XStreamSolutionFileIO(Class... xStreamAnnotatedClasses) { xStream = new XStream(); xStream.setMode(XStream.ID_REFERENCES); xStream.processAnnotations(xStreamAnnotatedClasses); XStream.setupDefaultSecurity(xStream); // Presume the XML file comes from a trusted source so it works out of the box. See class javadoc. xStream.addPermission(new AnyTypePermission()); }
XStream.setupDefaultSecurity(outer); for(int i = 0; i < permissions.length; ++i) { outer.addPermission(permissions[i]);
public static <T> T serializeAndDeserializeWithXStream(T input) { XStream xStream = new XStream(); xStream.setMode(XStream.ID_REFERENCES); if (input != null) { xStream.processAnnotations(input.getClass()); } XStream.setupDefaultSecurity(xStream); xStream.addPermission(new AnyTypePermission()); String xmlString = xStream.toXML(input); return (T) xStream.fromXML(xmlString); }
xstream.addPermission(NoTypePermission.NONE); xstream.addPermission(NullPermission.NULL); xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); xstream.addPermission(ArrayTypePermission.ARRAYS); xstream.addPermission(InterfaceTypePermission.INTERFACES); xstream.allowTypeHierarchy(Calendar.class); xstream.allowTypeHierarchy(Collection.class);
/** * Add security permission for explicit types. * * @param types the types to allow * @since 1.4.7 */ public void allowTypes(final Class<?>... types) { addPermission(new ExplicitTypePermission(types)); }
/** * Add security permission denying another one. * * @param permission the permission to deny * @since 1.4.7 */ public void denyPermission(final TypePermission permission) { addPermission(new NoPermission(permission)); }
/** * Add security permission for a type hierarchy. * * @param type the base type to allow * @since 1.4.7 */ public void allowTypeHierarchy(final Class<?> type) { addPermission(new TypeHierarchyPermission(type)); }
/** * Add security permission for types matching one of the specified regular expressions. * * @param regexps the regular expressions to allow type names * @since 1.4.7 */ public void allowTypesByRegExp(final Pattern... regexps) { addPermission(new RegExpTypePermission(regexps)); }
/** * Add security permission for types matching one of the specified regular expressions. * * @param regexps the regular expressions to allow type names * @since 1.4.7 */ public void allowTypesByRegExp(final String... regexps) { addPermission(new RegExpTypePermission(regexps)); }