/**
 * Registers a permission that forbids every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 * The allowing counterpart is {@link #allowTypesByWildcard(String[])}.
 *
 * @param patterns the wildcard patterns of the type names to forbid
 * @since 1.4.7
 */
public void denyTypesByWildcard(String[] patterns) {
    // The same wildcard permission type is used for allowing; handing it to
    // denyPermission turns the match into a prohibition.
    final WildcardTypePermission forbidden = new WildcardTypePermission(patterns);
    denyPermission(forbidden);
}
/**
 * Registers a permission that allows every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 * Because {@code **} descends into every subpackage, a pattern such as 'java.**' allows the whole tree below that
 * root; keep patterns as narrow as the use case permits. The forbidding counterpart is
 * {@link #denyTypesByWildcard(String[])}.
 *
 * @param patterns the wildcard patterns of the type names to allow
 * @since 1.4.7
 */
public void allowTypesByWildcard(String[] patterns) {
    final WildcardTypePermission allowed = new WildcardTypePermission(patterns);
    addPermission(allowed);
}
/**
 * Registers a permission that forbids every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 * The allowing counterpart is {@link #allowTypesByWildcard(String[])}.
 *
 * @param patterns the wildcard patterns of the type names to forbid
 * @since 1.4.7
 */
public void denyTypesByWildcard(String[] patterns) {
    // The same wildcard permission type is used for allowing; handing it to
    // denyPermission turns the match into a prohibition.
    final WildcardTypePermission forbidden = new WildcardTypePermission(patterns);
    denyPermission(forbidden);
}
/**
 * Registers a permission that allows every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 * Because {@code **} descends into every subpackage, a pattern such as 'java.**' allows the whole tree below that
 * root; keep patterns as narrow as the use case permits. The forbidding counterpart is
 * {@link #denyTypesByWildcard(String[])}.
 *
 * @param patterns the wildcard patterns of the type names to allow
 * @since 1.4.7
 */
public void allowTypesByWildcard(String[] patterns) {
    final WildcardTypePermission allowed = new WildcardTypePermission(patterns);
    addPermission(allowed);
}
/**
 * Registers a permission that allows every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 * Because {@code **} descends into every subpackage, a pattern such as 'java.**' allows the whole tree below that
 * root; keep patterns as narrow as the use case permits.
 *
 * @param patterns the wildcard patterns of the type names to allow
 * @since 1.4.7
 */
public void allowTypesByWildcard(final String... patterns) {
    // Varargs arrive as a plain String[] and are passed through unchanged.
    final WildcardTypePermission allowed = new WildcardTypePermission(patterns);
    addPermission(allowed);
}
/**
 * Registers a permission that allows every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 * Because {@code **} descends into every subpackage, a pattern such as 'java.**' allows the whole tree below that
 * root; keep patterns as narrow as the use case permits. The forbidding counterpart is
 * {@link #denyTypesByWildcard(String[])}.
 *
 * @param patterns the wildcard patterns of the type names to allow
 * @since 1.4.7
 */
public void allowTypesByWildcard(String[] patterns) {
    final WildcardTypePermission allowed = new WildcardTypePermission(patterns);
    addPermission(allowed);
}
/**
 * Registers a permission that forbids every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 * The allowing counterpart is {@link #allowTypesByWildcard(String[])}.
 *
 * @param patterns the wildcard patterns of the type names to forbid
 * @since 1.4.7
 */
public void denyTypesByWildcard(String[] patterns) {
    // The same wildcard permission type is used for allowing; handing it to
    // denyPermission turns the match into a prohibition.
    final WildcardTypePermission forbidden = new WildcardTypePermission(patterns);
    denyPermission(forbidden);
}
/**
 * Registers a permission that allows every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 * Because {@code **} descends into every subpackage, a pattern such as 'java.**' allows the whole tree below that
 * root; keep patterns as narrow as the use case permits. The forbidding counterpart is
 * {@link #denyTypesByWildcard(String[])}.
 *
 * @param patterns the wildcard patterns of the type names to allow
 * @since 1.4.7
 */
public void allowTypesByWildcard(String[] patterns) {
    final WildcardTypePermission allowed = new WildcardTypePermission(patterns);
    addPermission(allowed);
}
/**
 * Registers a permission that forbids every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 * The allowing counterpart is {@link #allowTypesByWildcard(String[])}.
 *
 * @param patterns the wildcard patterns of the type names to forbid
 * @since 1.4.7
 */
public void denyTypesByWildcard(String[] patterns) {
    // The same wildcard permission type is used for allowing; handing it to
    // denyPermission turns the match into a prohibition.
    final WildcardTypePermission forbidden = new WildcardTypePermission(patterns);
    denyPermission(forbidden);
}
/**
 * Registers a permission that forbids every type whose name matches one of the given wildcard patterns.
 * <p>
 * Patterns are path expressions that use the dot as separator:
 * </p>
 * <ul>
 * <li>{@code ?}: exactly one non-control character other than the separator, e.g. 'java.net.Inet?Address'</li>
 * <li>{@code *}: any number of non-control characters other than the separator, e.g. the types of one package
 * like 'java.lang.*'</li>
 * <li>{@code **}: any number of non-control characters including the separator, e.g. a package and all of its
 * subpackages like 'java.lang.**'</li>
 * </ul>
 *
 * @param patterns the wildcard patterns of the type names to forbid
 * @since 1.4.7
 */
public void denyTypesByWildcard(final String... patterns) {
    // Varargs arrive as a plain String[]; the same wildcard permission type is used for
    // allowing, and handing it to denyPermission turns the match into a prohibition.
    final WildcardTypePermission forbidden = new WildcardTypePermission(patterns);
    denyPermission(forbidden);
}
}
/**
 * Vulnerable to CVE-210137285 variants. Do not use. Will be removed in the next few days!
 * <p>
 * Whitelists entire package roots such as {@code java.**}, i.e. every type below those roots becomes
 * deserializable. (The CVE identifier above is reproduced as written in the original source; it does not
 * follow the CVE-YYYY-NNNN form, so verify it against the tracker before citing it.)
 * </p>
 *
 * @param xstream the instance to configure
 * @return the same {@code xstream} instance
 * @deprecated in favor of {@link #createTrustingXStream()} and {@link #createNonTrustingXStream()}
 */
@Deprecated
private static XStream internalCreateXStream( XStream xstream ) {
    setupDefaultSecurity(xstream);
    // Package roots allowed wholesale; order is kept as in the original whitelist.
    final String[] permissiveRoots = {
        "java.**",
        "javax.**",
        "org.kie.**",
        "org.drools.**",
        "org.jbpm.**",
        "org.optaplanner.**",
        "org.appformer.**"
    };
    xstream.addPermission(new WildcardTypePermission(permissiveRoots));
    return xstream;
}
} else if (pterm.length() > 0) { typePermission = new WildcardTypePermission(new String[]{pterm});
/**
 * Configures an {@link XStream} for XML or JSON that might not come from a trusted source (such as REST service
 * payloads). Every class carrying an {@link XStreamAlias} annotation is whitelisted automatically; additional
 * domain specific classes usually have to be whitelisted as well, which then need to be exposed in your API's.
 *
 * @param xstream the instance to configure
 * @return the same {@code xstream} instance
 */
private static XStream internalCreateNonTrustingXStream( XStream xstream ) {
    setupDefaultSecurity(xstream);
    // TODO remove if setupDefaultSecurity already does this.
    // See comment in https://github.com/x-stream/xstream/pull/99
    final AnyAnnotationTypePermission annotated = new AnyAnnotationTypePermission();
    xstream.addPermission(annotated);
    final WildcardTypePermission whitelisted = new WildcardTypePermission(WHITELISTED_PACKAGES);
    xstream.addPermission(whitelisted);
    // Do not add root permissions for "java", "org.kie" or the like here because that creates a security problem.
    // For more information, see http://x-stream.github.io/security.html and various xstream dev list conversations.
    // Instead, embrace a whitelist approach and expose that in your API's.
    return xstream;
}
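/**
 * Builds the non-trusting XStream instance used by this marshaller.
 * <p>
 * On top of the non-trusting defaults only the {@code org.kie.server.api.**} package tree is allowed, and the
 * {@code void} pseudo-type together with {@code java.lang.Void} is denied explicitly.
 * </p>
 *
 * @param classes     the classes handed to the marshaller (not read here)
 * @param classLoader the class loader handed to the marshaller (not read here)
 */
@Override
protected void buildMarshaller(Set<Class<?>> classes, ClassLoader classLoader) {
    xstream = XStreamUtils.createNonTrustingXStream(new PureJavaReflectionProvider(),
            new DomDriver("UTF-8", new XmlFriendlyNameCoder("_-", "_")));
    // Only the API's own package tree is whitelisted beyond the non-trusting defaults.
    xstream.addPermission(new WildcardTypePermission(new String[]{"org.kie.server.api.**"}));
    // Deny by class literal rather than by name: the name-based overload compares against the
    // fully qualified class name, and "void.class"/"Void.class" are not class names, so the
    // previous string-based deny could never match anything.
    Class<?>[] voidDeny = {void.class, Void.class};
    xstream.denyTypes(voidDeny);
} };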
// Allow primitives and arrays, then the java.** and jgnash.engine.** package trees.
// NOTE(review): "java.**" re-allows the whole platform tree below that root; check whether a
// narrower set of packages would suffice for this instance.
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.addPermission(ArrayTypePermission.ARRAYS);
final String[] packageTrees = {"java.**", "jgnash.engine.**"};
xstream.addPermission(new WildcardTypePermission(packageTrees));
// Allow primitives and arrays, then the java.** and jgnash.engine.** package trees.
// NOTE(review): "java.**" re-allows the whole platform tree below that root; check whether a
// narrower set of packages would suffice for this instance.
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.addPermission(ArrayTypePermission.ARRAYS);
final String[] packageTrees = {"java.**", "jgnash.engine.**"};
xstream.addPermission(new WildcardTypePermission(packageTrees));