Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix 454 #472

Merged
merged 5 commits into from
Nov 1, 2018
Merged

Fix 454 #472

merged 5 commits into from
Nov 1, 2018

Conversation

rygel
Copy link
Member

@rygel rygel commented Oct 29, 2018

This is my take on fixing this bug. I've added regular expression parsing and re-using WhitelistObjectInputStream.

@rygel
Copy link
Member Author

rygel commented Oct 29, 2018

@decebals Please don't merge the commit cc69274. This is unfinished and should not be part of this branch.

Copy link
Member Author

@rygel rygel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes should not be part of this branch. Sorry.

@coveralls
Copy link

coveralls commented Oct 29, 2018

Pull Request Test Coverage Report for Build 1025

  • 0 of 14 (0.0%) changed or added relevant lines in 2 files are covered.
  • 1 unchanged line in 1 file lost coverage.
  • Overall coverage decreased (-0.04%) to 21.564%

Changes Missing Coverage Covered Lines Changed/Added Lines %
pippo-content-type-parent/pippo-xstream/src/main/java/ro/pippo/xstream/XstreamEngine.java 0 2 0.0%
pippo-core/src/main/java/ro/pippo/core/util/WhitelistObjectInputStream.java 0 12 0.0%
Files with Coverage Reduction New Missed Lines %
pippo-content-type-parent/pippo-xstream/src/main/java/ro/pippo/xstream/XstreamEngine.java 1 0.0%
Totals Coverage Status
Change from base Build 1022: -0.04%
Covered Lines: 1384
Relevant Lines: 6418

💛 - Coveralls

@mhagnumdw
Copy link
Member

@rygel

@decebals Please don't merge the commit cc69274. This is unfinished and should not be part of this branch.

It may be better to remove the commit from your branch, so we avoid undue merge.

I will do again the review I did in closed PR #471

@rygel
Copy link
Member Author

rygel commented Oct 29, 2018

@mhagnumdw The last commit should have fixed this now.
Thank you for doing your review!

@decebals decebals merged commit 0b889ec into pippo-java:master Nov 1, 2018
@decebals
Copy link
Member

decebals commented Nov 1, 2018

@rygel
Thanks! I will come with small changes (polishing) because I don't want to bother you with trivial change requests.

decebals added a commit that referenced this pull request Nov 1, 2018
@decebals
Copy link
Member

decebals commented Nov 1, 2018

I made the modifications.
Maybe now this aspect with security and deserialize is a little bit paranoiac 😄.
I don't have a Pippo application with XStream to see if something works.

@decebals
Copy link
Member

decebals commented Nov 1, 2018

I modified the pippo-demo-basic, to use xstream instead of jackson (add pippo-xstream dependency in front of of pippo-jackson)

<dependency>
    <groupId>ro.pippo</groupId>
    <artifactId>pippo-xstream</artifactId>
    <version>${pippo.version}</version>
</dependency>

<dependency>
    <groupId>ro.pippo</groupId>
    <artifactId>pippo-jackson</artifactId>
    <version>${pippo.version}</version>
</dependency>

and I see that http://localhost:8338/xml works but my expectation was to not work, because Contact class is not in whitelist.
On the other part, to add each domain class (Contact in demo) in WhitelistObjectInputStream seems (maybe) to a little bit too much (in my opinion). Or maybe it's the normal workflow if you want a secure application. In the end you can use the regex to add all your domain classes (ro.pippo.demo.* in demo case).

@rygel rygel deleted the fix_454 branch November 1, 2018 21:58
@rygel rygel restored the fix_454 branch November 1, 2018 22:01
@rygel
Copy link
Member Author

rygel commented Nov 1, 2018

I modified the pippo-demo-basic, to use xstream instead of jackson (add pippo-xstream dependency in front of of pippo-jackson)
and I see that http://localhost:8338/xml works but my expectation was to not work, because Contact class is not in whitelist.

@decebals So no exception has been thrown? I just checked the XStream documentation (http://x-stream.github.io/security.html) and I think I forgot a crucial part, while working on the fix.

// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);

I think XStream already is setup with some default permissions and to get the highest securit thoe have to be cleared first, before adding the own/new ones. Sorry for my oversight. I created a new PR for this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants