Hi Felix, Can we fix it without breaking existing plugins? Let's start fixing it if you have the time and an idea.
Thanks Regards On Sun, Jul 23, 2017 at 4:50 PM, Felix Schumacher < felix.schumac...@internetallee.de> wrote: > Am 23.07.2017 um 16:24 schrieb pmoua...@apache.org: > >> Author: pmouawad >> Date: Sun Jul 23 14:24:36 2017 >> New Revision: 1802731 >> >> URL: http://svn.apache.org/viewvc?rev=1802731&view=rev >> Log: >> Bug 61329 - Warning on console "Security framework of XStream not >> initialized, XStream is probably vulnerable." >> Bugzilla Id: 61329 >> >> Modified: >> jmeter/trunk/src/core/org/apache/jmeter/gui/action/template >> /TemplateManager.java >> jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java >> jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java >> jmeter/trunk/src/protocol/jms/org/apache/jmeter/ >> protocol/jms/sampler/render/ObjectMessageRenderer.java >> >> Modified: jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/ >> TemplateManager.java >> URL: http://svn.apache.org/viewvc/jmeter/trunk/src/core/org/apach >> e/jmeter/gui/action/template/TemplateManager.java?rev= >> 1802731&r1=1802730&r2=1802731&view=diff >> ============================================================ >> ================== >> --- >> jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java >> (original) >> +++ >> jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java >> Sun Jul 23 14:24:36 2017 
>> @@ -87,6 +87,7 @@ public class TemplateManager { >> return factory; >> } >> }); >> + JMeterUtils.setupXStreamSecurityPolicy(xstream); >> xstream.alias("template", Template.class); >> xstream.alias("templates", Templates.class); >> xstream.useAttributeFor(Template.class, "isTestPlan"); >> >> Modified: jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java >> URL: http://svn.apache.org/viewvc/jmeter/trunk/src/core/org/apach >> e/jmeter/save/SaveService.java?rev=1802731&r1=1802730& >> r2=1802731&view=diff >> ============================================================ >> ================== >> --- jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java >> (original) >> +++ jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java Sun >> Jul 23 14:24:36 2017 >> @@ -114,6 +114,8 @@ public class SaveService { >> private static final XStream JTLSAVER = new XStreamWrapper(new >> PureJavaReflectionProvider()); >> static { >> JTLSAVER.setMode(XStream.NO_REFERENCES); // This is needed to >> stop XStream keeping copies of each class >> + JMeterUtils.setupXStreamSecurityPolicy(JMXSAVER); >> + JMeterUtils.setupXStreamSecurityPolicy(JTLSAVER); >> } >> // The XML header, with placeholder for encoding, since that is >> controlled by property >> >> Modified: jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java >> URL: http://svn.apache.org/viewvc/jmeter/trunk/src/core/org/apach >> e/jmeter/util/JMeterUtils.java?rev=1802731&r1=1802730& >> r2=1802731&view=diff >> ============================================================ >> ================== >> --- jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java >> (original) >> +++ jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java Sun >> Jul 23 14:24:36 2017 
>> @@ -69,6 +69,10 @@ import org.apache.oro.text.regex.Perl5Ma >> import org.slf4j.Logger; >> import org.slf4j.LoggerFactory; >> +import com.thoughtworks.xstream.XStream; >> +import com.thoughtworks.xstream.security.AnyTypePermission; >> +import com.thoughtworks.xstream.security.NoTypePermission; >> + >> /** >> * This class contains the static utility methods used by JMeter. >> * 
>> @@ -1250,4 +1254,17 @@ public class JMeterUtils implements Unit >> } >> } >> } >> + >> + /** >> + * Setup default security policy >> + * @param xstream {@link XStream} >> + */ >> + public static void setupXStreamSecurityPolicy(XStream xstream) { >> + // This will lift the insecure warning >> + xstream.addPermission(NoTypePermission.NONE); >> + // We reapply very permissive policy >> + // See https://groups.google.com/foru >> m/#!topic/xstream-user/wiKfdJPL8aY >> + // TODO : How much are we concerned by CVE-2013-7285 >> > Instead of adding another TODO, maybe we should address it right now. The > demos to exploit the framework are easily found and are a threat for users > downloading sample jmx files. Another vector of attack would be a someone > modifying/producing bad content in the networked client setup. > > I think we should go for a relatively strict setup with a regex > white-list, that users can adapt. > > Felix > > > + xstream.addPermission(AnyTypePermission.ANY); >> + } >> } >> >> Modified: jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms >> /sampler/render/ObjectMessageRenderer.java >> URL: http://svn.apache.org/viewvc/jmeter/trunk/src/protocol/jms/o >> rg/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRe >> nderer.java?rev=1802731&r1=1802730&r2=1802731&view=diff >> ============================================================ >> ================== >> --- jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms >> /sampler/render/ObjectMessageRenderer.java (original) >> +++ jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms >> /sampler/render/ObjectMessageRenderer.java Sun Jul 23 14:24:36 2017 >> @@ -29,6 +29,7 @@ import javax.xml.stream.XMLStreamExcepti >> import javax.xml.stream.XMLStreamReader; >> import org.apache.jmeter.protocol.jms.sampler.PublisherSampler; >> +import org.apache.jmeter.util.JMeterUtils; >> import com.github.benmanes.caffeine.cache.Cache; >> import com.thoughtworks.xstream.XStream; 
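Review bot: The Javadoc on the new setupXStreamSecurityPolicy ("Setup default security policy") reads as if the method installs a restricting policy, but the body registers NoTypePermission.NONE and then AnyTypePermission.ANY, so every caller ends up with the same allow-all behaviour as an unconfigured XStream and only the warning disappears; the method's contract should state that plainly, because SaveService, TemplateManager and ObjectMessageRenderer now all route through it. Suggest replacing the summary with `* Initialises the XStream security framework on {@code xstream} so that the "not initialized" warning is no longer logged.` and adding `* Currently this grants {@link AnyTypePermission#ANY}, i.e. no type restriction at all; it does not mitigate CVE-2013-7285 (see the TODO in the body).` so no caller assumes untrusted input is being filtered. The `@param xstream {@link XStream}` tag should also say what happens to the argument, e.g. `@param xstream instance whose permission set is replaced`.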
>> @@ -66,6 +67,7 @@ class ObjectMessageRenderer implements M >> Serializable readObject = null; >> try { >> XStream xstream = new XStream(); >> + JMeterUtils.setupXStreamSecurityPolicy(xstream); >> readObject = (Serializable) xstream.fromXML(xmlMessage, >> readObject); >> } catch (Exception e) { >> throw new IllegalStateException("Unable to load object >> instance from text", e); >> >> >> > -- Cordialement. Philippe Mouawad.
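Review bot: A fresh XStream is constructed and then configured inside the try block each time this code path runs, and the surrounding hunk shows the class already importing a Caffeine Cache, so it is worth checking whether one configured instance could be built once and reused rather than re-created per message; XStream construction is comparatively expensive. If the per-call instance is intentional, a one-line comment such as `// fresh instance per message: no shared XStream state across renders` would make that explicit for the next reader. The enclosing method starts and ends outside the hunk.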