From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: svn commit: r1802731 - in /jmeter/trunk/src: core/org/apache/jmeter/gui/action/template/ core/org/apache/jmeter/save/ core/org/apache/jmeter/util/ protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/
Date Sun, 23 Jul 2017 14:50:02 GMT
Am 23.07.2017 um 16:24 schrieb pmouawad@apache.org:
> Author: pmouawad
> Date: Sun Jul 23 14:24:36 2017
> New Revision: 1802731
>
> URL: http://svn.apache.org/viewvc?rev=1802731&view=rev
> Log:
> Bug 61329 - Warning on console "Security framework of XStream not initialized, XStream
is probably vulnerable."
> Bugzilla Id: 61329
>
> Modified:
>      jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java
>      jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java
>      jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java
>      jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java
>
> Modified: jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java
> URL: http://svn.apache.org/viewvc/jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java?rev=1802731&r1=1802730&r2=1802731&view=diff
> ==============================================================================
> --- jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java
(original)
> +++ jmeter/trunk/src/core/org/apache/jmeter/gui/action/template/TemplateManager.java
Sun Jul 23 14:24:36 2017
> @@ -87,6 +87,7 @@ public class TemplateManager {
>                   return factory;
>               }
>           });
> +        JMeterUtils.setupXStreamSecurityPolicy(xstream);
>           xstream.alias("template", Template.class);
>           xstream.alias("templates", Templates.class);
>           xstream.useAttributeFor(Template.class, "isTestPlan");
>
> Modified: jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java
> URL: http://svn.apache.org/viewvc/jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java?rev=1802731&r1=1802730&r2=1802731&view=diff
> ==============================================================================
> --- jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java (original)
> +++ jmeter/trunk/src/core/org/apache/jmeter/save/SaveService.java Sun Jul 23 14:24:36
2017
> @@ -114,6 +114,8 @@ public class SaveService {
>       private static final XStream JTLSAVER = new XStreamWrapper(new PureJavaReflectionProvider());
>       static {
>           JTLSAVER.setMode(XStream.NO_REFERENCES); // This is needed to stop XStream
keeping copies of each class
> +        JMeterUtils.setupXStreamSecurityPolicy(JMXSAVER);
> +        JMeterUtils.setupXStreamSecurityPolicy(JTLSAVER);
>       }
>   
>       // The XML header, with placeholder for encoding, since that is controlled by property
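Review bot: The added line `JMeterUtils.setupXStreamSecurityPolicy(JMXSAVER);` refers to JMXSAVER, whose declaration is not in this hunk; static initializers run in textual order, so this block is only safe if JMXSAVER is declared above it, and the hunk shows only JTLSAVER's declaration immediately before the block, so that ordering is worth confirming. Since JMeterUtils.setupXStreamSecurityPolicy in this same commit ends by granting AnyTypePermission.ANY, a short comment here would stop a reader from taking these two calls as a type restriction on the .jmx/.jtl loaders, e.g. `// Explicitly initialise XStream's security framework (currently permit-all, see JMeterUtils); JMXSAVER must be initialised above this block`. The enclosing class SaveService continues outside the hunk.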
>
> Modified: jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java
> URL: http://svn.apache.org/viewvc/jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java?rev=1802731&r1=1802730&r2=1802731&view=diff
> ==============================================================================
> --- jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java (original)
> +++ jmeter/trunk/src/core/org/apache/jmeter/util/JMeterUtils.java Sun Jul 23 14:24:36
2017
> @@ -69,6 +69,10 @@ import org.apache.oro.text.regex.Perl5Ma
>   import org.slf4j.Logger;
>   import org.slf4j.LoggerFactory;
>   
> +import com.thoughtworks.xstream.XStream;
> +import com.thoughtworks.xstream.security.AnyTypePermission;
> +import com.thoughtworks.xstream.security.NoTypePermission;
> +
>   /**
>    * This class contains the static utility methods used by JMeter.
>    *
> @@ -1250,4 +1254,17 @@ public class JMeterUtils implements Unit
>               }
>           }
>       }
> +
> +    /**
> +     * Setup default security policy
> +     * @param xstream {@link XStream}
> +     */
> +    public static void setupXStreamSecurityPolicy(XStream xstream) {
> +        // This will lift the insecure warning
> +        xstream.addPermission(NoTypePermission.NONE);
> +        // We reapply very permissive policy
> +        // See https://groups.google.com/forum/#!topic/xstream-user/wiKfdJPL8aY
> +        // TODO : How much are we concerned by CVE-2013-7285
Instead of adding another TODO, maybe we should address it right now. 
The demos to exploit the framework are easily found and are a threat for 
users downloading sample jmx files. Another vector of attack would be 
someone modifying/producing bad content in the networked client setup.

I think we should go for a relatively strict setup with a regex 
white-list, that users can adapt.

Felix

> +        xstream.addPermission(AnyTypePermission.ANY);
> +    }
>   }
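Review bot: The Javadoc `Setup default security policy` on setupXStreamSecurityPolicy reads as if the method hardens XStream, but the body registers NoTypePermission.NONE and then AnyTypePermission.ANY, and the in-line comment itself says a very permissive policy is reapplied; as far as I can tell from XStream's permission lookup the later-added ANY permission is consulted first, so the net effect is that the console warning disappears while every call site in this commit (TemplateManager, SaveService's JMXSAVER and JTLSAVER, ObjectMessageRenderer) still deserializes any type. The Javadoc should state that plainly, e.g. `Explicitly initialises the XStream security framework. Currently grants AnyTypePermission.ANY after NoTypePermission.NONE, which silences XStream's "not initialized" warning but does not restrict the types that may be deserialized; callers fed with untrusted XML gain no protection from this call.` A leading `Objects.requireNonNull(xstream, "xstream");` would also turn a null argument into a clearer failure than the NPE from addPermission. The enclosing class JMeterUtils continues outside the hunk.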
>
> Modified: jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java
> URL: http://svn.apache.org/viewvc/jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java?rev=1802731&r1=1802730&r2=1802731&view=diff
> ==============================================================================
> --- jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java
(original)
> +++ jmeter/trunk/src/protocol/jms/org/apache/jmeter/protocol/jms/sampler/render/ObjectMessageRenderer.java
Sun Jul 23 14:24:36 2017
> @@ -29,6 +29,7 @@ import javax.xml.stream.XMLStreamExcepti
>   import javax.xml.stream.XMLStreamReader;
>   
>   import org.apache.jmeter.protocol.jms.sampler.PublisherSampler;
> +import org.apache.jmeter.util.JMeterUtils;
>   
>   import com.github.benmanes.caffeine.cache.Cache;
>   import com.thoughtworks.xstream.XStream;
> @@ -66,6 +67,7 @@ class ObjectMessageRenderer implements M
>         Serializable readObject = null;
>         try {
>             XStream xstream = new XStream();
> +          JMeterUtils.setupXStreamSecurityPolicy(xstream);
>             readObject = (Serializable) xstream.fromXML(xmlMessage, readObject);
>         } catch (Exception e) {
>             throw new IllegalStateException("Unable to load object instance from text",
e);
>
>

