XStream switched from a security blacklist to a whitelist which is more secure in 1.4.18 to block malicious code from being de-serialized.
Quote from upstream:
"Main reason for the blacklist were compatibility, it allowed to use newer versions of XStream as drop-in replacement. However, this approach has failed. A growing list of security reports has proven, that a blacklist is inherently unsafe, apart from the fact that types of 3rd libraries were not even considered. XStream provides the ability to setup a whitelist since version 1.4.7, a version released nine years before 1.4.18. Clients who have adapted their setup and initialize the security framework are able to use newer versions again as drop-in replacement. A blacklist scenario should be avoided in general, because it provides a false sense of security."
jajuk does not use a whitelist so far but this has been the recommended way for years now. You just need to update XMLUtils.java to allow Jajuk classes.
It looks to me you just need to update the readObjectFromFile method, e.g you could allow all classes from the same package like that:
XStream switched from a security blacklist to a whitelist which is more secure in 1.4.18 to block malicious code from being de-serialized.
Quote from upstream:
"Main reason for the blacklist were compatibility, it allowed to use newer versions of XStream as drop-in replacement. However, this approach has failed. A growing list of security reports has proven, that a blacklist is inherently unsafe, apart from the fact that types of 3rd libraries were not even considered. XStream provides the ability to setup a whitelist since version 1.4.7, a version released nine years before 1.4.18. Clients who have adapted their setup and initialize the security framework are able to use newer versions again as drop-in replacement. A blacklist scenario should be avoided in general, because it provides a false sense of security."
jajuk does not use a whitelist so far but this has been the recommended way for years now. You just need to update XMLUtils.java to allow Jajuk classes.
It looks to me you just need to update the readObjectFromFile method, e.g you could allow all classes from the same package like that:
xStream.allowTypesByWildcard(new String[] {XMLUtils.class.getPackage().getName()+".*" });
After that everything should work as before.
See also https://x-stream.github.io/security.html#framework