jajuk-team / jajuk

Advanced jukebox for users with large or scattered music collections

upgrade libxstream-java to version 1.4.18 because of earlier security vulnerabilities #2071

Open apoleon opened 3 years ago

apoleon commented 3 years ago

XStream switched in 1.4.18 from a security blacklist to a whitelist, which is more secure, to block malicious code from being de-serialized.

Quote from upstream:

"The main reason for the blacklist was compatibility; it allowed the use of newer versions of XStream as a drop-in replacement. However, this approach has failed. A growing list of security reports has proven that a blacklist is inherently unsafe, apart from the fact that types of 3rd-party libraries were not even considered. XStream provides the ability to set up a whitelist since version 1.4.7, a version released nine years before 1.4.18. Clients who have adapted their setup and initialize the security framework are able to use newer versions again as a drop-in replacement. A blacklist scenario should be avoided in general, because it provides a false sense of security."

jajuk does not use a whitelist so far, but this has been the recommended way for years now. You just need to update XMLUtils.java to allow Jajuk classes.

It looks to me you just need to update the readObjectFromFile method, e.g. you could allow all classes from the same package like this:

xStream.allowTypesByWildcard(new String[] {XMLUtils.class.getPackage().getName()+".*" });

After that everything should work as before.

See also https://x-stream.github.io/security.html#framework
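The following is an added, self-contained illustration of the package whitelist suggested above; it is not code from the Jajuk project or from the issue author. The package name `org.example.xstreamdemo`, the `Settings` class, the `readObjectFromFile`/`writeObjectToFile` signatures and the sample XML are all constructed for the demo (Jajuk's real `XMLUtils` lives in its own package and persists its own types). It requires XStream 1.4.18 on the classpath and shows both sides of the change: a type inside the whitelisted package still round-trips, while a document naming a type outside the whitelist is refused before any object is built.

```java
package org.example.xstreamdemo;  // hypothetical package; stands in for the package holding XMLUtils

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;

import java.io.IOException;
import java.io.Reader;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class XStreamWhitelistDemo {

    /** Constructed sample type standing in for the application classes that get persisted. */
    public static class Settings {
        public String lastPlaylist = "favorites";
        public int volume = 42;
    }

    /**
     * Builds an XStream whose whitelist covers every class in this package, as the
     * issue suggests. XStream 1.4.18 already starts from a whitelist of core JDK types
     * (String, Number, Collection, Map, ...), so this call only adds our own types to it.
     */
    static XStream secureXStream() {
        XStream xStream = new XStream();
        // "*" does not cross a package separator; use "**" if subpackages must be allowed too.
        xStream.allowTypesByWildcard(new String[] {
            XStreamWhitelistDemo.class.getPackage().getName() + ".*"
        });
        return xStream;
    }

    /** Hypothetical counterpart of the project's writer; serializes one object to a file. */
    static void writeObjectToFile(XStream xStream, Object o, Path file) throws IOException {
        try (Writer w = Files.newBufferedWriter(file, StandardCharsets.UTF_8)) {
            xStream.toXML(o, w);
        }
    }

    /** Hypothetical counterpart of the readObjectFromFile method mentioned in the issue. */
    static Object readObjectFromFile(XStream xStream, Path file) throws IOException {
        try (Reader r = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            return xStream.fromXML(r);
        }
    }

    public static void main(String[] args) throws IOException {
        XStream xStream = secureXStream();
        Path tmp = Files.createTempFile("settings", ".xml");

        // 1. Round trip of a whitelisted type: behaves exactly as before the upgrade.
        Settings original = new Settings();
        original.volume = 75;
        writeObjectToFile(xStream, original, tmp);
        Settings restored = (Settings) readObjectFromFile(xStream, tmp);
        System.out.println("restored volume = " + restored.volume);

        // 2. Constructed sample document naming a type outside the whitelist.
        //    java.util.Random is a perfectly ordinary, loadable JDK class, but it is neither
        //    in our package nor among XStream's default core-type permissions, so the
        //    security mapper refuses it before any instance is created.
        Files.write(tmp, "<java.util.Random/>".getBytes(StandardCharsets.UTF_8));
        try {
            readObjectFromFile(xStream, tmp);
            System.out.println("unexpected: type was accepted");
        } catch (XStreamException e) {
            // A ForbiddenClassException for a root element; when the rejected type sits
            // deeper in the document it arrives wrapped in a ConversionException.
            System.out.println("rejected as expected: " + e.getClass().getSimpleName());
        }
        Files.deleteIfExists(tmp);
    }
}
```

Two practical notes for the migration: the older `XStream.setupDefaultSecurity(xStream)` call is no longer needed in 1.4.18 because the whitelist is the default, and any field types that are neither core JDK types nor in the whitelisted package (for example types from a third-party library stored inside a persisted object) need their own `allowTypes`/`allowTypeHierarchy` entry, which is exactly the kind of gap the blacklist approach used to hide.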