Security framework of XStream not initialized, XStream is probably vulnerable
I keep getting this console error in red while using XStream (1.4.10)
I tried the following:
XStream.setupDefaultSecurity(xs);
and
xs.addPermission(AnyTypePermission.ANY);
xs.addPermission(NoTypePermission.NONE);
none of which got rid of it.
I do not need any fancy security settings, I just want to silence that warning. Maybe also prepare the code for 1.5.x
When dealing with security issues, I wouldn't take it lightly. Firstly one would understand the severity of the issue, here a good write up or another one.
Then find out how people recommend the solution. A good place to start is the xstream website itself. There is an example which you can use as a starting point on the xstream security page.
This would be my set up which basically allows most of your code.
XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});
However, after diving more into their source code, this is my take:
XStream.setupDefaultSecurity(xstream); // to be removed after 1.5
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});
So essentially, you will need just one line once you upgrade to 1.5.
Please note that you may need more wildcards to suit your application's deserialization scenarios. This is not a one-size-fits-all answer but rather a good starting point IMHO.
I had the same "problem" and solved it by allowing the relevant types:
Class<?>[] classes = new Class[] { ABC.class, XYZ.class };
XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);
xStream.allowTypes(classes);
Maybe this also helps in your case.
Good luck!
It also works by specifying an all-inclusive pattern for allowed classes:
xstream.allowTypesByRegExp(new String[] { ".*" });
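The following is an added example, not code from any of the answers above or from the XStream project. It puts the deny-by-default allowlist from the earlier answers next to the all-inclusive pattern from the last one, so the difference can be seen at runtime: the restricted instance round-trips its own model class but throws ForbiddenClassException for a document whose root names any other type, while the permissive instance silences the warning and accepts everything. The Order class, the rejects() helper and the sample XML strings are constructed for this example; the XStream calls are the 1.4.x API the answers use.

```java
import java.util.Collection;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Constructed model class standing in for the application's own types.
    public static class Order {
        String id;
        int quantity;
    }

    // Deny-by-default instance: only types named here can be instantiated from XML.
    static XStream restrictedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE drops whatever permissions XStream registered implicitly.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypeHierarchy(Collection.class);
        // The explicit allowlist: our model class plus String, nothing else.
        xstream.allowTypes(new Class[] { Order.class, String.class });
        return xstream;
    }

    // The all-inclusive pattern: it silences the warning but leaves every class on the
    // classpath instantiable from incoming XML, i.e. it provides no protection.
    static XStream permissiveXStream() {
        XStream xstream = new XStream();
        xstream.allowTypesByRegExp(new String[] { ".*" });
        return xstream;
    }

    // True if the security framework refused to instantiate a type named in the XML.
    static boolean rejects(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream restricted = restrictedXStream();

        Order order = new Order();
        order.id = "A-1";
        order.quantity = 3;
        String ownXml = restricted.toXML(order);
        Order back = (Order) restricted.fromXML(ownXml);
        System.out.println("own type round-trips: " + "A-1".equals(back.id));

        // Constructed document whose root element is XStream's default alias "map",
        // i.e. java.util.HashMap. HashMap itself is harmless; the point is that it is
        // outside the allowlist, which is exactly what the allowlist is there to catch.
        String foreignXml = "<map><entry><string>k</string><string>v</string></entry></map>";
        System.out.println("restricted rejects unknown type: " + rejects(restricted, foreignXml));
        System.out.println("permissive rejects unknown type: " + rejects(permissiveXStream(), foreignXml));
    }
}
```

The check that matters is the last two lines: the restricted instance throws ForbiddenClassException for the map document, the permissive one parses it. Whatever list of types or wildcards an application ends up with, keeping NoTypePermission.NONE first and adding only the model packages afterwards is what gives the allowlist its effect; the ".*" pattern makes the warning go away without changing what can be instantiated.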
To anyone who comes across this, it's likely due to CVE-2021-21351
XStream has an RCE vulnerability in earlier versions. You should upgrade to 1.46.1 or higher immediately.
Related
I have a large edmx schema file that would be very inconvenient to manually re-create, one EntityType at a time, in Java using OLingo. While I'm not opposed to writing a loader of some kind, I wanted to make sure that OLingo 4 doesn't already provide this functionality.
I found an article that shows how OLingo 2 can load this kind of information:
@Override
public Edm readMetadata(final InputStream inputStream, final boolean validate)
        throws EntityProviderException {
    EdmProvider provider = new EdmxProvider().parse(inputStream, validate);
    return new EdmImplProv(provider);
}
But I need to use version 4. I haven't found the same interfaces in the documentation for version 4, so I'm at a bit of a loss. Any pointers much appreciated.
After more investigation, I found that I needed the odata-server-core-ext package and I could import org.apache.olingo.server.core.MetadataParser. Among other things, this class has a function called buildEdmProvider(Reader) which does the work of building a SchemaBasedEdmProvider for you.
If you're not bound to OLingo, you could also try odata-client: https://github.com/davidmoten/odata-client
I've not had a good chance to use it myself as unfortunately the web service I'm trying to connect to is OData 2, and odata-client only supports 4. However, it looked to have some neat features (including type safety and automatic/transparent paging).
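As an added example, not code from the question, the answers or the OLingo project, this is the OLingo 4 counterpart of the OLingo 2 readMetadata() snippet in the question, built on the MetadataParser.buildEdmProvider(Reader) method the answer names. The resource name, the EdmxLoader class and the helper method names are constructed for this example; the OLingo calls (MetadataParser, SchemaBasedEdmProvider.getSchemas(), OData.createServiceMetadata) are the odata-server-core-ext and server-api types.

```java
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import org.apache.olingo.commons.api.edm.Edm;
import org.apache.olingo.commons.api.edm.provider.CsdlEntityType;
import org.apache.olingo.commons.api.edm.provider.CsdlSchema;
import org.apache.olingo.commons.api.edmx.EdmxReference;
import org.apache.olingo.server.api.OData;
import org.apache.olingo.server.core.MetadataParser;
import org.apache.olingo.server.core.SchemaBasedEdmProvider;

public class EdmxLoader {

    // Loads an EDMX document from the classpath (as the question asks for) and
    // returns the provider that MetadataParser builds from it.
    static SchemaBasedEdmProvider loadProvider(String resourceName) throws Exception {
        InputStream in = EdmxLoader.class.getClassLoader().getResourceAsStream(resourceName);
        if (in == null) {
            throw new IllegalArgumentException("resource not found on classpath: " + resourceName);
        }
        try (Reader reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
            return new MetadataParser().buildEdmProvider(reader);
        }
    }

    // Equivalent of the OLingo 2 readMetadata(): turn the provider into an Edm.
    static Edm toEdm(SchemaBasedEdmProvider provider) {
        return OData.newInstance()
                .createServiceMetadata(provider, new ArrayList<EdmxReference>())
                .getEdm();
    }

    // Fully qualified names of every EntityType in every schema of the document,
    // useful as a quick check that the file was read completely.
    static List<String> entityTypeNames(SchemaBasedEdmProvider provider) throws Exception {
        List<String> names = new ArrayList<>();
        for (CsdlSchema schema : provider.getSchemas()) {
            for (CsdlEntityType type : schema.getEntityTypes()) {
                names.add(schema.getNamespace() + "." + type.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        // "metadata/my-service.edmx" is a placeholder resource name.
        SchemaBasedEdmProvider provider = loadProvider("metadata/my-service.edmx");
        Edm edm = toEdm(provider);
        System.out.println("schemas: " + edm.getSchemas().size());
        for (String name : entityTypeNames(provider)) {
            System.out.println(name);
        }
    }
}
```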
How do I add global variables to an embedded Gremlin server instance?
Also, I want to avoid loading the server configuration from a file, although I can load resources from the classpath.
getGlobalBindings() on GremlinExecutor is indeed deprecated, but the javadoc explains how you should proceed:
replaced by getScriptEngineManager() to add global scoped bindings
directly to that object.
That comes from the 3.2.5 javadoc when it was originally deprecated in preparation for pretty large changes in 3.3.0 when new interfaces were implemented to better generalize the GremlinScriptEngine. While these new interfaces were defined for default use in 3.3.0, they are actually present in 3.2.x and may be used there. Note that the getGlobalBindings() method was actually removed completely in 3.3.0 so when you upgrade you will end up with compilation errors.
Where there may be some confusion with respect to that javadoc comment is that to use the getScriptEngineManager() you must also use what is the default 3.3.0 yaml configuration on the 3.2.x line of code...an example is shown here:
https://github.com/apache/tinkerpop/blob/3.3.0/gremlin-server/conf/gremlin-server-classic.yaml#L25
Note that under this new model, you have two other options for adding global bindings...you could also either:
Use the BindingsGremlinPlugin to add global bindings programmatically
Write your own GremlinPlugin instance to add your bindings
Looks like we can do it this way, although getGlobalBindings() is deprecated.
Graph graph = this.createGraph();
GraphTraversalSource g = graph.traversal();
this.server = new GremlinServer(getSettings());
this.server.getServerGremlinExecutor().getGraphManager().putGraph("graph", graph);
this.server.getServerGremlinExecutor().getGremlinExecutor().getGlobalBindings().put("graph", graph);
this.server.getServerGremlinExecutor().getGremlinExecutor().getGlobalBindings().put("g", g);
this.server.start();
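The following is an added example, not code from the question, the answer or the TinkerPop project. It builds the server Settings in code rather than from a yaml file, including the 3.3-style scriptEngines plugin entry the answer says is required, and then registers the global bindings through getScriptEngineManager() instead of the deprecated getGlobalBindings(), so the same code compiles after the 3.3.0 upgrade. Assumptions, in order of how sure I am: GremlinServer, ServerGremlinExecutor, GraphManager.putGraph and GremlinScriptEngineManager.put are the APIs the thread already uses; that Settings.ScriptEngineSettings exposes a plugins map keyed by plugin class name mirrors the yaml layout linked above; the host, port and class name are constructed for this example.

```java
import java.util.Collections;

import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversalSource;
import org.apache.tinkerpop.gremlin.server.GremlinServer;
import org.apache.tinkerpop.gremlin.server.Settings;
import org.apache.tinkerpop.gremlin.structure.Graph;
import org.apache.tinkerpop.gremlin.tinkergraph.structure.TinkerGraph;

public class EmbeddedGremlinServer {

    // Settings built in code rather than read from a yaml file. The plugins entry is
    // the 3.3-style scriptEngines configuration the answer points to; without it the
    // GremlinScriptEngineManager route is not wired up on 3.2.x.
    static Settings settingsFromCode() {
        Settings settings = new Settings();
        settings.host = "127.0.0.1";   // bind to loopback only for an embedded instance
        settings.port = 8182;
        Settings.ScriptEngineSettings groovy = new Settings.ScriptEngineSettings();
        groovy.plugins.put("org.apache.tinkerpop.gremlin.server.jsr223.GremlinServerGremlinPlugin",
                Collections.<String, Object>emptyMap());
        settings.scriptEngines.put("gremlin-groovy", groovy);
        return settings;
    }

    public static void main(String[] args) throws Exception {
        Graph graph = TinkerGraph.open();
        GraphTraversalSource g = graph.traversal();

        GremlinServer server = new GremlinServer(settingsFromCode());
        server.getServerGremlinExecutor().getGraphManager().putGraph("graph", graph);

        // Replacement for the deprecated getGlobalBindings(): global-scope bindings
        // go on the GremlinScriptEngineManager, which survives the 3.3.0 upgrade.
        server.getServerGremlinExecutor().getGremlinExecutor()
              .getScriptEngineManager().put("graph", graph);
        server.getServerGremlinExecutor().getGremlinExecutor()
              .getScriptEngineManager().put("g", g);

        // start() returns a CompletableFuture; join() blocks until the server is up.
        server.start().join();
    }
}
```

The BindingsGremlinPlugin route from the answer would replace the two put() calls with a plugin entry in the same plugins map, which keeps the bindings in the configuration rather than in code; either way the bindings end up in the script engine manager's global scope.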
How do you check for Annotations when using IClassFile in Eclipse?
This doesn't seem to work: classFile.getClass().isAnnotationPresent? Any help is appreciated.
The problem with using
for (final IClassFile classFile : classFiles) {
    IAnnotation[] annotations = classFile.getType().getAnnotations();
}
is that I have to get all the packages, then get the class files in that package, then get the annotations. It will require 3 loops. Is there a way to minimize this?
I would say that the easiest way for you to find annotations is through a triple loop, but it might be slightly faster (assuming you are looking for a specific annotation) to use a SearchEngine instead. Take a look at the source code for the org.eclipse.jdt.internal.junit.launcher.JUnit4TestFinder class. It looks for (source) classes annotated with @Test or @RunWith, which is similar to what you want to do, but for binary classes.
You would do something like this:
IJavaElement[] allPackagesToSearch = ...
SearchRequestor requestor = <implement the SearchRequestor abstract class and store all matches>
// search only binary packages, i.e. application libraries
IJavaSearchScope scope = SearchEngine.createJavaSearchScope(allPackagesToSearch, IJavaSearchScope.APPLICATION_LIBRARIES);
int matchRule = SearchPattern.R_EXACT_MATCH | SearchPattern.R_CASE_SENSITIVE;
// find references to the annotation type, i.e. the places it is applied
SearchPattern annotationPattern = SearchPattern.createPattern("com.foo.MyAnnotation", IJavaSearchConstants.ANNOTATION_TYPE, IJavaSearchConstants.ANNOTATION_TYPE_REFERENCE, matchRule);
SearchParticipant[] searchParticipants = new SearchParticipant[] { SearchEngine.getDefaultSearchParticipant() };
new SearchEngine().search(annotationPattern, searchParticipants, scope, requestor, new SubProgressMonitor(pm, 2));
It's a bit of a mouthful, and to figure out how this works, I'd recommend reading the JavaDoc for SearchEngine, SearchPattern, and SearchRequestor.
If you want to find all annotations, then change the match rule, and instead of "com.foo.MyAnnotation", use "*".
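As an added example, not code from the answer or from the JDT or JUnit launcher sources it refers to, here is the sketch above filled in: a SearchRequestor that collects the annotated types, plus the two variants the answer mentions (exact lookup of one annotation, and "*" with a pattern match rule to catch any annotation). The class and method names are constructed; the JDT calls are the org.eclipse.jdt.core.search API.

```java
import java.util.LinkedHashSet;
import java.util.Set;

import org.eclipse.core.runtime.CoreException;
import org.eclipse.core.runtime.NullProgressMonitor;
import org.eclipse.jdt.core.IJavaElement;
import org.eclipse.jdt.core.IType;
import org.eclipse.jdt.core.search.IJavaSearchConstants;
import org.eclipse.jdt.core.search.IJavaSearchScope;
import org.eclipse.jdt.core.search.SearchEngine;
import org.eclipse.jdt.core.search.SearchMatch;
import org.eclipse.jdt.core.search.SearchParticipant;
import org.eclipse.jdt.core.search.SearchPattern;
import org.eclipse.jdt.core.search.SearchRequestor;

public class AnnotatedBinaryTypeFinder {

    // Returns every type within the given elements (packages, package fragment roots
    // or projects) that carries a reference to the annotation named by the pattern.
    static Set<IType> findAnnotatedTypes(IJavaElement[] elementsToSearch,
                                         String annotationPattern,
                                         int matchRule) throws CoreException {
        final Set<IType> found = new LinkedHashSet<IType>();

        // The requestor is the callback the search engine feeds each match into.
        SearchRequestor requestor = new SearchRequestor() {
            @Override
            public void acceptSearchMatch(SearchMatch match) {
                Object element = match.getElement();
                // For ANNOTATION_TYPE_REFERENCE matches the element is the annotated
                // Java element; climb to the enclosing type for members and locals.
                if (element instanceof IJavaElement) {
                    IType type = (IType) ((IJavaElement) element).getAncestor(IJavaElement.TYPE);
                    if (type != null) {
                        found.add(type);
                    }
                }
            }
        };

        // Restrict the scope to binary packages, as in the answer.
        IJavaSearchScope scope = SearchEngine.createJavaSearchScope(
                elementsToSearch, IJavaSearchScope.APPLICATION_LIBRARIES);
        SearchPattern pattern = SearchPattern.createPattern(
                annotationPattern,
                IJavaSearchConstants.ANNOTATION_TYPE,
                IJavaSearchConstants.ANNOTATION_TYPE_REFERENCE,
                matchRule);
        SearchParticipant[] participants =
                new SearchParticipant[] { SearchEngine.getDefaultSearchParticipant() };

        new SearchEngine().search(pattern, participants, scope, requestor, new NullProgressMonitor());
        return found;
    }

    // Exact lookup of one annotation by fully qualified name.
    static Set<IType> findTypesAnnotatedWith(IJavaElement[] elements, String fqn) throws CoreException {
        return findAnnotatedTypes(elements, fqn,
                SearchPattern.R_EXACT_MATCH | SearchPattern.R_CASE_SENSITIVE);
    }

    // Any annotation at all: the "*" variant needs a pattern (not exact) match rule.
    static Set<IType> findAnyAnnotatedTypes(IJavaElement[] elements) throws CoreException {
        return findAnnotatedTypes(elements, "*", SearchPattern.R_PATTERN_MATCH);
    }
}
```

Pass the package fragments (or the whole IJavaProject) as elementsToSearch; the search index does the walking that the three nested loops in the question would otherwise do by hand.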
I'm currently writing a web application in java using GWT 2.0 in eclipse.
I wanted to know if there is a way to use Gson library in a GWT application's client code.
and if there is a way - please tell me how...
Thanks!
Gson uses Java features that are not supported in GWT such as reflection. Thus it is not possible to use Gson in GWT client side code.
Not exactly what you wrote but I guess that what you meant was how to serialize/deserialize JSON in GWT code?
In GWT 2.1.1 you can use GWT AutoBean framework
See there at the bottom of the article it has this magic code ...
String serializeToJson(Person person)
{
    // Retrieve the AutoBean controller
    AutoBean<Person> bean = AutoBeanUtils.getAutoBean(person);
    return AutoBeanCodex.encode(bean).getPayload();
}
Person deserializeFromJson(String json)
{
    // myFactory is the application's AutoBeanFactory
    AutoBean<Person> bean = AutoBeanCodex.decode(myFactory, Person.class, json);
    return bean.as();
}
the serializeToJson() works fine for me even with instances that inherit Person but I did not try the deserializeFromJson...
(feel free to enhance my post if you like)
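The following is an added example, not code from the answer or from the GWT project, that makes the two snippets above complete: it declares the Person bean interface, the AutoBeanFactory that the decode call needs (the myFactory in the snippet), and runs a JVM-side round trip so the deserializeFromJson path the answer did not try can be checked outside the browser. The Person and PersonFactory interfaces and the PersonJsonCodec class are constructed for this example; the AutoBean calls are the com.google.web.bindery.autobean API, and AutoBeanFactorySource is its JVM (non-GWT) factory implementation.

```java
import com.google.web.bindery.autobean.shared.AutoBean;
import com.google.web.bindery.autobean.shared.AutoBeanCodex;
import com.google.web.bindery.autobean.shared.AutoBeanFactory;
import com.google.web.bindery.autobean.shared.AutoBeanUtils;
import com.google.web.bindery.autobean.vm.AutoBeanFactorySource;

public class PersonJsonCodec {

    // The bean is an interface of getters/setters; AutoBean generates the implementation.
    public interface Person {
        String getName();
        void setName(String name);
        int getAge();
        void setAge(int age);
    }

    // One factory method per bean type. On the client this is obtained with
    // GWT.create(PersonFactory.class); on the JVM with AutoBeanFactorySource below.
    public interface PersonFactory extends AutoBeanFactory {
        AutoBean<Person> person();
    }

    private final PersonFactory factory;

    public PersonJsonCodec(PersonFactory factory) {
        this.factory = factory;
    }

    // New beans must come from the factory so that getAutoBean() can find their controller.
    public Person newPerson() {
        return factory.person().as();
    }

    public String serializeToJson(Person person) {
        AutoBean<Person> bean = AutoBeanUtils.getAutoBean(person);
        return AutoBeanCodex.encode(bean).getPayload();
    }

    public Person deserializeFromJson(String json) {
        AutoBean<Person> bean = AutoBeanCodex.decode(factory, Person.class, json);
        return bean.as();
    }

    // JVM-side round trip; everything except this main compiles as GWT client code too.
    public static void main(String[] args) {
        PersonJsonCodec codec = new PersonJsonCodec(AutoBeanFactorySource.create(PersonFactory.class));
        Person p = codec.newPerson();
        p.setName("Ada");
        p.setAge(36);
        String json = codec.serializeToJson(p);
        System.out.println(json);
        Person back = codec.deserializeFromJson(json);
        System.out.println(back.getName() + " " + back.getAge());
    }
}
```

Because the same interfaces and codec compile on both sides, this is one way to get the "only one solution for shared code" that the next answer asks for without Gson on the client.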
currently (2015-02-07) it is not possible although I like Gson very much and would like to have only one solution for shared code :-/ , but there are some other libraries available (I only know AutoBeans and Gson myself and had a quick look at Piriti):
(some support both or only one of XML and JSON (de)serialization)
client- and server-side
AutoBeans (*): http://code.google.com/p/google-web-toolkit/wiki/AutoBean
I had problems with generics there (2015-02-07) similar to this: RequestFactory: Proxy implementing interface with generics
client-side-only
Piriti
RestyGWT: http://restygwt.fusesource.org/documentation/restygwt-user-guide.html#JSON_Encoder_Decoders
RocketGWT: http://code.google.com/p/rocket-gwt/wiki/JsonSerialization
Acris: http://code.google.com/p/acris/wiki/GWTJsonizer
JavaScript overlay types (*)
server-side only
Gson (from Google)
(*) from GWT project itself
Comparisons:
e.g. https://github.com/hpehl/piriti/wiki/Comparison
In our GWT project we use piriti:
http://code.google.com/p/piriti/
Works like a charm :-)
I have written a library that allows using GWT with Gson, you can download it here and enjoy it.
Stripes allows you to validate your form input values using the @Validate annotation on your member variables. Does anyone have any experience testing these annotations directly. I could do this by testing the validation errors that come back from the ActionBean, but this seems a little long winded and I would like a more direct method of testing if an input value is valid.
I'm not that familiar with the innards of the Framework yet, and I was hoping someone could give me some direction on where to start. TIA.
One method I've used is Stripes' built-in MockRoundtrip. It is useful for simulating a complete test of an action bean event outside the container.
Example from the documentation:
MockServletContext context = ...;
MockRoundtrip trip = new MockRoundtrip(context, CalculatorActionBean.class);
trip.setParameter("numberOne", "2");
trip.setParameter("numberTwo", "2");
trip.execute();
CalculatorActionBean bean = trip.getActionBean(CalculatorActionBean.class);
Assert.assertEquals(bean.getResult(), 4, "two plus two should equal four");
Assert.assertEquals(trip.getDestination(), "/quickstart/index.jsp");
Additionally, you could use trip.getValidationErrors() and assert that your error is in there.
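As an added example, not code from the answer or from the Stripes documentation, here is the MockRoundtrip approach applied to the question's actual concern, the @Validate rules themselves: one test drives an out-of-range value through the bean and asserts that trip.getValidationErrors() contains a field error, another drives a valid value and asserts that binding and the forward both happened. The OrderActionBean, its package name, the quantity bounds and the JSP path are constructed for this example; the MockServletContext wiring (StripesFilter with ActionResolver.Packages, DispatcherServlet) is the standard Stripes mock setup, and the tests use JUnit 4.

```java
package com.example.web;

import java.util.HashMap;
import java.util.Map;

import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.controller.DispatcherServlet;
import net.sourceforge.stripes.controller.StripesFilter;
import net.sourceforge.stripes.mock.MockRoundtrip;
import net.sourceforge.stripes.mock.MockServletContext;
import net.sourceforge.stripes.validation.Validate;
import net.sourceforge.stripes.validation.ValidationErrors;

public class QuantityValidationTest {

    // Bean under test: the @Validate rules are what the tests exercise directly.
    public static class OrderActionBean implements ActionBean {
        private ActionBeanContext context;

        @Validate(required = true, minvalue = 1, maxvalue = 100)
        private Integer quantity;

        public ActionBeanContext getContext() { return context; }
        public void setContext(ActionBeanContext context) { this.context = context; }
        public Integer getQuantity() { return quantity; }
        public void setQuantity(Integer quantity) { this.quantity = quantity; }

        @DefaultHandler
        public Resolution submit() {
            return new ForwardResolution("/order/confirm.jsp");
        }
    }

    private static MockServletContext context;

    @BeforeClass
    public static void setUpContext() {
        // Minimal Stripes wiring; the scanned package must contain the bean above.
        context = new MockServletContext("test");
        Map<String, String> filterParams = new HashMap<String, String>();
        filterParams.put("ActionResolver.Packages", "com.example.web");
        context.addFilter(StripesFilter.class, "StripesFilter", filterParams);
        context.setServlet(DispatcherServlet.class, "StripesDispatcher", null);
    }

    @Test
    public void rejectsOutOfRangeQuantity() throws Exception {
        MockRoundtrip trip = new MockRoundtrip(context, OrderActionBean.class);
        trip.setParameter("quantity", "0");   // below minvalue
        trip.execute();

        // ValidationErrors is keyed by field name; the handler is never reached.
        ValidationErrors errors = trip.getValidationErrors();
        Assert.assertTrue("expected a field error on quantity", errors.containsKey("quantity"));
    }

    @Test
    public void rejectsMissingQuantity() throws Exception {
        MockRoundtrip trip = new MockRoundtrip(context, OrderActionBean.class);
        trip.execute();   // no parameter at all: required=true must fail

        Assert.assertTrue(trip.getValidationErrors().containsKey("quantity"));
    }

    @Test
    public void acceptsValidQuantity() throws Exception {
        MockRoundtrip trip = new MockRoundtrip(context, OrderActionBean.class);
        trip.setParameter("quantity", "5");
        trip.execute();

        Assert.assertTrue(trip.getValidationErrors().isEmpty());
        OrderActionBean bean = trip.getActionBean(OrderActionBean.class);
        Assert.assertEquals(Integer.valueOf(5), bean.getQuantity());
        Assert.assertEquals("/order/confirm.jsp", trip.getDestination());
    }
}
```

Each test is one request through the real Stripes binding and validation pipeline, so a change to the annotation (say, loosening maxvalue) fails the corresponding test without any container or JSP in the picture.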