Configure XStream security and resolve itest bundles (#8663)

* Configures XStream security to prevent "Security framework of XStream not initialized, XStream is probably vulnerable" warnings. * Resolves the itest bundles for the upgrade to XStream 1.4.13 Related to openhab/openhab-core#1688 Signed-off-by: Wouter Born <github@maindrain.net>
2020-10-04 22:10:04 +02:00
parent 3ea3570306
commit be7e9c9680
12 changed files with 31 additions and 21 deletions
--- a/bundles/org.openhab.binding.homematic/src/main/java/org/openhab/binding/homematic/internal/communicator/CcuGateway.java
+++ b/bundles/org.openhab.binding.homematic/src/main/java/org/openhab/binding/homematic/internal/communicator/CcuGateway.java
@@ -64,6 +64,8 @@ public class CcuGateway extends AbstractHomematicGateway {
            HttpClient httpClient) {
        super(id, config, gatewayAdapter, httpClient);

+        XStream.setupDefaultSecurity(xStream);
+        xStream.allowTypesByWildcard(new String[] { HmDevice.class.getPackageName() + ".**" });
        xStream.setClassLoader(CcuGateway.class.getClassLoader());
        xStream.autodetectAnnotations(true);
        xStream.alias("scripts", TclScriptList.class);
--- a/bundles/org.openhab.binding.lcn/src/main/java/org/openhab/binding/lcn/internal/pchkdiscovery/LcnPchkDiscoveryService.java
+++ b/bundles/org.openhab.binding.lcn/src/main/java/org/openhab/binding/lcn/internal/pchkdiscovery/LcnPchkDiscoveryService.java
@@ -148,6 +148,8 @@ public class LcnPchkDiscoveryService extends AbstractDiscoveryService {

    ServicesResponse xmlToServiceResponse(String response) {
        XStream xstream = new XStream(new StaxDriver());
+        XStream.setupDefaultSecurity(xstream);
+        xstream.allowTypesByWildcard(new String[] { ServicesResponse.class.getPackageName() + ".**" });
        xstream.setClassLoader(getClass().getClassLoader());
        xstream.autodetectAnnotations(true);
        xstream.alias("ServicesResponse", ServicesResponse.class);
--- a/bundles/org.openhab.binding.lutron/src/main/java/org/openhab/binding/lutron/internal/xml/DbXmlInfoReader.java
+++ b/bundles/org.openhab.binding.lutron/src/main/java/org/openhab/binding/lutron/internal/xml/DbXmlInfoReader.java
@@ -49,15 +49,21 @@ public class DbXmlInfoReader {

        xstream = new XStream(driver);

+        configureSecurity(xstream);
        setClassLoader(Project.class.getClassLoader());
-        registerAliases(this.xstream);
+        registerAliases(xstream);
    }

-    public void setClassLoader(ClassLoader classLoader) {
+    private void configureSecurity(XStream xstream) {
+        XStream.setupDefaultSecurity(xstream);
+        xstream.allowTypesByWildcard(new String[] { Project.class.getPackageName() + ".**" });
+    }
+
+    private void setClassLoader(ClassLoader classLoader) {
        xstream.setClassLoader(classLoader);
    }

-    public void registerAliases(XStream xstream) {
+    private void registerAliases(XStream xstream) {
        xstream.alias("Project", Project.class);
        xstream.aliasField("AppVer", Project.class, "appVersion");
        xstream.aliasField("XMLVer", Project.class, "xmlVersion");