Hardened XStream with a converter to prevent exploitation

components/nexus-client-core/pom.xml

@@ -130,6 +130,10 @@
       <artifactId>nexus-test-common</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit-xstream</artifactId>
+    </dependency>
   </dependencies>
 
 </project>

components/nexus-client-core/src/main/java/org/sonatype/nexus/client/internal/rest/NexusXStreamFactory.java

@@ -12,6 +12,7 @@
  */
 package org.sonatype.nexus.client.internal.rest;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import org.sonatype.nexus.client.internal.msg.ErrorMessage;
 import org.sonatype.nexus.client.internal.msg.ErrorResponse;
 import org.sonatype.nexus.rest.model.XStreamConfiguratorLightweight;
@@ -34,6 +35,7 @@ public class NexusXStreamFactory
     public XStream createForXml()
     {
         final XStream xstream = new XStream( new LookAheadXppDriver() );
+        xstream.registerConverter(new HardeningConverter());
         xstream.setMode( XStream.NO_REFERENCES );
         xstream.autodetectAnnotations( false );
         return xstream;

components/nexus-core/pom.xml

@@ -335,6 +335,10 @@
       <artifactId>sisu-pr-testutil</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit-xstream</artifactId>
+    </dependency>
   </dependencies>
 
   <build>

components/nexus-core/src/main/java/org/sonatype/nexus/configuration/application/upgrade/Upgrade103to104.java

@@ -12,6 +12,7 @@
  */
 package org.sonatype.nexus.configuration.application.upgrade;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileReader;
@@ -113,7 +114,8 @@ public Object loadConfiguration( File file )
         {
             // a snippet from old TaskConnfigManager
             XStream xstream = new XStream( new DomDriver() );
-
+            xstream.registerConverter(new HardeningConverter());
+
             // alias the versioned class (they are frozen to 1.0.3 only!)
             xstream.alias( "org.sonatype.nexus.configuration.model.CTaskConfiguration", CTaskConfiguration.class );
             xstream.alias(

components/pom.xml

@@ -63,7 +63,12 @@
         <version>2.6.0-SNAPSHOT</version>
         <scope>import</scope>
       </dependency>
-
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit-xstream</artifactId>
+
+        <version>${versions.java-security-toolkit-xstream}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -75,5 +80,7 @@
       </plugin>
     </plugins>
   </build>
-
+  <properties>
+    <versions.java-security-toolkit-xstream>1.0.2</versions.java-security-toolkit-xstream>
+  </properties>
 </project>

plugins/basic/nexus-plugin-console-plugin/src/main/java/org/sonatype/nexus/plugins/plugin/console/error/reporting/PluginListErrorReportBundleContentContributor.java

@@ -12,6 +12,7 @@
  */
 package org.sonatype.nexus.plugins.plugin.console.error.reporting;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.util.List;
@@ -41,6 +42,7 @@ public ErrorReportBundleEntry[] getEntries()
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
 
         XStream xs = new XStream();
+        xs.registerConverter(new HardeningConverter());
         xs.alias( "PluginInfo", PluginInfo.class );
         xs.toXML( l, bos );
 

plugins/restlet1x/nexus-restlet-bridge/pom.xml

@@ -88,6 +88,10 @@
       <artifactId>com.noelios.restlet.ext.jetty</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit-xstream</artifactId>
+    </dependency>
   </dependencies>
 
   <build>

plugins/restlet1x/nexus-restlet-bridge/src/main/java/org/sonatype/plexus/rest/PlexusRestletApplicationBridge.java

@@ -12,6 +12,7 @@
  */
 package org.sonatype.plexus.rest;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.HashMap;
@@ -300,6 +301,7 @@ protected final void recreateRoot( boolean isStarted )
     protected final XStream createAndConfigureXstream( HierarchicalStreamDriver driver )
     {
         XStream xstream = new XStream( driver );
+        xstream.registerConverter(new HardeningConverter());
 
         xstream.setClassLoader( uberClassLoader );
 

plugins/restlet1x/nexus-restlet1x-plugin/src/test/java/org/sonatype/nexus/rest/global/GlobalConfigurationPlexusResourceTest.java

@@ -12,6 +12,7 @@
  */
 package org.sonatype.nexus.rest.global;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
 
@@ -39,6 +40,7 @@ public void unescapeHTMLInSMTPPassword()
 
         // make sure the configuration resource configures xstream to unescape
         final XStream xStream = new XStream();
+        xStream.registerConverter(new HardeningConverter());
         testSubject.configureXStream( xStream );
 
         final String xml = xStream.toXML( settings );

plugins/restlet1x/nexus-restlet1x-plugin/src/test/java/org/sonatype/nexus/rest/global/SmtpSettingsValidationPlexusResourceTest.java

@@ -12,6 +12,7 @@
  */
 package org.sonatype.nexus.rest.global;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
 import static org.sonatype.nexus.rest.global.SmtpSettingsValidationPlexusResource.validateEmail;
@@ -75,6 +76,7 @@ public void unescapeHTMLInSMTPPassword()
 
         // make sure the configuration resource configures xstream to unescape
         final XStream xStream = new XStream();
+        xStream.registerConverter(new HardeningConverter());
         testSubject.configureXStream( xStream );
 
         final String xml = xStream.toXML( settings );

plugins/restlet1x/pom.xml

@@ -29,6 +29,7 @@
 
   <properties>
     <restlet.version>1.1.6-SONATYPE-5348-V8</restlet.version>
+    <versions.java-security-toolkit-xstream>1.0.2</versions.java-security-toolkit-xstream>
   </properties>
 
   <modules>
@@ -164,7 +165,11 @@
           </exclusion>
         </exclusions>
       </dependency>
-
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit-xstream</artifactId>
+        <version>${versions.java-security-toolkit-xstream}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 

testsuite/legacy-testsuite/pom.xml

@@ -170,6 +170,10 @@
       <version>${cargo.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit-xstream</artifactId>
+    </dependency>
   </dependencies>
 
   <profiles>

testsuite/legacy-testsuite/src/test/java/org/sonatype/nexus/testsuite/task/nexus2692/AbstractEvictTaskIt.java

@@ -12,6 +12,7 @@
  */
 package org.sonatype.nexus.testsuite.task.nexus2692;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileInputStream;
@@ -95,6 +96,7 @@ public void setupStorageAndAttributes()
         FileOutputStream fos = null;
 
         XStream xstream = new XStream();
+        xstream.registerConverter(new HardeningConverter());
         xstream.alias( "file", DefaultStorageFileItem.class );
         xstream.alias( "collection", DefaultStorageCollectionItem.class );
         xstream.alias( "link", DefaultStorageLinkItem.class );

testsuite/pom.xml

@@ -34,6 +34,7 @@
     -->
     <testsuite.basedir>${project.basedir}</testsuite.basedir>
     <autoshard.outputDir>${settings.localRepository}/autoshard/${project.groupId}/${project.artifactId}</autoshard.outputDir>
+    <versions.java-security-toolkit-xstream>1.0.2</versions.java-security-toolkit-xstream>
   </properties>
 
   <modules>
@@ -64,7 +65,11 @@
         <version>2.6.0-SNAPSHOT</version>
         <scope>import</scope>
       </dependency>
-
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit-xstream</artifactId>
+        <version>${versions.java-security-toolkit-xstream}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 

testsupport/nexus-test-harness-launcher/pom.xml

@@ -176,6 +176,10 @@
       <artifactId>nexus-indexer-lucene-plugin</artifactId>
       <version>${nexus.version}</version>
     </dependency>
+    <dependency>
+      <groupId>io.github.pixee</groupId>
+      <artifactId>java-security-toolkit-xstream</artifactId>
+    </dependency>
   </dependencies>
 
 </project>

testsupport/nexus-test-harness-launcher/src/main/java/org/sonatype/nexus/test/utils/SecurityConfigUtil.java

@@ -12,6 +12,7 @@
  */
 package org.sonatype.nexus.test.utils;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -91,6 +92,7 @@ public void assertRoleEquals( CRole roleA, CRole roleB )
         Collections.sort( roleB.getPrivileges() );
 
         XStream xStream = new XStream();
+        xStream.registerConverter(new HardeningConverter());
         String roleStringA = xStream.toXML( roleA );
         String roleStringB = xStream.toXML( roleB );
 

testsupport/nexus-test-harness-launcher/src/main/java/org/sonatype/nexus/test/utils/XStreamFactory.java

@@ -12,6 +12,7 @@
  */
 package org.sonatype.nexus.test.utils;
 
+import io.github.pixee.security.xstream.HardeningConverter;
 import org.sonatype.nexus.rest.MIndexerXStreamConfigurator;
 import org.sonatype.nexus.rest.model.XStreamConfigurator;
 import org.sonatype.plexus.rest.xstream.json.JsonOrgHierarchicalStreamDriver;
@@ -32,6 +33,7 @@ public class XStreamFactory
     public static XStream getXmlXStream()
     {
         XStream xmlXStream = new XStream( new LookAheadXppDriver() );
+        xmlXStream.registerConverter(new HardeningConverter());
         initXStream( xmlXStream );
 
         return xmlXStream;

testsupport/pom.xml

@@ -49,7 +49,11 @@
         <version>2.6.0-SNAPSHOT</version>
         <scope>import</scope>
       </dependency>
-
+      <dependency>
+        <groupId>io.github.pixee</groupId>
+        <artifactId>java-security-toolkit-xstream</artifactId>
+        <version>${versions.java-security-toolkit-xstream}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -61,5 +65,7 @@
       </plugin>
     </plugins>
   </build>
-
+  <properties>
+    <versions.java-security-toolkit-xstream>1.0.2</versions.java-security-toolkit-xstream>
+  </properties>
 </project>