
Commit 3287437

committed
TRUNK-6218: Enable XStream whitelisting on OpenMRS Core 2.7.0 and after
1 parent 6db57c4 commit 3287437


1 file changed

+25
-0
lines changed


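--- a/api/src/main/java/org/openmrs/module/reporting/serializer/ReportingSerializer.java
+++ b/api/src/main/java/org/openmrs/module/reporting/serializer/ReportingSerializer.java
@@ -16,6 +16,7 @@
 
 import org.openmrs.api.APIException;
 import org.openmrs.api.context.Context;
+import org.openmrs.module.VersionComparator;
 import org.openmrs.module.serialization.xstream.XStreamShortSerializer;
 import org.openmrs.module.serialization.xstream.mapper.CGLibMapper;
 import org.openmrs.module.serialization.xstream.mapper.HibernateCollectionMapper;
@@ -32,6 +33,7 @@
 import com.thoughtworks.xstream.io.xml.DomDriver;
 import com.thoughtworks.xstream.mapper.Mapper;
 import com.thoughtworks.xstream.mapper.MapperWrapper;
+import org.openmrs.util.OpenmrsConstants;
 
 
 public class ReportingSerializer extends XStreamShortSerializer {
@@ -85,6 +87,11 @@ public Object unmarshal(HierarchicalStreamReader reader, Object root) {
 xstream.registerConverter(new IndicatorConverter(mapper, converterLookup));
 
 xstream.registerConverter(new ReportDefinitionConverter(mapper, converterLookup));
+
+// Only setup XStreamSecurity only on versions that are after 2.7.0
+if (new VersionComparator().compare(OpenmrsConstants.OPENMRS_VERSION, "2.7.0") >= 0) {
+setupXStreamSecurity(xstream);
+}
 }
 
 @Override
@@ -115,4 +122,22 @@ public void serializeToStream(Object object, OutputStream out) {
 throw new IllegalStateException("Unsupported encoding", e);
 }
 }
+
+
+private void setupXStreamSecurity(XStream xstream) throws SerializationException {
+try {
+SimpleXStreamSerializer serializer = Context.getRegisteredComponent("simpleXStreamSerializer", SimpleXStreamSerializer.class);
+if (serializer != null) {
+try {
+Method method = serializer.getClass().getMethod("initXStream", XStream.class);
+method.invoke(serializer, xstream);
+}
+catch (Exception ex) {
+throw new SerializationException("Failed to set up XStream Security", ex);
+}
+}
+}
+catch (APIException ex) {
+//Ignore APIException("Error during getting registered component) for platform versions below 2.7.0
+}
+}
 }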
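Review bot: setupXStreamSecurity fails open: when `Context.getRegisteredComponent` throws APIException or returns null, the method returns silently and the XStream instance keeps its default type permissions, with nothing written to the log. The catch comment justifies swallowing the exception for platform versions below 2.7.0, but the call is already gated to 2.7.0 and later by the VersionComparator check in the previous hunk, so on the versions that actually reach this code a missing `simpleXStreamSerializer` component is unexpected and should at least be logged, e.g. `log.warn("XStream security not configured: simpleXStreamSerializer unavailable", ex);`, or rethrown as SerializationException if whitelisting is required for the deployment. The same applies to the `serializer != null` branch, which has no else. The gating comment `// Only setup XStreamSecurity only on versions that are after 2.7.0` also misstates the `>= 0` condition; `// Only set up XStream security on OpenMRS 2.7.0 and later` is accurate. Whether a `log` field exists in this class, and which method encloses the gated call, is not visible in the hunks.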
