From 328743715ec4b1126a16fd235f602753eb4bc535 Mon Sep 17 00:00:00 2001
From: Wikum Weerakutti
Date: Wed, 20 Nov 2024 21:47:21 +0900
Subject: [PATCH] TRUNK-6218: Enable XStream whitelisting on OpenMRS Core 2.7.0 and after

---
 .../serializer/ReportingSerializer.java | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/api/src/main/java/org/openmrs/module/reporting/serializer/ReportingSerializer.java b/api/src/main/java/org/openmrs/module/reporting/serializer/ReportingSerializer.java
index 6b3f761de..77902707f 100644
--- a/api/src/main/java/org/openmrs/module/reporting/serializer/ReportingSerializer.java
+++ b/api/src/main/java/org/openmrs/module/reporting/serializer/ReportingSerializer.java
@@ -16,6 +16,7 @@
 import org.openmrs.api.APIException;
 import org.openmrs.api.context.Context;
+import org.openmrs.module.VersionComparator;
 import org.openmrs.module.serialization.xstream.XStreamShortSerializer;
 import org.openmrs.module.serialization.xstream.mapper.CGLibMapper;
 import org.openmrs.module.serialization.xstream.mapper.HibernateCollectionMapper;
@@ -32,6 +33,7 @@
 import com.thoughtworks.xstream.io.xml.DomDriver;
 import com.thoughtworks.xstream.mapper.Mapper;
 import com.thoughtworks.xstream.mapper.MapperWrapper;
+import org.openmrs.util.OpenmrsConstants;
 
 public class ReportingSerializer extends XStreamShortSerializer {
 
@@ -85,6 +87,11 @@ public Object unmarshal(HierarchicalStreamReader reader, Object root) {
 xstream.registerConverter(new IndicatorConverter(mapper, converterLookup));
 xstream.registerConverter(new ReportDefinitionConverter(mapper, converterLookup));
+
+ // Only setup XStreamSecurity only on versions that are after 2.7.0
+ if (new VersionComparator().compare(OpenmrsConstants.OPENMRS_VERSION, "2.7.0") >= 0) {
+ setupXStreamSecurity(xstream);
+ }
 }
 
 @Override
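Review bot: The version gate `if (new VersionComparator().compare(OpenmrsConstants.OPENMRS_VERSION, "2.7.0") >= 0)` decides whether this XStream instance gets any type whitelist at all, so the comment above it should state the consequence of the skipped branch rather than the doubled "only"; for example `// Core 2.7.0+ exposes SimpleXStreamSerializer.initXStream(XStream) for type whitelisting; on older platforms this XStream keeps its unrestricted default.` Whether VersionComparator orders a development build such as a 2.7.0 snapshot at or above "2.7.0" is not visible here and is worth confirming, since such a build would otherwise run without the whitelist. The enclosing constructor or method starts outside the hunk, so it is also not visible whether it declares `SerializationException` for the new call; presumably it does, as setupXStreamSecurity declares that exception. The `OpenmrsConstants` import this line relies on, added in the previous hunk, lands after the `com.thoughtworks` group instead of with the other `org.openmrs` imports.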
@@ -115,4 +122,22 @@ public void serializeToStream(Object object, OutputStream out) {
 throw new IllegalStateException("Unsupported encoding", e);
 }
 }
+
+ private void setupXStreamSecurity(XStream xstream) throws SerializationException {
+ try {
+ SimpleXStreamSerializer serializer = Context.getRegisteredComponent("simpleXStreamSerializer", SimpleXStreamSerializer.class);
+ if (serializer != null) {
+ try {
+ Method method = serializer.getClass().getMethod("initXStream", XStream.class);
+ method.invoke(serializer, xstream);
+ }
+ catch (Exception ex) {
+ throw new SerializationException("Failed to set up XStream Security", ex);
+ }
+ }
+ }
+ catch (APIException ex) {
+ //Ignore APIException("Error during getting registered component) for platform versions below 2.7.0
+ }
+ }
 }
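Review bot: `setupXStreamSecurity` fails open: when `Context.getRegisteredComponent` throws `APIException`, or when it returns null, the method returns normally and the XStream instance keeps its unrestricted default, with nothing logged to show the whitelist was never applied. The `catch (APIException ex)` comment attributes this to platform versions below 2.7.0, but the only caller (the hunk above) already skips the call on those versions, so on 2.7.0+ a missing `simpleXStreamSerializer` component is a misconfiguration that should surface, e.g. `throw new SerializationException("simpleXStreamSerializer not available; XStream security not configured", ex);`, with at least a WARN log for the null case (the comment's unbalanced quote can be fixed at the same time). The reflective lookup of `initXStream` is presumably there because the module compiles against an older core API; a one-line comment saying so would save the next reader a detour, and since `InvocationTargetException` from `method.invoke` wraps the real failure, `ex.getCause()` is the more useful cause to attach to the rethrown SerializationException in that case. `Method` and `SimpleXStreamSerializer` are not added to the imports by this patch, so presumably the file already imports them; worth confirming.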