TRUNK-6188: Add whitelisting for components loaded via XStream

dkayiwa · dkayiwa · commit c88eb0edf143 · 2024-11-22T15:47:12.000+03:00
diff --git a/api/src/main/java/org/openmrs/module/reporting/serializer/ReportingSerializer.java b/api/src/main/java/org/openmrs/module/reporting/serializer/ReportingSerializer.java
@@ -85,6 +85,42 @@ public Object unmarshal(HierarchicalStreamReader reader, Object root) {
 	    xstream.registerConverter(new IndicatorConverter(mapper, converterLookup));
 
 		xstream.registerConverter(new ReportDefinitionConverter(mapper, converterLookup));
+		
+		setupXStreamSecurity(xstream);
+	}
+	
+	private void setupXStreamSecurity(XStream xstream) throws SerializationException {
+		
+		if (!isPlatformTwoPointSevenOrAbove()) {
+			return;
+		}
+		
+		
+    	try {
+			SimpleXStreamSerializer serializer = Context.getRegisteredComponent("simpleXStreamSerializer", SimpleXStreamSerializer.class);
+			if (serializer != null) {
+				try {
+					Method method = serializer.getClass().getMethod("initXStream", XStream.class);
+					method.invoke(serializer, xstream);
+				}
+				catch (Exception ex) {
+					throw new SerializationException("Failed to set up XStream Security", ex);
+				}
+			}
+    	}
+    	catch (APIException ex) {
+    		//Ignore APIException("Error during getting registered component) for platform versions below 2.7.0
+    	}
+	}
+	
+	private boolean isPlatformTwoPointSevenOrAbove() {
+		try {
+			Class.forName("org.openmrs.ConceptReferenceRange");
+			return true;
+		}
+		catch (ClassNotFoundException exception) {
+			return false;
+		}
 	}
 	
 	@Override
