From cc044978fb430353dee41fc926936a144d23a96d Mon Sep 17 00:00:00 2001
From: "Jamin W. Collins"
Date: Sat, 18 Aug 2018 09:58:24 -0600
Subject: [PATCH] configure XStream security for GauntletIO
Catching the ConversionException prevents Gauntlet saves from being deleted in the event of improper or incomplete security settings on XStream. The null check in CSubmenuGauntletContests avoids an exception should there be no Gauntlet saves.
Signed-off-by: Jamin W. Collins
---
 .../gauntlet/CSubmenuGauntletContests.java | 10 +++---
 .../main/java/forge/gauntlet/GauntletIO.java | 34 +++++++++++++++++++
 2 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/forge-gui-desktop/src/main/java/forge/screens/home/gauntlet/CSubmenuGauntletContests.java b/forge-gui-desktop/src/main/java/forge/screens/home/gauntlet/CSubmenuGauntletContests.java
index da752354622..a0bba9a7f20 100644
--- a/forge-gui-desktop/src/main/java/forge/screens/home/gauntlet/CSubmenuGauntletContests.java
+++ b/forge-gui-desktop/src/main/java/forge/screens/home/gauntlet/CSubmenuGauntletContests.java
@@ -67,10 +67,12 @@ public enum CSubmenuGauntletContests implements ICDoc {
     private void updateData() {
         final File[] files = GauntletIO.getGauntletFilesLocked();
         final List data = new ArrayList();
-        for (final File f : files) {
-            final GauntletData gd = GauntletIO.loadGauntlet(f);
-            if (gd != null) {
-                data.add(gd);
+        if (files != null) {
+            for (final File f : files) {
+                final GauntletData gd = GauntletIO.loadGauntlet(f);
+                if (gd != null) {
+                    data.add(gd);
+                }
             }
         }
 
diff --git a/forge-gui/src/main/java/forge/gauntlet/GauntletIO.java b/forge-gui/src/main/java/forge/gauntlet/GauntletIO.java
index df6269dfe26..065146f68e0 100644
--- a/forge-gui/src/main/java/forge/gauntlet/GauntletIO.java
+++ b/forge-gui/src/main/java/forge/gauntlet/GauntletIO.java
@@ -7,10 +7,22 @@ import java.io.FileOutputStream; import java.io.FilenameFilter; import java.io.IOException; import java.io.InputStreamReader; +import java.util.ArrayList; +import java.util.EnumMap; +import java.util.List; import java.util.Map.Entry; +import java.util.SortedSet; +import java.util.TreeMap; import java.util.zip.GZIPInputStream; import java.util.zip.GZIPOutputStream; +import com.thoughtworks.xstream.converters.ConversionException; +import com.thoughtworks.xstream.security.NoTypePermission; +import com.thoughtworks.xstream.security.NullPermission; +import com.thoughtworks.xstream.security.PrimitiveTypePermission; +import forge.deck.Deck; +import forge.deck.DeckSection; +import forge.error.BugReporter; import org.apache.commons.lang3.StringUtils; import com.thoughtworks.xstream.XStream; @@ -40,6 +52,25 @@ public class GauntletIO { protected static XStream getSerializer(final boolean isIgnoring) { final XStream xStream = isIgnoring ? new IgnoringXStream() : new XStream(); + // clear out existing permissions and set our own + xStream.addPermission(NoTypePermission.NONE); + // allow some basics + xStream.addPermission(NullPermission.NULL); + xStream.addPermission(PrimitiveTypePermission.PRIMITIVES); + xStream.allowTypeHierarchy(String.class); + xStream.allowTypeHierarchy(EnumMap.class); + xStream.allowTypeHierarchy(ArrayList.class); + xStream.allowTypeHierarchy(CardPool.class); + xStream.allowTypeHierarchy(SortedSet.class); + xStream.allowTypeHierarchy(Deck.class); + xStream.allowTypeHierarchy(TreeMap.class); + xStream.allowTypeHierarchy(List.class); + xStream.allowTypeHierarchy(DeckSection.class); + // allow any type from the same package + xStream.allowTypesByWildcard(new String[] { + GauntletIO.class.getPackage().getName()+".*", + String.class.getPackage().getName()+".*" + }); xStream.registerConverter(new DeckSectionToXml()); xStream.autodetectAnnotations(true); return xStream; 
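Review bot: The second entry handed to allowTypesByWildcard, `String.class.getPackage().getName()+".*"`, resolves to `java.lang.*` and admits every class directly in java.lang, which is far wider than the "basics" the earlier comment describes — String is already covered by `allowTypeHierarchy(String.class)` and the boxed primitives by `PrimitiveTypePermission.PRIMITIVES`, so this entry only widens the allowlist beyond what a Gauntlet save should need. I would drop it and keep `xStream.allowTypesByWildcard(new String[] { GauntletIO.class.getPackage().getName()+".*" });`, and if some other java.lang type turns out to be present in existing saves, name it explicitly via `allowTypes` rather than by wildcard. The `allowTypeHierarchy(List.class)` and `allowTypeHierarchy(SortedSet.class)` lines likewise accept any implementation on the classpath; if the saves only ever hold ArrayList and TreeSet, the concrete classes are the tighter choice (worth confirming against the written format, which is outside this hunk). The comment `// allow any type from the same package` should also mention any non-package entry that remains in the array, since today it describes only the first one.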
@@ -93,6 +124,9 @@ public class GauntletIO {
         catch (final IOException e) {
             e.printStackTrace();
         }
+        catch (final ConversionException e) {
+            BugReporter.reportException(e);
+        }
         catch (final Exception e) { //if there's a non-IO exception, delete the corrupt file
             e.printStackTrace();
             isCorrupt = true;
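Review bot: The new catch only intercepts type rejections that XStream has wrapped in a ConversionException; as far as I recall, `ForbiddenClassException` extends `XStreamException` rather than `ConversionException` and is thrown unwrapped when the root element's type is not permitted, so that case still falls through to the generic `catch (final Exception e)` below, sets `isCorrupt`, and the save is deleted — the outcome the commit message wants to avoid. Adding `catch (final ForbiddenClassException e) { BugReporter.reportException(e); }` beside the new clause (with the matching import from `com.thoughtworks.xstream.security`) closes that gap; please verify against the XStream version the project builds with. The enclosing method starts and ends outside this hunk, so how `isCorrupt` is consumed afterwards is not visible here, but if a rejected type should never trigger deletion the distinction matters regardless of which exception carries it.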