From efcee72780bf26c36a792e9bb0254997c4372905 Mon Sep 17 00:00:00 2001
From: "Jamin W. Collins"
Date: Sat, 18 Aug 2018 10:23:21 -0600
Subject: [PATCH] configure XStream security for QuestPetStorage
Signed-off-by: Jamin W. Collins
---
 .../java/forge/quest/bazaar/QuestPetStorage.java | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/forge-gui/src/main/java/forge/quest/bazaar/QuestPetStorage.java b/forge-gui/src/main/java/forge/quest/bazaar/QuestPetStorage.java
index 3e1a9d6bc07..00216780b9f 100644
--- a/forge-gui/src/main/java/forge/quest/bazaar/QuestPetStorage.java
+++ b/forge-gui/src/main/java/forge/quest/bazaar/QuestPetStorage.java
@@ -1,6 +1,9 @@
 package forge.quest.bazaar;
 import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.NullPermission;
+import com.thoughtworks.xstream.security.PrimitiveTypePermission;
 import forge.quest.data.QuestAssets;
 import forge.util.IgnoringXStream;
 import forge.util.XmlUtil;
@@ -42,6 +45,17 @@ public class QuestPetStorage {
 final Document document = builder.parse(file);
 final XStream xs = new IgnoringXStream();
+ // clear out existing permissions and set our own
+ xs.addPermission(NoTypePermission.NONE);
+ // allow some basics
+ xs.addPermission(NullPermission.NULL);
+ xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
+ xs.allowTypeHierarchy(String.class);
+ // allow any type from the same package
+ xs.allowTypesByWildcard(new String[] {
+ QuestPetStorage.class.getPackage().getName()+".*"
+ });
+ xs.autodetectAnnotations(true);
 final NodeList xmlPets = document.getElementsByTagName("pets").item(0).getChildNodes();
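Review bot: The allowlist built by `allowTypesByWildcard` in the second hunk admits every class in `forge.quest.bazaar`, not just the types this loader unmarshals from the pets file, so any class later added to that package becomes instantiable from a save file without anyone revisiting this code. Naming the expected classes explicitly, `xs.allowTypes(new Class[] { /* pet classes read below */ });`, would keep the deserialization surface fixed; which classes those are is not visible in this hunk. `QuestPetStorage.class.getPackage()` can also return null under some class loaders, so a null check or a literal package string would avoid an NPE before the permissions are complete. The enclosing method starts and ends outside the hunk, so whether `builder` is configured to reject DTDs and external entities cannot be confirmed from here.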