external-repos/forge
1
0
Fork 0
mirror of https://github.com/Card-Forge/forge.git synced 2025-11-20 12:48:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

configure XStream security for QuestPetStorage

Browse Source 
Signed-off-by: Jamin W. Collins <jamin.collins@gmail.com>
This commit is contained in:
Jamin W. Collins
2018-08-18 10:23:21 -06:00
parent 0e2f47dc8c
commit efcee72780
1 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
forge-gui/src/main/java/forge/quest/bazaar/QuestPetStorage.java
View File

@@ -1,6 +1,9 @@
package forge.quest.bazaar; package forge.quest.bazaar;
import com.thoughtworks.xstream.XStream; import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import forge.quest.data.QuestAssets; import forge.quest.data.QuestAssets;
import forge.util.IgnoringXStream; import forge.util.IgnoringXStream;
import forge.util.XmlUtil; import forge.util.XmlUtil;
@@ -42,6 +45,17 @@ public class QuestPetStorage {
final Document document = builder.parse(file); final Document document = builder.parse(file);
final XStream xs = new IgnoringXStream(); final XStream xs = new IgnoringXStream();
// clear out existing permissions and set our own
xs.addPermission(NoTypePermission.NONE);
// allow some basics
xs.addPermission(NullPermission.NULL);
xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
xs.allowTypeHierarchy(String.class);
// allow any type from the same package
xs.allowTypesByWildcard(new String[] {
QuestPetStorage.class.getPackage().getName()+".*"
});
xs.autodetectAnnotations(true); xs.autodetectAnnotations(true);
final NodeList xmlPets = document.getElementsByTagName("pets").item(0).getChildNodes(); final NodeList xmlPets = document.getElementsByTagName("pets").item(0).getChildNodes();