Package hudson.util

Class XStream2SecurityUtils

java.lang.Object
hudson.util.XStream2SecurityUtils

@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public class XStream2SecurityUtils extends Object
Strongly inspired by https://github.com/x-stream/xstream/blob/61a00fa225dc99488013869b57b772af8e2fea03/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java#L25 and taking into account https://github.com/x-stream/xstream/issues/282 Once the related issue is fixed, we will be able to use the regular method from XStream.
See Also:
  • SecurityUtils
  • Constructor Details

    • XStream2SecurityUtils

      public XStream2SecurityUtils()
  • Method Details

    • checkForCollectionDoSAttack

      public static void checkForCollectionDoSAttack(com.thoughtworks.xstream.converters.UnmarshallingContext context, long startNano)
      Check the consumed time adding elements to collections or maps. Every custom converter should call this method after an unmarshalled element has been added to a collection or map. In case of an attack the operation will take too long, because the calculation of the hash code or the comparison of the elements in the collection operate on recursive structures.
      Parameters:
      context - the unmarshalling context
      startNano - the nanoTime just before the element was added to the collection or map
      Since:
      1.4.19