Package hudson.util

Class XStream2SecurityUtils

java.lang.Object

hudson.util.XStream2SecurityUtils

@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
public class XStream2SecurityUtils
extends Object

Strongly inspired by https://github.com/x-stream/xstream/blob/61a00fa225dc99488013869b57b772af8e2fea03/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java#L25 and taking into account https://github.com/x-stream/xstream/issues/282 Once the related issue is fixed, we will be able to use the regular method from XStream.

See Also:

• SecurityUtils

Constructor Summary

Constructors

Constructor	Description
XStream2SecurityUtils()

Method Summary

Modifier and Type	Method	Description
static void	checkForCollectionDoSAttack(com.thoughtworks.xstream.converters.UnmarshallingContext context, long startNano)	Check the consumed time adding elements to collections or maps.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

XStream2SecurityUtils

public XStream2SecurityUtils()

Method Details

checkForCollectionDoSAttack

public static void checkForCollectionDoSAttack(com.thoughtworks.xstream.converters.UnmarshallingContext context,
 long startNano)

Check the consumed time adding elements to collections or maps. Every custom converter should call this method after an unmarshalled element has been added to a collection or map. In case of an attack the operation will take too long, because the calculation of the hash code or the comparison of the elements in the collection operate on recursive structures.

Parameters:

context - the unmarshalling context

startNano - the nanoTime just before the element was added to the collection or map

Since:

1.4.19