Detect input manipulation in c.t.x.io.binary.BinaryStreamReader.

joehni · joehni · commit c8a939075f99 · 2024-09-18T20:19:13.000+02:00
diff --git a/xstream-distribution/src/content/changes.html b/xstream-distribution/src/content/changes.html
@@ -1,7 +1,7 @@
 <html>
 <!--
  Copyright (C) 2005, 2006 Joe Walnes.
- Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 XStream committers.
+ Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024 XStream committers.
  All rights reserved.
  
  The software in this package is published under the terms of the BSD
@@ -116,6 +116,7 @@ <h2>Minor changes</h2>
 		<li>GHPR:#334: Fix remaining buffer size calculation in QuickWriter (by Higuchi Yuta).</li>
 		<li>GHI:#342: Optimize internal handling of children in DomReader avoiding O(n²) access times for siblings (by Shiang-Yun Yang).</li>
 		<li>GHI:#359: Add KEYS file with public keys to verify signed artifacts.</li>
+		<li>Detect input manipulation in c.t.x.io.binary.BinaryStreamReader.</li>
 	</ul>
 
 	<h2>API changes</h2>
diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2011, 2013, 2014, 2015, 2018 XStream Committers.
+ * Copyright (C) 2006, 2007, 2011, 2013, 2014, 2015, 2018, 2024 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -22,6 +22,7 @@
 import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
 import com.thoughtworks.xstream.io.StreamException;
+import com.thoughtworks.xstream.security.InputManipulationException;
 
 
 /**
@@ -165,14 +166,19 @@ public int getLevel() {
     private Token readToken() {
         if (pushback == null) {
             try {
-                final Token token = tokenFormatter.read(in);
-                switch (token.getType()) {
-                case Token.TYPE_MAP_ID_TO_VALUE:
-                    idRegistry.put(token.getId(), token.getValue());
-                    return readToken(); // Next one please.
-                default:
-                    return token;
-                }
+                boolean mapping = false;
+                do {
+                    final Token token = tokenFormatter.read(in);
+                    switch (token.getType()) {
+                    case Token.TYPE_MAP_ID_TO_VALUE:
+                        idRegistry.put(token.getId(), token.getValue());
+                        mapping ^= true;
+                        continue; // Next one please.
+                    default:
+                        return token;
+                    }
+                } while (mapping);
+                throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
             } catch (final IOException e) {
                 throw new StreamException(e);
             }
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2018, 2019, 2021 XStream Committers.
+ * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2018, 2019, 2021, 2024 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -13,13 +13,15 @@
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
 import java.io.StringReader;
 
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
 import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
 import com.thoughtworks.xstream.io.copy.HierarchicalStreamCopier;
 import com.thoughtworks.xstream.io.xml.AbstractReaderTest;
 import com.thoughtworks.xstream.io.xml.MXParserDriver;
+import com.thoughtworks.xstream.security.InputManipulationException;
 
 
 public class BinaryStreamTest extends AbstractReaderTest {
@@ -79,4 +81,19 @@ public void testHandlesMoreThan256Ids() {
             }
         }
     }
+
+    @SuppressWarnings("resource")
+    public void testHandleMaliciousInputsOfIdMappingTokens() {
+        // Insert two successive id mapping tokens into the stream
+        final byte[] byteArray = new byte[8];
+        byteArray[0] = byteArray[4] = 10;
+        byteArray[1] = byteArray[5] = -127;
+
+        final InputStream in = new ByteArrayInputStream(byteArray);
+        try {
+            new BinaryStreamReader(in);
+            fail("Thrown " + InputManipulationException.class.getName() + " expected");
+        } catch (final InputManipulationException e) {
+        }
+    }
 }
