From fec122eefcae6e563f02635cc77ff704da301ddd Mon Sep 17 00:00:00 2001
From: Marian Koncek
Date: Tue, 8 Jun 2021 15:53:43 +0200
Subject: [PATCH] Fix CVE-2021-29505

---
 .../src/java/com/thoughtworks/xstream/XStream.java | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index cdc4673..204d13b 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -548,12 +548,12 @@ public class XStream {
             annotationConfiguration = (AnnotationConfiguration)this.mapper
                 .lookupMapperOfType(AnnotationConfiguration.class);
         }
-    
+
     protected void setupSecurity() {
         if (securityMapper == null) {
             return;
         }
-    
+
         addPermission(AnyTypePermission.ANY);
         denyTypes(new String[]{
             "java.beans.EventHandler", //
@@ -566,7 +566,12 @@ public class XStream {
             "sun.swing.SwingLazyValue"});
         denyTypesByRegExp(new Pattern[]{
             LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
-            JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
+            JAVAFX_OBSERVABLE_LIST__, BCEL_CL,
+
+            // CVE-2021-29505
+            Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*"),
+            Pattern.compile("(?:java|sun)\\.rmi\\..*"),
+            });
         denyTypeHierarchy(InputStream.class);
         denyTypeHierarchyDynamically("java.nio.channels.Channel");
         denyTypeHierarchyDynamically("javax.activation.DataSource");
-- 
2.31.1
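Review bot: The two new deny patterns in the second hunk are compiled inline inside the `denyTypesByRegExp` array, unlike the sibling entries (`LAZY_ITERATORS`, `BCEL_CL`, …) which are referenced as named constants; since `setupSecurity()` runs per XStream instance, this recompiles the regexes on every construction and leaves the CVE reference as the only hint of what the patterns deny. Hoist them next to the existing constants (declared outside this hunk) as `private static final Pattern LAZY_ENUMERATIONS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");` and `private static final Pattern RMI_TYPES = Pattern.compile("(?:java|sun)\\.rmi\\..*");`, then reference them with `JAVAFX_OBSERVABLE_LIST__, BCEL_CL, LAZY_ENUMERATIONS, RMI_TYPES});`. A comment on the constants such as `// CVE-2021-29505: lazy enumeration wrappers and the RMI namespace are denied` would make the intent readable without looking up the advisory. Note that this remains an additive entry in a denylist following `addPermission(AnyTypePermission.ANY)`, so deployments that can enumerate their expected types are still better served by an explicit allowlist; the body of `setupSecurity()` continues past the end of the hunk. The first hunk is whitespace-only.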