From 19ba02bfc62bb3d81480d48ec35a677679326639 Mon Sep 17 00:00:00 2001
From: Marian Koncek
Date: Tue, 31 Aug 2021 09:01:09 +0200
Subject: [PATCH] Fix CVEs-2021-391XX

---
 .../src/java/com/thoughtworks/xstream/XStream.java | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index 204d13b..6fc5e56 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -564,6 +564,10 @@ public class XStream {
 "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator", //
 "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
 "sun.swing.SwingLazyValue"});
+
+ // CVE-2021-391**
+ denyTypesByWildcard(new String[]{ "sun.reflect.**", "sun.tracing.**", "com.sun.corba.**" });
+
 denyTypesByRegExp(new Pattern[]{
 LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL,
@@ -571,6 +575,13 @@ public class XStream {
 // CVE-2021-29505
 Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*"),
 Pattern.compile("(?:java|sun)\\.rmi\\..*"),
+
+ // CVE-2021-391**
+ Pattern.compile(".*\\.ws\\.client\\.sei\\..*"),
+ Pattern.compile(".*\\$ProxyLazyValue"),
+ Pattern.compile("com\\.sun\\.jndi\\..*Enumerat(?:ion|or)"),
+ Pattern.compile(".*\\$URLData"),
+ Pattern.compile(".*\\.xsltc\\.trax\\.TemplatesImpl"),
 });
 denyTypeHierarchy(InputStream.class);
 denyTypeHierarchyDynamically("java.nio.channels.Channel");
-- 
2.31.1
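Review bot: The new comment `// CVE-2021-391**` above the `denyTypesByWildcard` call (and its twin in the second hunk) does not say which advisories the three wildcard denials address, while the neighbouring entry in the same method is tagged precisely with `// CVE-2021-29505`; spell out every identifier, e.g. `// CVE-2021-<id>, CVE-2021-<id>: deny sun.reflect, sun.tracing and com.sun.corba types`, so the denylist can be audited against the advisories. Because this change only extends the built-in denylist, the commit message or the class Javadoc should also remind integrators that an explicit allow-list via `allowTypes`/`allowTypesByWildcard` remains the recommended hardening and does not depend on these entries. The enclosing method starts and ends outside the hunk.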
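Review bot: The five added denials are inline `Pattern.compile` literals, whereas the earlier entries of the same array are named constants (`LAZY_ITERATORS`, `GETTER_SETTER_REFLECTION`, `JAVAX_CRYPTO`, `BCEL_CL`), so the array now mixes two styles and the new regexes carry no explanation of what they block; extract each into a `private static final Pattern` with a one-line Javadoc naming the advisory and the type family (for example a constant for `".*\\.xsltc\\.trax\\.TemplatesImpl"` documented as denying the XSLTC templates class). Each pattern also deserves a unit test against the fully qualified class names from the advisory, since forms such as `.*\\$URLData` and `.*\\.xsltc\\.trax\\.TemplatesImpl` appear to rely on matching the whole type name and a small escaping slip would leave the type permitted without any failure at startup. The enclosing method starts and ends outside the hunk.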