Bump xstream from 1.4.17 to 1.4.18 #1917
Conversation
Bumps [xstream](https://github.com/x-stream/xstream) from 1.4.17 to 1.4.18.
- [Release notes](https://github.com/x-stream/xstream/releases)
- [Commits](https://github.com/x-stream/xstream/commits)
---
updated-dependencies:
- dependency-name: com.thoughtworks.xstream:xstream
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Looks good to me 👍
With version 1.4.18 of XStream, unspecified types are no longer supported by default in XStream (as described in their release notes here: https://x-stream.github.io/changes.html#1.4.18). To keep XStream as the default serializer, at least Axon's types should be included by default. Users should also be able to disable this default if required. #1917
- Update code style of touched files - Fix warnings - Fix typos #1917
LGTM
Remove unused eq() invocation #1917
Kudos, SonarCloud Quality Gate passed!
Hi all, just as a heads up. XStream changed the security mechanism in 1.4.18 due to a CVE and it is causing regression in projects using Axon and Spring. x-stream/xstream#264 Might be interesting to check out these discussions as well.
Hi @sanderino666, thanks for the heads-up. We are aware of the discussions around XStream's security changes. Axon doesn't do much in terms of XStream configuration (basically leaving it to defaults). Basically, the default has changed from "allow all unless specified" to "reject all unless specified". That means the configuration should also be modified. We're currently discussing how we can make the impact of this change minimal. Not upgrading is not an option, since security should be everyone's no. 1 priority. Serializers are components at the edge of an application, and simply need to be secure. So we prefer to go along with the "keep it closed by default", but that would indeed mean a breaking change for existing users...
Hi @abuijze, completely agree! I can easily reproduce the issue, so if you need me to test on a snapshot, let me know.
…tworks.xstream-xstream-1.4.18
Adjust the XStreamSerializer to no longer set a default XStream instance Also deprecate the defaultSerializer method, stating the security warning shared by XStream. #1917
Add an xstream version property and use it for the messaging package. Also update the autoconfiguration package to have an optional XStream dependency #1917
Remove the default XStreamSerializer from the JPA and JDBC storage engine implementations. The tests should be adjusted to use a secure XStreamSerializer. The Javadoc should be adjusted accordingly. #1917
Remove the default XStreamSerializer from the QuartzDeadlineManager and QuartzEventScheduler #1917
Remove the default XStreamSerializer from the JpaSagaStore and JdbcSagaStore implementations. Adjusts the tests to use a secured version of XStream on an XStreamSerializer. Update the JavaDoc accordingly. #1917
Set a secured XStreamSerializer through the TestSerializer #1917
Set a secured XStreamSerializer through the TestSerializer #1917
Set an XStream instance for the XStreamSerializer. Using the XStreamSerializer default configuration to secure axon components is sufficient. #1917
Add more default aliases to the AbstractXStreamSerializer, for queries, results and deadlines. #1917
Remove the default XStreamSerializer from the AxonServerEventScheduler and AxonServerEventStore. Also ensure a working XStreamSerializer is provided through the TestSerializer for every test class utilizing serialization. #1917
Update the used XStreamSerializer to ascertain that it uses a dedicated XStream instance. #1917
Introduce an XStreamAutoConfiguration, that checks for the ComponentScan annotated beans to deduce what the base packages and classes are to add to the security context of an XStream instance. Use this XStream instance when constructing the XStreamSerializer, if it has been configured to be used. #1917
To isolate the logic and to simplify testing, move the ComponentScan searching logic from the XStreamAutoConfiguration to an XStreamSecurityTypeUtility. #1917
Add test case that validates Spring Boot application properties are also taken into account. #1917
Add builders tests to please coverage #1917
…n/axon-4.5.x/com.thoughtworks.xstream-xstream-1.4.18 # Conflicts: # modelling/src/main/java/org/axonframework/modelling/saga/repository/jpa/JpaSagaStore.java
There are a couple of other tests where we could use a TestSerializer as well, but I saw all of that as a nit.
Little thing to not forget, as we talked, is to have a dedicated section in our release notes about the 'breaking changes' we are forced to make because of it.
config/src/test/java/org/axonframework/config/DefaultConfigurerTest.java
legacy/src/test/java/org/axonframework/commandhandling/model/AggregateScopeDescriptorTest.java
legacy/src/test/java/org/axonframework/eventhandling/saga/SagaScopeDescriptorTest.java
…rTest.java Co-authored-by: Lucas Campos <lfgcampos@gmail.com>
Introduce TestSerializer to be used for legacy tests. #1917
…thoughtworks.xstream-xstream-1.4.18' into dependabot/maven/axon-4.5.x/com.thoughtworks.xstream-xstream-1.4.18
To not give a breaking change to users, we return the XStreamSerializer. Whenever the default is used though, we throw a warning stating the users should set the security context consciously. #1917
Allow all types on the defaultSerializer, by allowing all implementation of Object. Log a warning for the user that this isn't secure at all! #1917
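The two XStream configurations discussed in this thread side by side, as an added example (not code from the Axon project or from the PR): the deny-by-default 1.4.18 instance with an explicit allow-list for Axon's own packages and the application's payload types, as the auto-configuration commits above set up, and the allow-everything instance that the deprecated default serializer falls back to and warns about. The package `com.example.axon`, the `OrderPlaced` and `Unregistered` classes and the `XStreamSerializer.builder().xStream(...)` wiring are assumptions made for this example.

```java
package com.example.axon; // hypothetical application package, an assumption for this example

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import org.axonframework.serialization.SerializedObject;
import org.axonframework.serialization.xml.XStreamSerializer;

/**
 * Added example, not Axon code. XStream 1.4.18 rejects every type that is not
 * explicitly allowed. Axon components serialize their own types (saga state,
 * tracking tokens, scope descriptors, ...), so an allow-list needs the
 * org.axonframework packages plus the application's own payload types.
 */
public final class XStreamSecurityExample {

    /** Constructed sample event payload; not a real Axon or application type. */
    public static final class OrderPlaced {
        public String orderId;
        public int amount;

        public OrderPlaced(String orderId, int amount) {
            this.orderId = orderId;
            this.amount = amount;
        }
    }

    /** Constructed type that is deliberately left off the allow-list. */
    public static final class Unregistered {
        public String note = "never allow-listed";
    }

    /**
     * Secured configuration: the 1.4.18 deny-by-default plus an explicit allow-list.
     * The wildcard covers Axon's own types; the application type is listed by class
     * here, whereas Axon's Spring Boot auto-configuration derives package wildcards
     * from the ComponentScan base packages instead.
     */
    public static XStream securedXStream() {
        XStream xstream = new XStream();
        xstream.allowTypesByWildcard(new String[] {"org.axonframework.**"});
        xstream.allowTypes(new Class<?>[] {OrderPlaced.class});
        return xstream;
    }

    /**
     * Pre-1.4.18 behaviour reproduced on purpose: any class named in the XML is
     * instantiated. This is what "allow all implementations of Object" amounts to;
     * it is the insecure setting the deprecated default warns about.
     */
    public static XStream permissiveXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(AnyTypePermission.ANY);
        return xstream;
    }

    public static void main(String[] args) {
        XStream secured = securedXStream();

        // Wiring into Axon: builder().xStream(...) is assumed to be the 4.5.x builder
        // method; the serializer then uses the allow-list of the instance it is given.
        XStreamSerializer serializer = XStreamSerializer.builder().xStream(secured).build();
        SerializedObject<byte[]> stored = serializer.serialize(new OrderPlaced("o-1", 42), byte[].class);
        OrderPlaced roundTrip = serializer.deserialize(stored);
        System.out.println("allow-listed type round-trips: " + roundTrip.orderId + "/" + roundTrip.amount);

        // XML naming a type outside the allow-list, produced with the permissive instance
        // so the encoded class name is exactly what XStream would look up on the way in.
        String foreignXml = permissiveXStream().toXML(new Unregistered());

        try {
            secured.fromXML(foreignXml);
            System.out.println("BUG: unregistered type was accepted");
        } catch (ForbiddenClassException e) {
            // Expected with 1.4.18 defaults: the type is refused before it is instantiated.
            System.out.println("secured instance rejected: " + e.getMessage());
        }

        // The permissive instance accepts the same document without complaint.
        Object accepted = permissiveXStream().fromXML(foreignXml);
        System.out.println("permissive instance accepted: " + accepted.getClass().getName());
    }
}
```

The check a practitioner wants here is the `ForbiddenClassException` branch: run this against the serializer actually wired into the event store and saga store, not a fresh `XStream`, because each `XStreamSerializer` carries its own instance and only the instance you configured is protected.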
SonarCloud Quality Gate failed.
Sonar complains about unreached new log lines. As we're not in the habit of validating log lines, we will ignore the coverage level warning. Furthermore, @abuijze and I verbally reviewed this pull request. Hence, approval from his end is added to this resolution.