XStream warning on 3.10.1 and 3.11.0

[jonbartels]

ERROR 2021-07-22 19:00:19,021 [Main Server Thread] Server: Security framework of XStream not initialized, XStream is probably vulnerable.

https://stackoverflow.com/a/45152845/228371 has a quick reference and links to detailed information.

My discussion here is - How can I write this up as an effective issue (or maybe even a PR)? I think the scope would be to find places where MC initializes XStream. Then for those instances or usages then define the correct scope for com.mirth classes which should be (de)serialized by XStream.

[narupley]

Just to confirm, is that happening because you're using the Mirth Results v2 (Results CDR) extension? Or is it still happening in other cases? We have a ticket we're working on for this right now actually, but I think it's only happening because of something inside the Mirth Results JARs that get downloaded. We do initialize XStream, but my guess is those libraries are somehow resetting it, or creating new instances of XStream that are not initialized.

[jonbartels]

To my immediate knowledge, this is on a fresh install of MC 3.10.1 and 3.11.0 without any extensions from any vendor. I'll double check that with the engineer that showed me the error.

We can rule out MR - this wasn't in an environment where MR is in play. FWIW I vaguely remember this coming up in MR sometime when Dan K. and I were working on that product but I don't recall the exact issue or when.

I observe in MC that XStream in MC is wrapped by the Donkey XStreamSerializer and does set up permissions which should handle this warning at

connect/donkey/src/main/java/com/mirth/connect/donkey/util/xstream/XStreamSerializer.java

Line 73 in 0a5c52f

xstream.addPermission(AnyTypePermission.ANY);

. That does seem like a local issue with some custom library in my environment. D'oh!

[jonbartels]

FWIW I cloned https://github.com/x-stream/xstream and checked out the 1.4.7 tag. I can't find where that specific error string is coming from in XStream in that older version.

I have an MC related project here that uses XStream 1.4.12 where that error appears in https://github.com/x-stream/xstream/blob/6ec37c8d0129ce73d3264958d1deb38eeb08eea5/xstream/src/java/com/thoughtworks/xstream/XStream.java#L1485 . This project uses that newer version of XStream to stay in line with MC 3.10.0 and newer which also uses XStream 1.4.12.

Does that sound similar to the issue NG is chasing internally with MR libraries in MC?

(Sorry for the edits. I was digging on the issue while replying)

[jonbartels]

We fixed this our code by setting addPermission(AnyTypePermission.ANY); . HTH!