Affects: 5.3.4

We are using XStreamMarshaller from spring-oxm for unmarshalling. When trying to upgrade XStream to version 1.4.18 because of a vulnerability, we are facing the issue below.

```
---- Debugging information ----
cause-exception : com.thoughtworks.xstream.security.ForbiddenClassException
cause-message : com.our.class
class : java.util.ArrayList
required-type : java.util.ArrayList
converter-type : com.thoughtworks.xstream.converters.collections.CollectionConverter
path : /list/com.our.class
line number : 1
version : 5.3.4
```
How we are using the XStreamMarshaller:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import com.thoughtworks.xstream.XStream;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.xml.MarshallingHttpMessageConverter;
import org.springframework.oxm.xstream.XStreamMarshaller;

// Registering the XStream-backed converter for application/xml
List<HttpMessageConverter<?>> messageConverters = new ArrayList<HttpMessageConverter<?>>();
MarshallingHttpMessageConverter marshallingHttpConverter = new MarshallingHttpMessageConverter(customizeXStreamMarshaller());
marshallingHttpConverter.setSupportedMediaTypes(Arrays.asList(MediaType.APPLICATION_XML));
messageConverters.add(marshallingHttpConverter);

private XStreamMarshaller customizeXStreamMarshaller() {
    return new XStreamMarshaller() {
        @Override
        protected void customizeXStream(XStream xstream) {
            // Our only security customization before the 1.4.18 upgrade
            xstream.denyTypes(new Class[] {void.class, Void.class});
        }
    };
}
```
Is there any way to resolve this issue?
Thanks, Vijay
Comment From: jhoeller
This is not caused by Spring's XStream integration but rather by XStream 1.4.18 itself, so to be closed on this issue tracker.
Since we're facing similar issues in our own test suite when upgrading to XStream 1.4.18: XStream seems to append such deny permissions to its default NoTypePermission, so it's not actually making a difference (since custom types are denied by default anyway). Doing an explicit `xstream.addPermission(new AnyTypePermission());` first wipes the existing type setup to allow any types by default, then potentially adding types to deny (if everything except for your denied types is supposed to be allowed).
For further help, please reach out to the XStream project or ask on StackOverflow.
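The two configurations discussed above side by side, as an added example that is not code from this thread, from Spring or from XStream. `allowlistedMarshaller()` resets XStream's security framework with `NoTypePermission.NONE` and then re-allows only primitives, null, String, collections and the application's own DTO types, which is the shape XStream's security documentation recommends and which keeps the 1.4.18 default-deny behaviour. `openMarshallerWithDenyList()` is the pattern described in the comment above: `AnyTypePermission.ANY` first, then deny rules; it reinstates the pre-1.4.18 behaviour of unmarshalling any class on the classpath except the denied ones, so it only makes sense when all incoming XML is trusted. The package pattern `com.example.dto.**` is a placeholder assumption standing in for the application's own classes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.xml.MarshallingHttpMessageConverter;
import org.springframework.oxm.xstream.XStreamMarshaller;

public class XStreamSecurityConfig {

    // Hypothetical package holding the application's XML-mapped DTOs (placeholder, not from the thread).
    private static final String DTO_PACKAGE_PATTERN = "com.example.dto.**";

    /**
     * Allowlist configuration: everything is forbidden unless listed here.
     * Permissions added later are evaluated first, so NONE acts as the fallback.
     */
    static XStreamMarshaller allowlistedMarshaller() {
        return new XStreamMarshaller() {
            @Override
            protected void customizeXStream(XStream xstream) {
                xstream.addPermission(NoTypePermission.NONE);          // reset: deny everything
                xstream.addPermission(NullPermission.NULL);            // allow null references
                xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
                xstream.allowTypes(new Class[] { String.class });
                xstream.allowTypeHierarchy(Collection.class);          // ArrayList etc. from the stack trace
                xstream.allowTypesByWildcard(new String[] { DTO_PACKAGE_PATTERN });
            }
        };
    }

    /**
     * Open configuration from the comment above: allow any type, then deny selected ones.
     * This re-enables unmarshalling of arbitrary classpath types; use only for trusted input.
     */
    static XStreamMarshaller openMarshallerWithDenyList() {
        return new XStreamMarshaller() {
            @Override
            protected void customizeXStream(XStream xstream) {
                xstream.addPermission(AnyTypePermission.ANY);
                xstream.denyTypes(new Class[] { void.class, Void.class });
            }
        };
    }

    /** Registers the allowlisted marshaller for application/xml, mirroring the original setup. */
    static List<HttpMessageConverter<?>> messageConverters() {
        MarshallingHttpMessageConverter converter =
                new MarshallingHttpMessageConverter(allowlistedMarshaller());
        converter.setSupportedMediaTypes(Arrays.asList(MediaType.APPLICATION_XML));
        List<HttpMessageConverter<?>> converters = new ArrayList<HttpMessageConverter<?>>();
        converters.add(converter);
        return converters;
    }
}
```

With the allowlist variant, a payload naming a class outside the listed types still fails with `ForbiddenClassException`, which is the intended outcome; the fix for the error in the original post is to add the application's own types (here via `allowTypesByWildcard`) rather than to remove the check.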
Comment From: sagga001
@vijayanandof It seems this discussion is closed already. On XStream they say we need to check on the Spring forum, and on the Spring forum it's the reverse. Any way out, anyone?