TRUNK-6188 Upgrade xstream and migrate to whitelisting

[rkorytkowski]

Description of what I changed

Issue I worked on

see https://issues.openmrs.org/browse/TRUNK-6188

Checklist: I completed these to help reviewers :)

• My IDE is configured to follow the code style of this project.

  No? Unsure? -> configure your IDE, format the code and add the changes with git add . && git commit --amend

• I have added tests to cover my changes. (If you refactored
  existing code that was well tested you do not have to add tests)

  No? -> write tests and add them to this commit git add . && git commit --amend

• I ran mvn clean package right before creating this pull request and
  added all formatting changes to my commit.

  No? -> execute above command

• All new and existing tests passed.

  No? -> figure out why and add the fix to your commit. It is your responsibility to make sure your code works.

• My pull request is based on the latest changes of the master branch.

  No? Unsure? -> execute command git pull --rebase upstream master

[rkorytkowski]

Please let me handle the merge and back-porting after reviews are done.

[ibacher]

So, one of the things we'd ideally want to prevent is serializing or deserializing org.openmrs.util.OpenmrsClassLoader.

What would you think of a rule like:

xstream.allowTypeHierachy(OpenmrsObject.class);
// may be others, but these are the common exceptions to the above:
xstream.allowTypes(LayoutTemplate.class, ComplexData.class);

[rkorytkowski]

Yeah, I was thinking of any classes that may be risky in org.openmrs, but I didn't come up with an obvious OpenmrsClassLoader... It seems that it may be better indeed to be less permissive and do as you suggested. I'll need to check what is needed for the Reporting module so that most obvious use cases are covered out of the box.

[mseaton]

Generally looks good to me @rkorytkowski . Made a few comments.

[mseaton]

Why add this here, if we are also adding this as a hard-coded value within the getSerializerWhitelistTypes method? Can we just add the fixed, hard-coded values in one place?

[rkorytkowski]

It's duplicated in cases when adminService is not passed so we still have some basic setup. I'll move that line to the else statement just to be explicit with the intention.

[mseaton]

Can we rename this to just clearly distinguish between this private member variable and the xstream argument passed into the static methods below?

[rkorytkowski]

Renamed arguments in methods instead.

[rkorytkowski]

@ibacher updated to use a hierarchy of common types.

[github-actions]

tl;dr our action detected no activity on this PR and will close it in 30 days if the stale label is not removed.

OpenMRS welcomes your contribution! It means a lot to us that you want to contribute to equity in healthcare!

This PR has not seen any activity in the last 5 months. That is why we wanted to check whether you are still working on it or need assistance from our side.
Please note that this is an automated message and we might very well be the reason why there has not been any activity lately. We certainly do not want to discourage you from contributing. We do need to be honest in that OpenMRS has limited resources for reviewing PRs.

If you do not have time to continue the work or have moved on you don’t need to do anything. We will automatically close the PR in 30 days. We hope to see you back soon :)
If you would like to continue working on it or require help from us please remove the stale label and respond by commenting on the issue.

[github-actions]

tl;dr our action detected no activity on this PR and will close it in 30 days if the stale label is not removed.

OpenMRS welcomes your contribution! It means a lot to us that you want to contribute to equity in healthcare!

This PR has not seen any activity in the last 5 months. That is why we wanted to check whether you are still working on it or need assistance from our side.
Please note that this is an automated message and we might very well be the reason why there has not been any activity lately. We certainly do not want to discourage you from contributing. We do need to be honest in that OpenMRS has limited resources for reviewing PRs.

If you do not have time to continue the work or have moved on you don’t need to do anything. We will automatically close the PR in 30 days. We hope to see you back soon :)
If you would like to continue working on it or require help from us please remove the stale label and respond by commenting on the issue.

[dkayiwa]

@ibacher do we have a strategy for this? Because after merging this, the reference application fails with errors like you can see here: qa-refapp.openmrs.org

[ibacher]

@dkayiwa That was definitely a risk with this PR, but getting on XStream whitelisting seemed like a must-have. The error on the qa-refapp seems to be this:

WARN - ModuleUtil.refreshApplicationContext(901) |2024-08-06T16:21:11,228| Unable to invoke started() method on the module's activator
org.openmrs.module.ModuleException: Failed to load MDS packages
at org.openmrs.module.referencemetadata.ReferenceMetadataActivator.installMetadataPackages(ReferenceMetadataActivator.java:143) ~[referencemetadata-api-2.14.0-SNAPSHOT.jar:?]
...
Caused by: com.thoughtworks.xstream.security.ForbiddenClassException: org.openmrs.module.emrapi.metadata.MetadataPackagesConfig
...
at org.openmrs.module.emrapi.utils.MetadataUtil.getMetadataPackagesForModule(MetadataUtil.java:144) ~[emrapi.jar:?]
at org.openmrs.module.emrapi.utils.MetadataUtil.setupStandardMetadata(MetadataUtil.java:77) ~[emrapi.jar:?]

So the ReferenceMetadataActivator is failing causing the RefApp module not to start, etc.

The mechanism this PR has for modules that need to extend the supported types is to add a GP like the one in this test that ends with .serializer.whitelist.types. It seems like that needs to include the MetadataPackagesConfig type. I don't see any other places in that module that invoke the XStream deserializer.

We can, however, find other places in code we're using it via this search. It looks like the other module that will need work is openmrs-module-reportingcompatibility.

[rkorytkowski]

We need to revert this one. I'm sorry I haven't marked it as not yet ready for merging explicitly. I didn't mean it be merged before modules are adjusted. I'll get back to this in 2 weeks and fix what's needed.

[ibacher]

Here's a PR that should fix the issue with the EMRAPI part of things.