Vulnerability Alert Using XStreamMarshaller

When using XStreamMarshaller with Spring Batch, I get the following message:

Security framework of XStream not initialized, XStream is probably vulnerable. 

First attempt: following the documentation, I tried to reset all permissions, but I still get the same message. In addition, I do not get a security error when parsing XML files ... Therefore, I believe that this code simply does not work. Here is a sample:

    XStreamMarshaller marshaller = new XStreamMarshaller();
    marshaller.getXStream().addPermission(NoTypePermission.NONE);

Second attempt: I also tried using the setSupportedClasses method, but it does not work (I still get the vulnerability message, and unsupported classes are still unmarshalled correctly):

    XStreamMarshaller marshaller = new XStreamMarshaller();
    marshaller.setSupportedClasses(FooBar.class);

How to set security permissions using XStreamMarshaller?

Note: according to this thread, the Security Framework was introduced in 1.4.7 and is still optional ... but it will be mandatory in XStream 1.5.0!

XStream version used: 1.4.10

Spring Batch version used: 4.0.1

For information, I use Spring Boot (but I'm not sure whether this is relevant here).

+5

3 answers

Solution for the first attempt:

The reason it doesn't work is that XStreamMarshaller creates the XStream instance in afterPropertiesSet without checking whether it has already been created, so we cannot use getXStream() in the @Bean method. To make this work, we can, for example, set up the security configuration by injecting the marshaller into another bean:

    import com.thoughtworks.xstream.XStream;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.oxm.xstream.XStreamMarshaller;

    @Configuration
    public class JobSecurityConfig {

        public JobSecurityConfig(XStreamMarshaller marshaller) {
            XStream xstream = marshaller.getXStream();
            XStream.setupDefaultSecurity(xstream);
            xstream.allowTypes(new Class[]{Bar.class});
        }
    }

Another solution: extend XStreamMarshaller

You can also extend XStreamMarshaller and override only the customizeXStream() method to set up the security configuration.

    @Override
    protected void customizeXStream(XStream xstream) {
        XStream.setupDefaultSecurity(xstream);
        xstream.allowTypes(new Class[]{Bar.class});
    }

Why the "second attempt" does not work:

setSupportedClasses is only used for marshalling!! StaxEventItemReader does not care about supported classes!

+3
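To make the "extend XStreamMarshaller" variant above concrete, here is an added, runnable example (it is not code from the answer or from Spring/XStream). It assumes XStream 1.4.10, the version named in the question, and Spring OXM on the classpath; the Bar, Other and SecureXStreamMarshaller classes, the aliases and the sample XML are all constructed for the example. It shows that the allow-listed type unmarshals while any other type is refused by the security framework, and that customizeXStream() only takes effect once afterPropertiesSet() has run, which is exactly why calling getXStream() inside the @Bean method came too late.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.transform.stream.StreamSource;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import org.springframework.oxm.XmlMappingException;
import org.springframework.oxm.xstream.XStreamMarshaller;

/**
 * Added example (not from the original answer): an XStreamMarshaller subclass
 * that locks down its XStream instance in customizeXStream(), followed by a
 * check that an allow-listed type unmarshals and any other type is refused.
 */
public class SecureMarshallerDemo {

    /** Hypothetical payload type: the only class we allow to be unmarshalled. */
    public static class Bar {
        private String name;
        public String getName() { return name; }
    }

    /** Hypothetical type that is deliberately NOT on the allow-list. */
    public static class Other {
        private String value;
    }

    /** Marshaller whose XStream instance is configured before Spring hands it out. */
    public static class SecureXStreamMarshaller extends XStreamMarshaller {
        @Override
        protected void customizeXStream(XStream xstream) {
            // Start from "deny everything except primitives, strings and a few
            // core JDK types" (XStream 1.4.10+), then allow-list our own types.
            XStream.setupDefaultSecurity(xstream);
            xstream.allowTypes(new Class[]{Bar.class});
            // Aliases keep the sample XML readable; they grant no permission.
            xstream.alias("bar", Bar.class);
            xstream.alias("other", Other.class);
        }
    }

    /** Unmarshals xml and reports whether XStream's security framework rejected it. */
    public static boolean isRejected(XStreamMarshaller marshaller, String xml) throws IOException {
        try {
            marshaller.unmarshal(new StreamSource(new StringReader(xml)));
            return false;
        } catch (XmlMappingException e) {
            // Spring wraps XStream exceptions; look for ForbiddenClassException in the cause chain.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e; // some other mapping problem, not what we are testing for
        }
    }

    public static void main(String[] args) throws Exception {
        SecureXStreamMarshaller marshaller = new SecureXStreamMarshaller();
        // In a Spring context the container calls this after property injection,
        // and only then is customizeXStream() applied. Done by hand here.
        marshaller.afterPropertiesSet();

        // Constructed sample documents.
        String allowedXml = "<bar><name>ok</name></bar>";
        String blockedXml = "<other><value>nope</value></other>";

        Bar bar = (Bar) marshaller.unmarshal(new StreamSource(new StringReader(allowedXml)));
        System.out.println("allowed type unmarshalled: " + bar.getName());
        System.out.println("unlisted type rejected: " + isRejected(marshaller, blockedXml));
    }
}
```

Declaring the subclass as a @Bean (or as the marshaller handed to StaxEventItemReader) is enough: Spring calls afterPropertiesSet(), which builds the XStream instance and runs customizeXStream() before the first unmarshal. Note that from XStream 1.4.18 onward deny-by-default is the built-in behaviour and setupDefaultSecurity is deprecated, so on a newer library only the allowTypes call is needed.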

The XStream website provides information about the Security Framework.

Below are the ways to grant security permissions:

    XStream.addPermission(TypePermission);
    XStream.allowTypes(Class[]);
    XStream.allowTypes(String[]);
    XStream.allowTypesByRegExp(String[]);
    XStream.allowTypesByRegExp(Pattern[]);
    XStream.allowTypesByWildcard(String[]);
    XStream.allowTypeHierarchy(Class);
    XStream.denyPermission(TypePermission);
    XStream.denyTypes(Class[]);
    XStream.denyTypes(String[]);
    XStream.denyTypesByRegExp(String[]);
    XStream.denyTypesByRegExp(Pattern[]);
    XStream.denyTypesByWildcard(String[]);
    XStream.denyTypeHierarchy(Class);

You can also refer to this tutorial.

I hope this helps.

+1
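The list above names the methods but not how they combine, so here is an added example (not from the answer, nor XStream's own code) that uses plain XStream rather than the Spring marshaller. It assumes XStream 1.4.10 and a file compiled in the hypothetical package demo.model; the Order and Refund classes, the aliases and the sample XML are constructed for the example. It clears the default permissions with NoTypePermission.NONE, adds back nulls, primitives and String, allow-lists the whole demo.model package by wildcard plus every Collection implementation by hierarchy, and then denies one class that the wildcard would otherwise admit.

```java
package demo.model;

import java.util.Collection;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not from the original answer): how allow* and deny* rules
 * combine. Permissions are consulted newest-first, so a deny registered last
 * is evaluated before an allow registered earlier.
 */
public class PermissionRulesDemo {

    /** Hypothetical model types, constructed for this example. */
    public static class Order { String id; }
    public static class Refund { String id; }   // matched by the wildcard, then denied explicitly

    public static XStream configuredXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);               // forget the defaults: nothing is allowed
        xstream.addPermission(NullPermission.NULL);                 // null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xstream.allowTypes(new Class[]{String.class});
        xstream.allowTypesByWildcard(new String[]{"demo.model.**"}); // everything under our package
        xstream.allowTypeHierarchy(Collection.class);               // ArrayList, HashSet, ...
        // Registered last, so it is checked first and wins over the wildcard above.
        xstream.denyTypes(new Class[]{Refund.class});

        // Aliases only make the XML readable; they grant no permission.
        xstream.alias("order", Order.class);
        xstream.alias("refund", Refund.class);
        return xstream;
    }

    /** Returns true when the security framework refused the document's type. */
    public static boolean rejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            // A forbidden type nested inside a collection arrives wrapped in a
            // ConversionException, so walk the cause chain.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        XStream xstream = configuredXStream();

        // Constructed sample documents; "list" and "string" are XStream's built-in aliases.
        String order   = "<order><id>42</id></order>";
        String refund  = "<refund><id>42</id></refund>";
        String strings = "<list><string>a</string><string>b</string></list>";
        String outside = "<java.io.File><path>x</path></java.io.File>";

        System.out.println("demo.model.Order  rejected: " + rejected(xstream, order));    // false
        System.out.println("demo.model.Refund rejected: " + rejected(xstream, refund));   // true (explicit deny)
        System.out.println("ArrayList<String> rejected: " + rejected(xstream, strings));  // false (hierarchy + String)
        System.out.println("java.io.File      rejected: " + rejected(xstream, outside));  // true (outside the wildcard)
    }
}
```

The same sequence of calls belongs in customizeXStream() when the XStream instance is owned by Spring's XStreamMarshaller; the permission semantics are identical because the marshaller only delegates to the wrapped XStream.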

From the official Spring docs:

By default, XStream allows arbitrary classes to be unmarshalled, which can lead to unsafe Java serialization effects. Therefore, it is not recommended to use XStreamMarshaller to unmarshal XML from external sources (i.e. the Web), as this can result in security vulnerabilities.

You are using Spring's XStreamMarshaller abstraction to interact with the XStream library. By default, the library can marshal/unmarshal arbitrary classes (including from an external web source).

If you are not (working with classes from external web sources), you can simply ignore the message.

If you want to get rid of the message, follow the recommendations of the Spring documentation (linked above) and the XStream website (security configuration example).

It comes down to setting up the supported classes so that only registered classes are allowed to be unmarshalled.

This property is empty by default, which means all classes are supported, and that is why the warning message appears.

+1

Source: https://habr.com/ru/post/1276037/
