StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POMalicious object injection with xstream
text
Body
copied!<p>Can I safely use XStream to process XML coming from outside of my system ? What's the best practice when dealing with "potentially malicious XML" using xstream ?</p> <p>Let's say, I have a class somewhere in my code like this :</p> <pre><code> package hazard; class Dangerous { public Dangerous() { AtomicBomb.getInstance().nuke(); } } </code></pre> <p>A malicious user, might submit a XML file such as :</p> <pre><code> <hazard.Dangerous/> </code></pre> <p>and make XStream calls the nuke() method.</p> <p>This example is quite theoretical. As was pointed out, I do not expect constructor to do this kind of things. But can I be certain that no constructor in any lib available in the classpath is free from such issues (for example, allocate some ressource like a file descriptor).</p> <p>The point is that sending a XML file allows an attacker to create arbitrary objects. A more realistic approach might be using some class instead of another one.</p> <pre><code>public class Foo<T implements Bar> { private T t; // Getters/setters ... } public interface Bar { public void bar(); } public class Bar1 implements Bar { // ... } public class Bar2 implements Bar { // ... } </code></pre> <p>With the (malicious) XML input :</p> <pre><code><foo>  <package.Bar2/> </foo> </code></pre> <p>Now with the Java code :</p> <pre><code>Bar<Foo1> bar = (Bar<Foo1>) xstream.fromXML(xml); // I expect to have a bar1 but I have a bar2. bar.getT().foo(); </code></pre> <p>At first glance, the solution is to provide a custom Mapper (the job being done in the realClass() method).</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload