Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Security framework of XStream not initialized, XStream is probably vulnerable

Tags:

java

xstream

Security framework of XStream not initialized, XStream is probably vulnerable

I keep getting this console error in red while using XStream (1.4.10)

I tried the following:

XStream.setupDefaultSecurity(xs);

and

xs.addPermission(AnyTypePermission.ANY); xs.addPermission(NoTypePermission.NONE);

none of which got rid of it.

I do not need any fancy security settings, I just want to silence that warning. Maybe also prepare the code for 1.5.x

like image 925
Georgian Avatar asked Jun 22 '17 11:06

Georgian


3 Answers

When dealing with security issues, I wouldn't take it lightly. Firstly one would understand the severity of the issue, here a good write up or another one.

Then find out how people recommend the solution. The good place to start is from xstream website itself. There is an example which you can use as a starting point on xstream security page.

This would be my set up which basically allows most of your code.

XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

However, after diving more into their source code, this is my take:

XStream.setupDefaultSecurity(this); // to be removed after 1.5
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

So essentially, you will need just one line once upgrading to 1.5.

Please note that you may need more wild cards to suit your application deserialization scenarios. This is not a one-size-fit-all answer but rather a good starting point IMHO.

like image 176
t7tran Avatar answered Nov 12 '22 12:11

t7tran


I had the same "problem" and solved it by allowing the relevant types:

Class<?>[] classes = new Class[] { ABC.class, XYZ.class };
XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);
xStream.allowTypes(classes);

Maybe this also helps in your case.

Good luck!

like image 24
JEEUser0815 Avatar answered Nov 12 '22 12:11

JEEUser0815


It also works by specifying an all-inclusive pattern for allowed classes:

xstream.allowTypesByRegExp(new String[] { ".*" });
like image 2
Lolo Avatar answered Nov 12 '22 11:11

Lolo