Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Security framework of XStream not initialized, XStream is probably vulnerable

Tags:

java

xstream

Security framework of XStream not initialized, XStream is probably vulnerable

I keep getting this console error in red while using XStream (1.4.10)

I tried the following:

XStream.setupDefaultSecurity(xs);

and

xs.addPermission(AnyTypePermission.ANY); xs.addPermission(NoTypePermission.NONE);

none of which got rid of it.

I do not need any fancy security settings, I just want to silence that warning. Maybe also prepare the code for 1.5.x

like image 925
Georgian Avatar asked Jun 22 '17 11:06

Georgian

3 Answers

When dealing with security issues, I wouldn't take it lightly. Firstly one would understand the severity of the issue, here a good write up or another one.

Then find out how people recommend the solution. The good place to start is from xstream website itself. There is an example which you can use as a starting point on xstream security page.

This would be my set up which basically allows most of your code.

XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

However, after diving more into their source code, this is my take:

XStream.setupDefaultSecurity(this); // to be removed after 1.5
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

So essentially, you will need just one line once upgrading to 1.5.

Please note that you may need more wild cards to suit your application deserialization scenarios. This is not a one-size-fit-all answer but rather a good starting point IMHO.

like image 176
t7tran Avatar answered Nov 12 '22 12:11

t7tran

I had the same "problem" and solved it by allowing the relevant types:

Class<?>[] classes = new Class[] { ABC.class, XYZ.class };
XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);
xStream.allowTypes(classes);

Maybe this also helps in your case.

Good luck!

like image 24
JEEUser0815 Avatar answered Nov 12 '22 12:11

JEEUser0815

It also works by specifying an all-inclusive pattern for allowed classes:

xstream.allowTypesByRegExp(new String[] { ".*" });
like image 2
Lolo Avatar answered Nov 12 '22 11:11

Lolo
Sign in to Comment

Related questions

Java-8: boolean primitive array to stream?
In Spring what is the difference between @Profile and @ActiveProfiles
What are @JsonTypeInfo and @JsonSubTypes used for in jackson
How can I have case insensitive URLS in Spring MVC with annotated mappings
Is it good to set the max and min JVM heap size the same?
How to override/extend an inner class from a subclass?
Singleton lazy vs eager instantiation
Reason for the existence of non-short-circuit logical operators
Converting TimeUnit to ChronoUnit?
Android - onRequestPermissionsResult() is deprecated. Are there any alternatives?
Naming convention for getters/setters in Java
Eclipse always Building workspace
Mocking Apache HTTPClient using Mockito
maven: How to add resources which are generated after compilation phase
Create URL from a String
How to specify validation group for @Valid?
Eclipse with Lombok - search for getter and setter usages
Running liquibase within Java code
Continuous testing with IntelliJ Idea
Google Protobuf ByteString vs. Byte[]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!