Vulnerability warning with XStreamMarshaller

When using an XStreamMarshaller with Spring Batch, I get the following message:

Security framework of XStream not initialized, XStream is probably vulnerable.

First try: According to the documentation, I've tried to reset all permissions, but I still have the same message. Besides, I have no security error when parsing XML files... So I think that this code just doesn't work. Here's a sample of code:

import com.thoughtworks.xstream.security.NoTypePermission;
import org.springframework.oxm.xstream.XStreamMarshaller;

XStreamMarshaller marshaller = new XStreamMarshaller();
// Deny every type; nothing is allowed back in afterwards in this attempt
marshaller.getXStream().addPermission(NoTypePermission.NONE);

Second try: I have also tried with the setSupportedClasses method, but it doesn't work either (I still get the vulnerability message, and unsupported classes are still unmarshalled correctly):

import org.springframework.oxm.xstream.XStreamMarshaller;

XStreamMarshaller marshaller = new XStreamMarshaller();
// Only restricts which classes the marshaller will marshal, not unmarshal
marshaller.setSupportedClasses(FooBar.class);

How can I set security permissions with XStreamMarshaller?

Note: according to this thread, the Security Framework was introduced with 1.4.7 and it is still not mandatory... But it will be mandatory for XStream 1.5.0!

Version of XStream used: 1.4.10

Version of Spring Batch used: 4.0.1

For information, I'm using Spring Boot (but I'm not sure it's relevant here)

Nicolas asked Mar 23 '18 13:03

3 Answers

Solution for the 'First Try':

The reason why it didn't work is that XStreamMarshaller instantiates an XStream object in afterPropertiesSet without checking if one has already been created, so we can't use getXStream() in a @Bean method. To make this work, we can for example set the security config while injecting the marshaller into another bean:

import com.thoughtworks.xstream.XStream;
import org.springframework.context.annotation.Configuration;
import org.springframework.oxm.xstream.XStreamMarshaller;

@Configuration
public class JobSecurityConfig {

    // Runs after the marshaller bean has been fully initialised (afterPropertiesSet already called),
    // so the XStream instance configured here is the one the job actually uses
    public JobSecurityConfig(XStreamMarshaller marshaller) {
        XStream xstream = marshaller.getXStream();
        XStream.setupDefaultSecurity(xstream);          // deny-by-default baseline
        xstream.allowTypes(new Class[]{Bar.class});     // allow-list only the job's record type
    }

}

Another solution: extend XStreamMarshaller

You can also extend XStreamMarshaller and override only the customizeXStream() method to set security configuration.

import com.thoughtworks.xstream.XStream;
import org.springframework.oxm.xstream.XStreamMarshaller;

public class SecureXStreamMarshaller extends XStreamMarshaller {

    // Called by XStreamMarshaller on every XStream instance it builds, including the one from afterPropertiesSet
    @Override
    protected void customizeXStream(XStream xstream) {
        XStream.setupDefaultSecurity(xstream);
        xstream.allowTypes(new Class[]{Bar.class});
    }

}

Why the 'Second Try' doesn't work:

setSupportedClasses is only used on marshalling! StaxEventItemReader doesn't care about supported classes!

Nicolas answered Nov 17 '22 16:11
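As an added example (not code from the question or the answers above), the customizeXStream() approach from this answer written out as a small stand-alone program: a hypothetical AllowListXStreamMarshaller subclass applies setupDefaultSecurity() plus an allow-list, and a check confirms that an element for a type outside the allow-list is refused rather than instantiated. Bar, Unlisted and the XML inputs are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import org.springframework.oxm.XmlMappingException;
import org.springframework.oxm.xstream.XStreamMarshaller;

import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;

// Hypothetical marshaller subclass: the allow-list is applied in customizeXStream(),
// which XStreamMarshaller invokes on the XStream instance it builds in afterPropertiesSet().
public class AllowListXStreamMarshaller extends XStreamMarshaller {

    private final Class<?>[] allowed;

    public AllowListXStreamMarshaller(Class<?>... allowed) {
        this.allowed = allowed;
        setSupportedClasses(allowed); // marshalling side only; does not restrict unmarshalling
    }

    @Override
    protected void customizeXStream(XStream xstream) {
        XStream.setupDefaultSecurity(xstream); // deny everything except XStream's safe defaults
        xstream.allowTypes(allowed);           // then opt in the job's own record types
    }

    // Returns true when the marshaller refuses to instantiate the element's type.
    static boolean isRejected(XStreamMarshaller m, String xml) {
        try {
            m.unmarshal(new StreamSource(new StringReader(xml)));
            return false;
        } catch (XmlMappingException e) {
            // Spring wraps XStream's ForbiddenClassException; look for it in the cause chain
            return e.contains(ForbiddenClassException.class);
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        AllowListXStreamMarshaller m = new AllowListXStreamMarshaller(Bar.class);
        m.afterPropertiesSet(); // builds the XStream instance and runs customizeXStream()

        // Constructed inputs: Bar is on the allow-list, Unlisted is not.
        System.out.println("<Bar> rejected?      " + isRejected(m, "<Bar><name>x</name></Bar>"));
        System.out.println("<Unlisted> rejected? " + isRejected(m, "<Unlisted><name>x</name></Unlisted>"));
    }
}

// Sample record types, constructed for this example (default package, so the element name is the class name).
class Bar { String name; }
class Unlisted { String name; }
```

With XStream 1.4.10 and Spring 5 on the classpath the first line prints false and the second true; the "Security framework of XStream not initialized" warning also goes away because customizeXStream() runs on the instance that afterPropertiesSet() creates.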


The XStream website provides details about the Security Framework.

The methods below are provided to set security permissions:

XStream.addPermission(TypePermission);
XStream.allowTypes(Class[]);
XStream.allowTypes(String[]);
XStream.allowTypesByRegExp(String[]);
XStream.allowTypesByRegExp(Pattern[]);
XStream.allowTypesByWildcard(String[]);
XStream.allowTypeHierarchy(Class);
XStream.denyPermission(TypePermission);
XStream.denyTypes(Class[]);
XStream.denyTypes(String[]);
XStream.denyTypesByRegExp(String[]);
XStream.denyTypesByRegExp(Pattern[]);
XStream.denyTypesByWildcard(String[]);
XStream.denyTypeHierarchy(Class);

You can also refer to this tutorial.

I hope this helps

Niraj Sonawane answered Nov 17 '22 18:11


From the official spring docs:

By default, XStream allows for arbitrary classes to be unmarshalled, which can lead to unsafe Java serialization effects. As such, it is not recommended to use the XStreamMarshaller to unmarshal XML from external sources (i.e. the Web), as this can result in security vulnerabilities.

You're using Spring's abstraction XStreamMarshaller to interface with the XStream library. By default the library can marshal/unmarshal arbitrary classes (including from an external web source).

If you are not doing that (working with classes from external web sources) you can simply ignore the message.

If you want to remove the message, follow what's recommended in Spring's official doc (linked above) and on the XStream website (security config example).

It boils down to setting up supported classes to make sure only the registered classes are eligible for unmarshalling.

This property is empty by default, which means "support all classes", hence the warning message you're getting.

hovanessyan answered Nov 17 '22 18:11