juneau-dev mailing list archives

From "James Bognar (JIRA)" <j...@apache.org>
Subject [jira] [Created] (JUNEAU-67) Create security documentation
Date Fri, 10 Nov 2017 17:50:00 GMT
James Bognar created JUNEAU-67:
----------------------------------

             Summary: Create security documentation
                 Key: JUNEAU-67
                 URL: https://issues.apache.org/jira/browse/JUNEAU-67
             Project: Juneau
          Issue Type: Bug
          Components: Documentation
    Affects Versions: 7.0.0
            Reporter: James Bognar


Create documentation on security-related topics such as shown here:

http://x-stream.github.io/security.html#validation

Here's some initial "stuff":

As a rule though, it is impossible to create arbitrary POJOs through manipulation of the input,
i.e. there is no "_class" attribute where you can pass in arbitrary class names.

When you parse input, you have to specify the POJO class you want constructed
(e.g. parser.parse(input, MyBean.class)).  So only classes that exist within that POJO "tree"
will be instantiated.

We do have the concept of type dictionaries where "_type" attributes are added to the output
to identify classes.  It's similar to "_class", but you must explicitly specify the type name
mappings programmatically on the parser instance (e.g. 'MyBean' -> com.foo.MyBean.class)
or via annotations defined on interface or abstract classes.  

For example, if we added the following annotation to our bean class....
   @Bean(typeName="MyBean")
   public class MyBean {...}

...then it would get serialized like so....
   {
      _type:'MyBean',
      myField:123
   }

...and would be parsed back into the original bean type like so...

   // Create a parser aware of the MyBean class.
   Parser parser = JsonParser.create().beanDictionary(MyBean.class).build();

   // Parse our input above to create a MyBean instance even though we're asking for a
   // general Object.
   MyBean myBean = (MyBean)parser.parse(input, Object.class);
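
The dictionary-based parse described above, written out as an added, self-contained example (not code from the issue or from the Juneau project): the parser is given exactly one type-name mapping, the input is a constructed document, and the result of parsing into Object is checked with instanceof before it is cast. The "com.example.NotInDictionary" type name and the TypeDictionaryExample/parseAsMyBean names are assumptions made for this illustration.

```java
import org.apache.juneau.annotation.Bean;
import org.apache.juneau.json.JsonParser;
import org.apache.juneau.parser.ParseException;
import org.apache.juneau.parser.Parser;

public class TypeDictionaryExample {

    // Bean registered under the type name "MyBean"; this alias, not the class
    // name, is what an input document may reference in its _type attribute.
    @Bean(typeName = "MyBean")
    public static class MyBean {
        public int myField;
    }

    // Constructed input: a document carrying the mapped type name (lax JSON,
    // which the Juneau parser accepts).
    static final String KNOWN_TYPE = "{_type:'MyBean', myField:123}";

    // Constructed input: a document whose _type is not in the dictionary.
    // A class name here resolves to nothing, because only the explicitly
    // registered aliases are known to the parser.
    static final String UNKNOWN_TYPE = "{_type:'com.example.NotInDictionary', myField:123}";

    // Parser that knows only MyBean; any other _type value cannot map to a class.
    static final Parser PARSER = JsonParser.create().beanDictionary(MyBean.class).build();

    // Parse into Object and accept the result only if it really is a MyBean.
    static MyBean parseAsMyBean(String json) throws ParseException {
        Object o = PARSER.parse(json, Object.class);
        if (o instanceof MyBean)
            return (MyBean) o;
        // Whatever the parser produces for an unmapped _type (assumed here to be
        // a generic map; a parse error would propagate instead) is rejected
        // rather than cast blindly.
        throw new ParseException("Input did not resolve to MyBean but to " + o.getClass().getName());
    }

    public static void main(String[] args) throws ParseException {
        MyBean b = parseAsMyBean(KNOWN_TYPE);
        System.out.println("myField = " + b.myField);

        try {
            parseAsMyBean(UNKNOWN_TYPE);
        } catch (ParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```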


We DO have JsoSerializer and JsoParser classes that use Java-Serialized-Object serialization,
and these are subject to injection attacks, but we make clear in the javadocs that you must
be very careful if you want to use them.  We exclude them from the list of default serializers
and parsers on the REST classes.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
