juneau-dev mailing list archives

From "Lukasz Lenart" <lukaszlen...@apache.org>
Subject Re: Security
Date Fri, 10 Nov 2017 07:19:02 GMT
Great, thanks a lot :)

Kind regards
--
Lukasz

On 2017-11-09 23:23, James Bognar <jamesbognar@apache.org> wrote: 
> Hi Lukasz,
> 
> I'll have to write such an article.
> 
> As a rule though, it is impossible to create arbitrary POJOs through
> manipulation of the input.  i.e. there is no "_class" attribute where you
> can pass in arbitrary class names.
> 
> When you parse input, you have to specify the POJO class you want
> constructed (e.g. parser.parse(input, MyBean.class)).  So only classes that
> exist within that POJO "tree" will be instantiated.
> 
> We do have the concept of type dictionaries where "_type" attributes are
> added to the output to identify classes.  It's similar to "_class", but you
> must explicitly specify the type name mappings programmatically on the
> parser instance (e.g. 'MyBean' -> com.foo.MyBean.class) or via annotations
> defined on interface or abstract classes.
> 
> For example, if we added the following annotation to our bean class....
>    @Bean(typeName='MyBean')
>    public class MyBean {...}
> 
> ...then it would get serialized like so....
>    {
>       _type:'MyBean',
>       myField:123
>    }
> 
> ...and would be parsed back into the original bean type like so...
> 
>    // Create a parser aware of the MyBean class.
>    Parser parser = JsonParser.create().beanDictionary(MyBean.class).build();
> 
>    // Parse our input above to create a MyBean instance even though we're
>    // asking for a general Object.
>    MyBean myBean = (MyBean)parser.parse(input, Object.class);
> 
> 
> We DO have JsoSerializer and JsoParser classes that use
> Java-Serialized-Object serialization, and these are subject to injection
> attacks, but we make clear in the javadocs that you must be very careful if
> you want to use them.  We exclude them from the list of default serializers
> and parsers on the REST classes.
> 
> 
> On Thu, Nov 9, 2017 at 8:56 AM, Lukasz Lenart <lukaszlenart@apache.org>
> wrote:
> 
> > Hi,
> >
> > I didn't find any note about security, i.e. how to avoid known XML
> > serialisation vulnerabilities, something like this:
> >
> > http://x-stream.github.io/security.html#validation
> >
> > Best
> > --
> > Lukasz
> >
> 

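The type-dictionary behaviour James describes above, as an added example that is not code from this thread or from the Juneau project: it parses the same `_type:'MyBean'` input with and without a dictionary-aware parser and checks that a bean is only instantiated when its type name was registered explicitly. The bean, `@Bean(typeName=...)`, `JsonParser.create().beanDictionary(...)` and `parse(input, Object.class)` are the calls quoted in the reply; `JsonParser.DEFAULT`, `ObjectMap` and `ParseException` are assumed names from the Juneau API of that era, and both input strings are constructed for this example.

```java
import org.apache.juneau.ObjectMap;
import org.apache.juneau.annotation.Bean;
import org.apache.juneau.json.JsonParser;
import org.apache.juneau.parser.ParseException;
import org.apache.juneau.parser.Parser;

public class TypeDictionaryCheck {

    // Same bean as in the reply: the type name is opted in via the annotation.
    @Bean(typeName = "MyBean")
    public static class MyBean {
        private int myField;
        public int getMyField() { return myField; }
        public void setMyField(int v) { myField = v; }
    }

    // Constructed sample inputs (not taken from the thread).
    static final String REGISTERED   = "{_type:'MyBean', myField:123}";
    static final String UNREGISTERED = "{_type:'NotInDictionary', myField:123}";

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError("FAILED: " + what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) throws Exception {
        // Parser that knows MyBean's type name, as in the reply.
        Parser aware = JsonParser.create().beanDictionary(MyBean.class).build();
        // Plain parser with no dictionary (assumed constant name).
        Parser unaware = JsonParser.DEFAULT;

        // 1. Registered name + dictionary-aware parser: a MyBean is constructed.
        Object o1 = aware.parse(REGISTERED, Object.class);
        check(o1 instanceof MyBean, "registered _type resolves to MyBean");

        // 2. Same input, parser without the dictionary: _type is just a key in a
        //    generic map; no bean class is looked up from the input.
        Object o2 = unaware.parse(REGISTERED, Object.class);
        check(o2 instanceof ObjectMap && !(o2 instanceof MyBean), "no dictionary, no bean");

        // 3. Name that was never registered: either a generic map comes back or the
        //    input is rejected; in neither case is a class chosen by the input.
        try {
            Object o3 = aware.parse(UNREGISTERED, Object.class);
            check(!(o3 instanceof MyBean), "unregistered _type yields no bean");
        } catch (ParseException e) {
            check(true, "unregistered _type rejected: " + e.getMessage());
        }
    }
}
```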