juneau-dev mailing list archives

From "James Bognar (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (JUNEAU-67) Create security documentation
Date Sat, 23 Dec 2017 16:49:00 GMT

     [ https://issues.apache.org/jira/browse/JUNEAU-67?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Bognar resolved JUNEAU-67.
--------------------------------
       Resolution: Fixed
         Assignee: James Bognar
    Fix Version/s: 7.0.1

> Create security documentation
> -----------------------------
>
>                 Key: JUNEAU-67
>                 URL: https://issues.apache.org/jira/browse/JUNEAU-67
>             Project: Juneau
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 7.0.0
>            Reporter: James Bognar
>            Assignee: James Bognar
>             Fix For: 7.0.1
>
>
> Create documentation on security-related topics such as shown here:
> http://x-stream.github.io/security.html#validation
> Here's some initial "stuff":
> As a rule though, it is impossible to create arbitrary POJOs through manipulation of the input.  i.e. there is no "_class" attribute where you can pass in arbitrary class names.
> When you parse input, you have to specify the POJO class you want constructed (e.g. parser.parse(input, MyBean.class)).  So only classes that exist within that POJO "tree" will be instantiated.
> We do have the concept of type dictionaries where "_type" attributes are added to the output to identify classes.  It's similar to "_class", but you must explicitly specify the type name mappings programmatically on the parser instance (e.g. 'MyBean' -> com.foo.MyBean.class) or via annotations defined on interface or abstract classes.
> For example, if we added the following annotation to our bean class....
>    @Bean(typeName="MyBean")
>    public class MyBean {...}
> ...then it would get serialized like so....
>    {
>       _type:'MyBean',
>       myField:123
>    }
> ...and would be parsed back into the original bean type like so...
>    // Create a parser aware of the MyBean class.
>    Parser parser = JsonParser.create().beanDictionary(MyBean.class).build();
>    // Parse our input above to create a MyBean instance even though we're asking for a general Object.
>    MyBean myBean = (MyBean)parser.parse(input, Object.class);
> We DO have JsoSerializer and JsoParser classes that use Java-Serialized-Object serialization, and these are subject to injection attacks, but we make clear in the javadocs that you must be very careful if you want to use them.  We exclude them from the list of default serializers and parsers on the REST classes.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
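Worked example added here (it is not code from the issue or from the Juneau project): the same `_type` input from the issue text is parsed by a parser without a bean dictionary and by one with `MyBean` registered, to show that the dictionary is the allowlist that decides what may be instantiated. It assumes Juneau 7.0.x package names and that a `_type` name absent from the dictionary is either kept as an ordinary attribute or rejected with a `ParseException`, never instantiated.

```java
// Added example, not part of the JIRA issue or the Juneau code base.
// Assumes Juneau 7.0.x package layout.
import org.apache.juneau.annotation.Bean;
import org.apache.juneau.json.JsonParser;
import org.apache.juneau.parser.ParseException;
import org.apache.juneau.parser.Parser;

public class TypeDictionaryDemo {

    // Bean with an explicit type name, as in the issue text.
    @Bean(typeName="MyBean")
    public static class MyBean {
        public int myField;
    }

    // Constructed sample input: the serialized form shown in the issue (Juneau lax JSON).
    static final String INPUT = "{_type:'MyBean', myField:123}";

    // Constructed input naming a type that is not in any dictionary.
    static final String UNKNOWN_TYPE = "{_type:'com.foo.NotRegistered', myField:1}";

    public static void main(String[] args) throws ParseException {
        // 1. Parser with no dictionary: "_type" carries no meaning, nothing is
        //    instantiated, and asking for Object yields a generic map.
        Parser plain = JsonParser.DEFAULT;
        Object o1 = plain.parse(INPUT, Object.class);
        System.out.println("no dictionary -> " + o1.getClass().getName()
            + " (MyBean? " + (o1 instanceof MyBean) + ")");   // MyBean? false

        // 2. Parser with MyBean registered (the call from the issue): the same
        //    input now resolves to a MyBean even though Object was requested.
        Parser aware = JsonParser.create().beanDictionary(MyBean.class).build();
        Object o2 = aware.parse(INPUT, Object.class);
        System.out.println("with dictionary -> MyBean? " + (o2 instanceof MyBean)); // true

        // 3. A "_type" value that is not registered cannot name a class to build.
        //    Assumption: it is left as a plain attribute or rejected; both are safe.
        try {
            Object o3 = aware.parse(UNKNOWN_TYPE, Object.class);
            System.out.println("unknown _type -> " + o3.getClass().getName()
                + " (MyBean? " + (o3 instanceof MyBean) + ")");
        } catch (ParseException e) {
            System.out.println("unknown _type rejected: " + e.getMessage());
        }
    }
}
```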
