juneau-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Bognar <jamesbog...@apache.org>
Subject Re: Security
Date Thu, 09 Nov 2017 22:23:21 GMT
Hi Lukasz,

I'll have to write such an article.

As a rule though, it is impossible to create arbitrary POJOs through
manipulation of the input.  i.e. there is no "_class" attribute where you
can pass in arbitrary class names.

When you parse input, you have to specify the POJO class you want
constructed (e.g. parser.parse(input, MyBean.class)).  So only classes that
exist within that POJO "tree" will be instantiated.

We do have the concept of type dictionaries where "_type" attributes are
added to the output to identify classes.  It's similar to "_class", but you
must explicitly specify the type name mappings programmatically on the
parser instance (e.g. 'MyBean' -> com.foo.MyBean.class) or via annotations
defined on interface or abstract classes.

For example, if we added the following annotation to our bean class....
   public class MyBean {...}

...then it would get serialized like so....

...and would be parsed back into the original bean type like so...

   // Create a parser aware of the MyBean class.
   Parser parser = JsonParser.create().beanDictionary(MyBean.class).build();

   // Parse our input above to create a MyBean instance even though we're
asking for a general Object.
   MyBean myBean = (MyBean)parser.parse(input, Object.class);

We DO have JsoSerializer and JsoParser classes that use
Java-Serialized-Object serialization, and these are subject to injection
attacks, but we make clear in the javadocs that you must be very careful if
you want to use them.  We exclude them from the list of default serializers
and parsers on the REST classes.

On Thu, Nov 9, 2017 at 8:56 AM, Lukasz Lenart <lukaszlenart@apache.org>

> Hi,
> I didn't find any note about security, i.e. how to avoid known XML
> serialisation vulnerabilities, something like this:
> http://x-stream.github.io/security.html#validation
> Best
> --
> Lukasz

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message