Security framework of XStream not initialized, XStream is probably vulnerable

浪尽此生 submitted on 2019-11-30 17:16:50

When dealing with security issues, I wouldn't take it lightly. First, one would understand the severity of the issue; here is a good write-up.

Then find out how people recommend solving it. A good place to start is the XStream website itself. There is an example on the XStream security page which you can use as a starting point.

This would be my setup, which basically allows most of your code.

import java.util.Collection;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

XStream xstream = new XStream();
// clear out existing permissions and set own ones
// (permissions are checked newest first, so NONE ends up as the final catch-all
// that rejects anything not explicitly allowed below)
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

However, after diving more into their source code, this is my take:

import com.thoughtworks.xstream.XStream;

XStream xstream = new XStream();
XStream.setupDefaultSecurity(xstream); // to be removed after 1.5
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

So essentially, you will need just one line once you upgrade to 1.5.

Please note that you may need more wildcards to suit your application's deserialization scenarios. This is not a one-size-fits-all answer but rather a good starting point IMHO.

I had the same "problem" and solved it by allowing the relevant types:

import com.thoughtworks.xstream.XStream;

// ABC and XYZ stand for the application classes that are expected in the XML
Class<?>[] classes = new Class[] { ABC.class, XYZ.class };
XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);
// permit exactly these classes (no wildcard)
xStream.allowTypes(classes);

Maybe this also helps in your case.

Good luck!

It also works by specifying an all-inclusive pattern for allowed classes:

// ".*" matches every class name, so the security framework no longer restricts which classes can be deserialized
xstream.allowTypesByRegExp(new String[] { ".*" });
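The following is an added example, not code from any of the answers above or from the XStream project. It puts the scoped allowlist from the first answer next to the all-inclusive pattern from the last answer and feeds each configuration the same two documents: one for an application type and one that names a JDK class outside the application package. The package `com.example.app`, the `Order` type and the XML documents are constructed for this example; it assumes xstream 1.4.7 or later (where the security API exists) and its XML parser dependency on the classpath.

```java
package com.example.app;

import java.util.Collection;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application type, nested here so the example is a single file.
    // It lives in com.example.app, so the wildcard below covers it.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Configuration from the first answer: reject everything by default, then
    // allow null, primitives, collections and the application's own package.
    static XStream scopedAllowlist() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypesByWildcard(new String[] { "com.example.app.**" });
        return xstream;
    }

    // Configuration from the last answer: a pattern that matches every class
    // name, so the framework imposes no restriction at all.
    static XStream allowEverything() {
        XStream xstream = new XStream();
        xstream.allowTypesByRegExp(new String[] { ".*" });
        return xstream;
    }

    // Deserialize one document and report whether the security framework let
    // the root class through; ForbiddenClassException is what XStream throws
    // for a class that no permission allows.
    static String tryDeserialize(XStream xstream, String xml) {
        try {
            Object obj = xstream.fromXML(xml);
            return "accepted: " + obj.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream scoped = scopedAllowlist();
        XStream allowAll = allowEverything();

        // Constructed sample input: the application type, serialized by the
        // scoped instance itself (serialization is not subject to permissions).
        Order order = new Order();
        order.id = "A-1";
        order.quantity = 3;
        String orderXml = scoped.toXML(order);

        // Constructed sample input: a harmless JDK class that is outside the
        // allowed package and not a primitive or collection.
        String localeXml = "<java.util.Locale>en_US</java.util.Locale>";

        System.out.println("scoped allowlist, application type: " + tryDeserialize(scoped, orderXml));
        System.out.println("scoped allowlist, JDK type:         " + tryDeserialize(scoped, localeXml));
        System.out.println("allow everything, JDK type:         " + tryDeserialize(allowAll, localeXml));
    }
}
```

With the scoped configuration the `Order` document deserializes and the `java.util.Locale` document is rejected with a `ForbiddenClassException`; with the `".*"` pattern both are accepted, which is the practical difference between the two answers.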