
When using an XStreamMarshaller with Spring Batch, I get the following message:

Security framework of XStream not initialized, XStream is probably vulnerable.

First try: According to the documentation, I've tried to reset all permissions, but I still have the same message. Besides, I have no security error when parsing XML files... So I think that this code just doesn't work. Here's a sample of code:

XStreamMarshaller marshaller = new XStreamMarshaller();
marshaller.getXStream().addPermission(NoTypePermission.NONE);

Second try: I have also tried with the setSupportedClasses method, but it doesn't work either (I still get the vulnerability message, and unsupported classes are still unmarshalled correctly):

XStreamMarshaller marshaller = new XStreamMarshaller();
marshaller.setSupportedClasses(FooBar.class);

How can I set security permissions with XStreamMarshaller?

Note: according to this thread, the Security Framework was introduced with 1.4.7 and it is still not mandatory.... But it will be mandatory for XStream 1.5.0!

Version of XStream used: 1.4.10

Version of Spring Batch used: 4.0.1

For information, I'm using Spring Boot (but I'm not sure it's relevant here)

Nicolas

3 Answers


Solution for the 'First Try':

The reason why it didn't work is that XStreamMarshaller instantiates an XStream object in afterPropertiesSet without checking if one has already been created, so we can't use getXStream() in a @Bean method. To make this work, we can for example set the security config while injecting the marshaller into another bean:

import com.thoughtworks.xstream.XStream;
import org.springframework.context.annotation.Configuration;
import org.springframework.oxm.xstream.XStreamMarshaller;

@Configuration
public class JobSecurityConfig {

    // By the time the marshaller is injected here, afterPropertiesSet() has already run,
    // so getXStream() returns the instance the job will actually use.
    public JobSecurityConfig(XStreamMarshaller marshaller) {
        XStream xstream = marshaller.getXStream();
        XStream.setupDefaultSecurity(xstream);
        xstream.allowTypes(new Class[]{Bar.class});
    }

}

Another solution: extend XStreamMarshaller

You can also extend XStreamMarshaller and override only the customizeXStream() method to set security configuration.

import com.thoughtworks.xstream.XStream;
import org.springframework.oxm.xstream.XStreamMarshaller;

public class SecureXStreamMarshaller extends XStreamMarshaller { // buildXStream() calls customizeXStream() on every instance it creates
    @Override
    protected void customizeXStream(XStream xstream) {
        XStream.setupDefaultSecurity(xstream);
        xstream.allowTypes(new Class[]{Bar.class});
    }
}

Why the 'Second Try' doesn't work:

setSupportedClasses is only used on marshalling! StaxEventItemReader doesn't care about supported classes!

Nicolas

The XStream website has provided details about the Security Framework.

The methods below are provided to set security permissions:

XStream.addPermission(TypePermission);
XStream.allowTypes(Class[]);
XStream.allowTypes(String[]);
XStream.allowTypesByRegExp(String[]);
XStream.allowTypesByRegExp(Pattern[]);
XStream.allowTypesByWildcard(String[]);
XStream.allowTypeHierarchy(Class);
XStream.denyPermission(TypePermission);
XStream.denyTypes(Class[]);
XStream.denyTypes(String[]);
XStream.denyTypesByRegExp(String[]);
XStream.denyTypesByRegExp(Pattern[]);
XStream.denyTypesByWildcard(String[]);
XStream.denyTypeHierarchy(Class);

You can also refer to this Tutorial.

I hope this helps

Niraj Sonawane
  • Those methods are not static; you need a reference to an XStream object. You can get it with marshaller.getXStream()... But as I said, addPermission doesn't seem to work. – Nicolas Mar 29 '18 at 14:31
  • Generally, links [should be accompanied by usage notes, a specific explanation of how the linked resource is applicable to the problem, and some sample code](//meta.stackoverflow.com/a/251605/584192). – Samuel Liew Dec 02 '18 at 02:10
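One complete, runnable illustration of the first answer's customizeXStream() override together with a few of the permission methods listed in the second answer. This is an added example, not code from the question, the answers, Spring or XStream. It assumes XStream 1.4.10 and Spring OXM (with the afterPropertiesSet()/getXStream() behaviour the first answer describes) on the classpath; Bar, Evil, XStreamSecurityDemo and SecureXStreamMarshaller are constructed names.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import org.springframework.oxm.xstream.XStreamMarshaller;

// Constructed sample types: Bar is the job's own record type, Evil stands in for
// any class that must never be instantiated from the input XML.
class Bar { String name = "ok"; }
class Evil { String payload = "x"; }

public class XStreamSecurityDemo {

    /** The override from the first answer: buildXStream() calls this on every XStream it creates. */
    static class SecureXStreamMarshaller extends XStreamMarshaller {
        @Override
        protected void customizeXStream(XStream xstream) {
            XStream.setupDefaultSecurity(xstream);          // deny-all baseline plus basic JDK types
            xstream.allowTypes(new Class[] { Bar.class });   // whitelist only the record type
            xstream.denyTypes(new Class[] { Evil.class });   // explicit deny (redundant under a whitelist, shown for the API)
        }
    }

    /** true if the XML was turned into an object, false if the security framework refused the type. */
    static boolean accepts(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Produce the sample XML with an unrestricted XStream so the element names match what fromXML expects.
        XStream writer = new XStream();
        String barXml = writer.toXML(new Bar());
        String evilXml = writer.toXML(new Evil());

        // 'First try' from the question: the permission lands on an XStream instance that
        // afterPropertiesSet() (run by the Spring container after injection) replaces with a new one.
        XStreamMarshaller naive = new XStreamMarshaller();
        naive.getXStream().addPermission(NoTypePermission.NONE);
        naive.afterPropertiesSet();
        System.out.println("naive  accepts Evil: " + accepts(naive.getXStream(), evilXml));

        // The override survives that rebuild because it runs inside buildXStream().
        SecureXStreamMarshaller secure = new SecureXStreamMarshaller();
        secure.afterPropertiesSet();
        System.out.println("secure accepts Bar:  " + accepts(secure.getXStream(), barXml));
        System.out.println("secure accepts Evil: " + accepts(secure.getXStream(), evilXml));
    }
}
```

Running it shows the naive marshaller still accepting Evil (the permission was set on a discarded instance), while the secure marshaller accepts Bar and rejects Evil with a ForbiddenClassException. In a Spring Batch job the SecureXStreamMarshaller would simply be declared as the bean handed to the StaxEventItemReader; the container's afterPropertiesSet() call is what main() imitates here.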

From the official spring docs:

By default, XStream allows for arbitrary classes to be unmarshalled, which can lead to unsafe Java serialization effects. As such, it is not recommended to use the XStreamMarshaller to unmarshal XML from external sources (i.e. the Web), as this can result in security vulnerabilities.

You're using Spring's abstraction XStreamMarshaller to interface with the XStream library. By default the library can marshall/unmarshall arbitrary classes (including from external web source).

If you are not doing that (working with classes from external web sources) you can simply ignore the message.

If you want to remove the message follow what's recommended in Spring's official doc (linked above) and XStream website (security config example).

It boils down to setting up supported classes to make sure only the registered classes are eligible for unmarshalling.

This property is empty by default, which means - support all classes - hence the warning message you're getting.

hovanessyan
  • As I said in the original message, I can't get the XStream documentation to work. I had also tried with `setSupportedClasses`, but it doesn't work either. I've even tried to support only classes not related to my model, and I still get the vulnerability message, and my xml is still unmarshalled correctly. – Nicolas Apr 03 '18 at 09:29