Security framework of XStream not initialized, XStream is probably vulnerable


I keep getting this console error in red while using XStream (1.4.10).

I tried the following:

XStream.setupDefaultSecurity(xs);

and

xs.addPermission(AnyTypePermission.ANY);
xs.addPermission(NoTypePermission.NONE);

none of which got rid of it.

I do not need any fancy security settings; I just want to silence that warning. Maybe also prepare the code for 1.5.x.

Answers


When dealing with security issues, I wouldn't take it lightly. Firstly, one would understand the severity of the issue; here is a good write-up.

Then find out how people recommend solving it. A good place to start is the XStream website itself: there is an example on the XStream security page which you can use as a starting point.

This would be my setup, which basically allows most of your code.

XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

However, after diving more into their source code, this is my take:

XStream xstream = new XStream();
XStream.setupDefaultSecurity(xstream); // to be removed after 1.5, where this is the default
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

So essentially, you will need just one line once you upgrade to 1.5.

Please note that you may need more wildcards to suit your application's deserialization scenarios. This is not a one-size-fits-all answer but rather a good starting point IMHO.


I had the same "problem" and solved it by allowing the relevant types:

Class<?>[] classes = new Class[] { ABC.class, XYZ.class };
XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);
xStream.allowTypes(classes);

Maybe this also helps in your case.

Good luck!


It also works by specifying an all-inclusive pattern for allowed classes:

xstream.allowTypesByRegExp(new String[] { ".*" });
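A complete program, added here as an example and not part of any of the answers above, that combines setupDefaultSecurity with an explicit allowlist (the approach of the first two answers) and then checks that an unlisted type is actually refused, which an all-inclusive pattern such as `.*` would not do. It assumes XStream 1.4.10 or later on the classpath; `XStreamAllowlistDemo`, `Person` and `Internal` are hypothetical names.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import java.util.ArrayList;
import java.util.List;

public class XStreamAllowlistDemo {
    // Hypothetical application type: the only class the app intends to unmarshal.
    public static class Person {
        public String name;
        public int age;
        public List<String> tags = new ArrayList<>();
    }

    // Hypothetical type that is deliberately NOT on the allowlist.
    public static class Internal {
        public String secret = "should never be unmarshalled";
    }

    public static XStream secureXStream() {
        XStream xstream = new XStream();
        // 1.4.x: replace the permissive default with a deny-by-default baseline
        // (null, primitives, arrays, collections, String, Date, ...). In 1.5
        // this is the built-in default and the call can be dropped.
        XStream.setupDefaultSecurity(xstream);
        // Then list exactly the application types that may be unmarshalled.
        xstream.allowTypes(new Class[] { Person.class });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = secureXStream();
        Person p = new Person();
        p.name = "alice";
        p.age = 30;
        p.tags.add("reader");
        // An allowed type round-trips normally.
        Person back = (Person) xstream.fromXML(xstream.toXML(p));
        System.out.println("round trip ok: " + back.name + " " + back.tags);

        // Marshalling is not policed, so the same instance yields a constructed
        // input naming a class outside the allowlist; unmarshalling it must fail.
        String unlisted = xstream.toXML(new Internal());
        try {
            xstream.fromXML(unlisted);
            System.out.println("UNEXPECTED: unlisted type accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```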
