Security Aspects
XStream is designed to be an easy to use library. It takes its main task seriously: converting Java objects to XML, and XML to Java objects. As a result, it is possible to create an instance of XStream with the default constructor, call a method to convert an object into XML, then call another method to turn the XML back into an equivalent Java object. By design, there are few limits to the type of objects XStream can handle.
Note: XStream supports other data formats than XML, e.g. JSON. Those formats can be used for the same attacks.
This flexibility comes at a price. XStream applies various techniques under the hood to ensure it is able to handle all types of objects. This includes using undocumented Java features and reflection. The XML generated by XStream includes all information required to build objects of almost any type. This introduces a potential security problem.
The provided XML data is used by XStream to unmarshal Java objects. This data can be manipulated by injecting the XML representation of other objects, that were not present at marshalling time. An attacker could take advantage of this to execute arbitrary code or shell commands in the context of the server running the XStream process. A concrete case is described in CVE-2013-7285.
Note that the XML data can be manipulated on different levels. For example, manipulating values on existing objects (such as a price value), or breaking the format and causing the XML parser to fail. The latter case will raise an exception, but the former case must be handled by validity checks in any application which processes user-supplied XML. A worst case scenario is the injection of arbitrary code or shell commands, as noted above. Even worse, CVE-2017-7957 describes a case to crash the Java Virtual Machine causing a Denial of Service.
External Security
An active Java Security Manager can prevent actions required by XStream components or converters. The same applies to environments such as Google Application Engine. XStream tries to some extent to check the functionality of a converter before it claims to handle a type.
Therefore it is possible that XStream behaves differently in such an environment, because a converter suddenly no longer handles a special type or any type at all. It is essential that an application that will have to run in such an environment is tested at an early stage to prevent nasty surprises.
Implicit Security
As explained above, it is possible to inject other object instances if an attacker is able to define the data used to deserialize the Java objects. E.g. a known exploit can be created with the help of the Java runtime library using the Java Bean EventHandler as described in CVE-2013-7285. This scenario can be used perfectly to replace/inject a dynamic proxy with such an EventHandler at any location in the XML where its parent expects an object of such an interface's type or a simple object instance (any list element will suffice). The usage of a ProcessBuilder as an embedded element, coupled with the redirection of any call to the ProcessBuilder's start() method allows an attacker to call shell commands. Knowing how to define such an attack is the only prerequisite.
More scenarios have been identified for types that are already delivered with the Java runtime. Looking at well-known and commonly used Java libraries libraries such as ASM, CGLIB, or Groovy, the possibility for more exploits is very high.
Therefore creates a black list for special classes only a scenario for a false security, because no-one can assure, that no other scenario arise. A better approach is white listing i.e. the allowed class types are setup explicitly. This will be the default for XStream 1.5.x.
Starting with XStream 1.4.7, an instance of the EventHandler is no longer handled by default. You have to explicitly register a ReflectionConverter for the EventHandler type, if your application has the requirement to persist such an object. Starting with XStream 1.4.10 the list of revoked types is enhanced by all types of the java.crypto package and any inner class named LazyIterator. On top you still have to take special care regarding the location of the persisted data, and how your application can ensure its integrity.
Note: This vulnerability is not even a special problem of XStream. XML being deserialized by XStream acts here like a script, and the scenario above can be created with any script that is executed within a Java runtime (e.g. using its JavaScript interpreter) if someone is able to manipulate it externally. The key message for application developers is that deserializing arbitrary user-supplied content is a dangerous proposition in all cases. The best approach to prevent such an attach is a white list, i.e. the deserialization mechanism should only allow explicit types.
Explicit Security
Starting with XStream 1.4.7, it is possible to define permissions for types, to check the type of an object that should be unmarshalled. Those permissions can be used to allow or deny types explicitly With these permissions it is at least not possible to inject unexpected types into an object graph. The security framework supports the setup of a black or white listing scenario. Any application should use this feature to limit the danger of arbitrary command execution if it deserializes data from an external source.
XStream itself sets up a black list by default, i.e. it blocks all currently known critical classes of the Java runtime. Main reason for the black list is compatibility, because otherwise newer versions of XStream 1.4.x can no longer be used as drop-in replacement. Unfortunately this provides a false sense of security. Every XStream client should therefore switch to a white listing on its own as soon as possible. XStream itself will use white listing as default starting with 1.5.x and only clients that have also changed their setup will be able to use this newer version again as drop-in replacement.
Apart from value manipulations, this implementation still allows the injection of allowed objects at wrong locations, e.g. inserting an integer into a list of strings.
Separate to the XStream security framework, it has always been possible to overwrite the setupConverter method of XStream to register only the required converters.
XML Validation
XML itself supports input validation using a schema and a validating parser. With XStream, you can use e.g. a DOM parser for validation, but it will take some effort to ensure that the XML read and written by XStream matches the schema in first place, because XStream uses additionally own attributes. Typically you will have to write some custom converters, but it can be worth the effort depending on the use case.
Security Framework
Noted above, it might be possible that other combinations are found with the Java runtime itself, or other commonly-used Java libraries that allow a similar vulnerability like the known case using the Java Beans EventHandler. To prevent such a possibility at all, XStream version 1.4.7 and above contains a security framework, allowing application developers to define which types are allowed to be unmarshalled with XStream.
The core interface is TypePermission. The SecurityMapper will evaluate a list of registered instances for every type that will be required while unmarshalling input data. The interface has one simple method:
boolean allow(Class<?>);
The XStream facade provides the following methods to register such type permissions within the SecurityMapper:
XStream.addPermission(TypePermission); XStream.allowTypes(Class[]); XStream.allowTypes(String[]); XStream.allowTypesByRegExp(String[]); XStream.allowTypesByRegExp(Pattern[]); XStream.allowTypesByWildcard(String[]); XStream.allowTypeHierary(Class); XStream.denyPermission(TypePermission); XStream.denyTypes(Class[]); XStream.denyTypes(String[]); XStream.denyTypesByRegExp(String[]); XStream.denyTypesByRegExp(Pattern[]); XStream.denyTypesByWildcard(String[]); XStream.denyTypeHierary(Class);
The sequence of registration is essential. The most recently registered permission will be evaluated first.
Every TypePermission has three options to implement the allow method and make decisions on the provided type:
- if the method returns true, the type is accepted and no other permissions are evaluated
- if the method returns false, the implementation cannot judge over the type and the SecurityMapper will continue with the next permission instance in its registration list
- the method throws a ForbiddenClassException to stop the unmarshalling process
Predefined Permission Types
XStream provides some TypePermission implementations to allow any or no type at all, to allow primitive types and their counterpart, null, array types, implementations match the name of the type by regular or wildcard expression and one to invert a permission.
| Permission | Description | Example | Default |
|---|---|---|---|
| AnyTypePermission | Allow any type. You may use the ANY instance directly. A registration of this permission will wipe any prior one. | yes | |
| ArrayTypePermission | Allow any array type. You may use the ARRAYS instance directly. | no | |
| CGLIBProxyTypePermission | Allow any CGLIB proxy type. You may use the PROXIES instance directly. | no | |
| ExplicitTypePermission | Allow types explicitly by name. | – | |
| InterfaceTypePermission | Allow any interface type. You may use the INTERFACES instance directly. | no | |
| NoPermission | Invert any other permission. Instances of this type are used by XStream in the deny methods. | no | |
| NoTypePermission | Allow no type. You may use the NONE instance directly. A registration of this permission will wipe any prior one. | – | |
| NullPermission | Allow null as type. You may use the NULL instance directly. | no | |
| PrimitiveTypePermission | Allow any primitive type and its boxed counterpart (excluding void). You may use the PRIMITIVES instance directly. | no | |
| ProxyTypePermission | Allow any Java proxy type. You may use the PROXIES instance directly. | no | |
| RegExpTypePermission | Allow any type that matches with its name a regular expression. | .*\\.core\\..* [^$]+ |
– |
| TypeHierarchyPermission | Allow types of a hierarchy. | – | |
| WildcardTypePermission | Allow any type that matches with its name a wildcard expression. | java.lang.* java.util.** |
– |
Example Code White Listing
XStream uses the AnyTypePermission by default, i.e. any type is accepted. You have to clear out this default and register your own permissions to activate the security framework (the Blog type is from the Alias Tutorial):
XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
Blog.class.getPackage().getName()+".*"
});
You may have a further look at XStream's acceptance tests, the security framework is enabled there in general.