Security framework of XStream not initialized, XStream is probably vulnerable

I keep getting this console error in red while using XStream (1.4.10).

I tried the following:

XStream.setupDefaultSecurity(xs);

and

xs.addPermission(AnyTypePermission.ANY);
xs.addPermission(NoTypePermission.NONE);

none of which got rid of it.

I do not need any fancy security settings, I just want to silence that warning. Maybe also prepare the code for 1.5.x.

Oscan answered 22/6, 2017 at 11:36 Comment(0)
When dealing with security issues, I wouldn't take it lightly. Firstly, one would understand the severity of the issue; here is a good write-up, or another one.

Then find out how people recommend solving it. A good place to start is the XStream website itself. There is an example which you can use as a starting point on the XStream security page.

This would be my set up which basically allows most of your code.

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Collection;

XStream xstream = new XStream();
// clear out existing permissions and set own ones
xstream.addPermission(NoTypePermission.NONE);
// allow some basics
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypeHierarchy(Collection.class);
// allow any type from the same package
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

However, after diving more into their source code, this is my take:

XStream xstream = new XStream();
XStream.setupDefaultSecurity(xstream); // to be removed after 1.5
xstream.allowTypesByWildcard(new String[] {
    "com.your.package.**"
});

So essentially, you will need just one line once you upgrade to 1.5.

Please note that you may need more wildcards to suit your application's deserialization scenarios. This is not a one-size-fits-all answer but rather a good starting point IMHO.

Nyctophobia answered 17/7, 2017 at 20:9 Comment(1)
Sweettempered: First link is broken.
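As an added stand-alone example (not the answer author's code; the `Order` class and its fields are made up for illustration), the following shows the allowlist approach from this answer in compilable form: start from deny-all, allow only the types the application needs, and confirm that a type outside the allowlist is rejected before it is instantiated.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Collection;

public class XStreamAllowlistDemo {

    // Hypothetical application type that we do want XStream to deserialize.
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Builds an XStream instance that only accepts the types the application needs. */
    public static XStream secureXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);             // start from deny-all
        xstream.addPermission(NullPermission.NULL);               // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypeHierarchy(Collection.class);             // List, Set, ...
        xstream.allowTypes(new Class[] { String.class, Order.class }); // explicit allowlist
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = secureXStream();

        // Constructed sample: an allowed type round-trips normally.
        Order order = new Order();
        order.id = "A-42";
        order.quantity = 3;
        String xml = xstream.toXML(order);
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("Round-trip ok: " + back.id + " x" + back.quantity);

        // Constructed sample naming a JDK type that is not on the allowlist.
        // The security mapper rejects it before any object is created.
        String untrusted = "<java.util.Locale/>";
        try {
            xstream.fromXML(untrusted);
            System.out.println("UNEXPECTED: disallowed type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```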
I had the same "problem" and solved it by allowing the relevant types:

import com.thoughtworks.xstream.XStream;

// ABC and XYZ stand for your own classes that need to be deserialized
Class<?>[] classes = new Class[] { ABC.class, XYZ.class };
XStream xStream = new XStream();
XStream.setupDefaultSecurity(xStream);
xStream.allowTypes(classes);

Maybe this also helps in your case.

Good luck!

Hardheaded answered 2/7, 2017 at 19:36 Comment(2)
Oscan: Can I also specify a huge superclass?
Milt: @GGrec NO... I tried passing the superclass but it gave me an error for the child class.
It also works by specifying an all-inclusive pattern for allowed classes:

xstream.allowTypesByRegExp(new String[] { ".*" });
Awning answered 8/11, 2018 at 12:19 Comment(3)
Anderson: This is basically disabling the security feature that XStream is trying to make you configure. Don't do that unless you don't care about your application being secure.
Neoplatonism: Exactly! This needs to be used with caution!
Neoplatonism: Also, this needs xstream.addPermission(NoTypePermission.NONE); to be called before it to disable the warning.
To anyone who comes across this, it's likely due to CVE-2021-21351.

XStream has a RCE vulnerability in earlier versions. You should upgrade to 1.46.1 or higher immediately.

Dupre answered 30/3, 2022 at 14:16 Comment(0)