Lets say you have a Contact Interface and a ContactImpl class.

Contact c = (Contact) xstream.fromXML(xml);

and xml is:

      <handler class="java.beans.EventHandler">
          <target class="java.lang.ProcessBuilder">

Then as soon as the code calls any method on the Contact instace, the
payload gets executed (eg: contact.getFirstName() )

SpringOXM has a wrapper for XStream
(org.springframework.oxm.xstream.XStreamMarshaller) that enables the
unmarshalling of objects from XML format.
This SpringOXM module is used by SpringMVC when building RESTFul APIs.
My concern is that an attacker can sends a malicious crafted XML that
results in remote code execution in the case that the server is expecting
an object that implements an interface.

I would love to be able to disable the DynamicProxyconverter in simple
fashion and expose that method to the SpringgOXM wrapper so it can be
safely used for RESTFul APIs.


Un saludo,


On Wed, Jul 17, 2013 at 6:49 PM, Jörg Schaible <joerg.schai...@gmx.de>wrote:

> Hello Alvaro,
> Alvaro wrote:
> > Hi,
> >
> > I found that using the DynamicProxyConverter can be a security issue that
> > can lead to remote code execution.
> Can you elaborate a bit?
> > I dont know if it is possible to unregister it
> No.
> > as I can see no
> > unregisterConverters method in the XStream class
> For an existing XStream instance you can only register other converters
> with
> same or higher priority that claim to handle the same types.
> As alternative you might provide a ConverterLookup as constructor parameter
> that contains already all supported converters and a ConverterRegistry that
> actually does nothing.
> Another alternative is to overwrite XStream's setupConverter method.
> > but I would like to use
> > XStream SpringOXM wrapper for a RESTFul API, so I would like to
> unregister
> > it using the SpringOXM wrapper, is it possible?
> Sorry, I am not familiar with SpringOXM at all. Therefore I cannot say how
> you configure it to use either different constructor parameters or an
> instance of a derived XStream type.
> Cheers,
> Jörg
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>     http://xircles.codehaus.org/manage_email

Reply via email to