Let's say you have a Contact interface and a ContactImpl class.

Contact c = (Contact) xstream.fromXML(xml);

and xml is:

    <dynamic-proxy>
      <interface>org.company.model.Contact</interface>
      <handler class="java.beans.EventHandler">
        <target class="java.lang.ProcessBuilder">
          <command>
            <string>calc.exe</string>
          </command>
        </target>
        <action>start</action>
      </handler>
    </dynamic-proxy>

Then as soon as the code calls any method on the Contact instance, the
payload gets executed (e.g. contact.getFirstName()).


SpringOXM has a wrapper for XStream
(org.springframework.oxm.xstream.XStreamMarshaller) that enables the
unmarshalling of objects from XML format.
This Spring OXM module is used by Spring MVC when building RESTful APIs.
My concern is that an attacker can send a maliciously crafted XML that
results in remote code execution in the case that the server is expecting
an object that implements an interface.

I would love to be able to disable the DynamicProxyConverter in a simple
fashion and expose that method to the Spring OXM wrapper so it can be
safely used for RESTful APIs.

Thanks,
A

Regards,

Alvaro


On Wed, Jul 17, 2013 at 6:49 PM, Jörg Schaible <joerg.schai...@gmx.de> wrote:

> Hello Alvaro,
>
> Alvaro wrote:
>
> > Hi,
> >
> > I found that using the DynamicProxyConverter can be a security issue that
> > can lead to remote code execution.
>
> Can you elaborate a bit?
>
> > I don't know if it is possible to unregister it
>
> No.
>
> > as I can see no
> > unregisterConverters method in the XStream class
>
> For an existing XStream instance you can only register other converters
> with
> same or higher priority that claim to handle the same types.
>
> As alternative you might provide a ConverterLookup as constructor parameter
> that contains already all supported converters and a ConverterRegistry that
> actually does nothing.
>
> Another alternative is to overwrite XStream's setupConverter method.
>
> > but I would like to use
> > XStream SpringOXM wrapper for a RESTFul API, so I would like to
> > unregister it using the SpringOXM wrapper, is it possible?
>
> Sorry, I am not familiar with SpringOXM at all. Therefore I cannot say how
> you configure it to use either different constructor parameters or an
> instance of a derived XStream type.
>
> Cheers,
> Jörg
>

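The two workarounds Jörg describes (register a converter with the same priority that claims the same types, or override setupConverters) carried through in working code. This is an added example, not code from the thread, from XStream or from Spring OXM. It assumes the XStream 1.4.x API of the time: DynamicProxyConverter is registered at XStream.PRIORITY_NORMAL and claims the marker class DynamicProxyMapper.DynamicProxy plus any java.lang.reflect.Proxy class, and among converters of equal priority the one registered last is consulted first. The class names (NoDynamicProxyXStream, RejectProxyConverter, Contact, ContactImpl) are the example's own, and the payload string is constructed to match the shape Alvaro posted; nothing in it is ever invoked.

```java
import java.lang.reflect.Proxy;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import com.thoughtworks.xstream.mapper.DynamicProxyMapper;

/**
 * Added example (not XStream or Spring code): shadow the built-in
 * DynamicProxyConverter so that <dynamic-proxy> input is rejected before
 * any proxy, handler or target object is instantiated.
 */
public class NoDynamicProxyXStream {

    /** Model types assumed for the example (the thread's Contact / ContactImpl). */
    public interface Contact { String getFirstName(); }

    public static class ContactImpl implements Contact {
        private String firstName;
        public ContactImpl() { }
        public ContactImpl(String firstName) { this.firstName = firstName; }
        public String getFirstName() { return firstName; }
    }

    /**
     * Claims exactly the types DynamicProxyConverter claims: the marker class the
     * mapper resolves "dynamic-proxy" to, and any java.lang.reflect.Proxy class.
     * It refuses to convert them in either direction.
     */
    public static final class RejectProxyConverter implements Converter {
        public boolean canConvert(Class type) {
            return type != null
                && (DynamicProxyMapper.DynamicProxy.class.equals(type) || Proxy.isProxyClass(type));
        }
        public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
            throw new ConversionException("dynamic proxies are disabled in this XStream instance");
        }
        public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
            throw new ConversionException("dynamic proxies are disabled in this XStream instance");
        }
    }

    /**
     * Option 1: register on an existing instance. The stock converter sits at
     * PRIORITY_NORMAL; a converter registered later with the same (or a higher)
     * priority that claims the same types is consulted first and shadows it.
     */
    public static XStream hardened() {
        XStream xstream = new XStream();
        xstream.registerConverter(new RejectProxyConverter(), XStream.PRIORITY_NORMAL);
        xstream.alias("contact", ContactImpl.class);
        return xstream;
    }

    /** Option 2: bake it in by overriding setupConverters (Jörg's other suggestion). */
    public static XStream hardenedSubclass() {
        XStream xstream = new XStream() {
            @Override
            protected void setupConverters() {
                super.setupConverters();
                registerConverter(new RejectProxyConverter(), PRIORITY_NORMAL);
            }
        };
        xstream.alias("contact", ContactImpl.class);
        return xstream;
    }

    /**
     * Constructed payload in the shape from the thread. The hardened instances
     * throw as soon as the <dynamic-proxy> root is resolved, so neither the
     * EventHandler nor the ProcessBuilder is ever built, let alone invoked.
     */
    static final String PAYLOAD =
          "<dynamic-proxy>\n"
        + "  <interface>" + Contact.class.getName() + "</interface>\n"
        + "  <handler class=\"java.beans.EventHandler\">\n"
        + "    <target class=\"java.lang.ProcessBuilder\">\n"
        + "      <command><string>calc.exe</string></command>\n"
        + "    </target>\n"
        + "    <action>start</action>\n"
        + "  </handler>\n"
        + "</dynamic-proxy>";

    /** True if the instance refuses the document, false if it hands back an object. */
    public static boolean rejects(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ConversionException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        for (XStream xs : new XStream[] { hardened(), hardenedSubclass() }) {
            // Ordinary model objects still round-trip through the hardened instance.
            Contact c = (Contact) xs.fromXML(xs.toXML(new ContactImpl("Ada")));
            System.out.println("round-trip: " + c.getFirstName());
            // The proxy payload is refused before anything is instantiated.
            System.out.println("payload rejected: " + rejects(xs, PAYLOAD));
        }
    }
}
```

On the Spring OXM side, the XStreamMarshaller in Spring 3.x has a setConverters(ConverterMatcher...) property that it passes to XStream.registerConverter when it builds its instance, so the RejectProxyConverter can be supplied there without touching the XStream constructor; check which priority your Spring version assigns to each entry, because it must be at least PRIORITY_NORMAL to shadow the stock converter. A subclass of XStreamMarshaller that overrides its protected customizeXStream(XStream) hook and registers the converter itself avoids that dependency. Note that this only shadows the dynamic-proxy entry point; later XStream releases (1.4.7 and up) added a type whitelist/blacklist (XStream.addPermission, denyTypes and related calls), which is the more general control once it is available to you.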