Let's say you have a Contact interface and a ContactImpl class.

Contact c = (Contact) xstream.fromXML(xml);

and xml is:

<dynamic-proxy>
  <interface>org.company.model.Contact</interface>
  <handler class="java.beans.EventHandler">
    <target class="java.lang.ProcessBuilder">
      <command>
        <string>calc.exe</string>
      </command>
    </target>
    <action>start</action>
  </handler>
</dynamic-proxy>

Then as soon as the code calls any method on the Contact instance, the payload gets executed (e.g. contact.getFirstName()).

SpringOXM has a wrapper for XStream (org.springframework.oxm.xstream.XStreamMarshaller) that enables the unmarshalling of objects from XML format. This SpringOXM module is used by SpringMVC when building RESTful APIs. My concern is that an attacker can send a maliciously crafted XML that results in remote code execution in the case that the server is expecting an object that implements an interface.

I would love to be able to disable the DynamicProxyConverter in a simple fashion and expose that method to the SpringOXM wrapper so it can be safely used for RESTful APIs.

Thanks,
A

Regards,
Alvaro

On Wed, Jul 17, 2013 at 6:49 PM, Jörg Schaible <joerg.schai...@gmx.de> wrote:
> Hello Alvaro,
>
> Alvaro wrote:
>
> > Hi,
> >
> > I found that using the DynamicProxyConverter can be a security issue that
> > can lead to remote code execution.
>
> Can you elaborate a bit?
>
> > I don't know if it is possible to unregister it
>
> No.
>
> > as I can see no
> > unregisterConverters method in the XStream class
>
> For an existing XStream instance you can only register other converters
> with same or higher priority that claim to handle the same types.
>
> As an alternative you might provide a ConverterLookup as constructor parameter
> that contains already all supported converters and a ConverterRegistry that
> actually does nothing.
>
> Another alternative is to overwrite XStream's setupConverter method.
>
> > but I would like to use
> > XStream SpringOXM wrapper for a RESTful API, so I would like to
> > unregister it using the SpringOXM wrapper, is it possible?
>
> Sorry, I am not familiar with SpringOXM at all. Therefore I cannot say how
> you configure it to use either different constructor parameters or an
> instance of a derived XStream type.
>
> Cheers,
> Jörg
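Jörg's first suggestion (register a converter at equal or higher priority that claims the same types as DynamicProxyConverter) can be put into code as follows. This is an added example, not code from the thread or from the XStream project; it assumes the XStream 1.4-era API (`Converter`, `registerConverter(Converter, int)`, `XStream.PRIORITY_VERY_HIGH`, and the public `DynamicProxyMapper.DynamicProxy` marker class that the `dynamic-proxy` element resolves to).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import com.thoughtworks.xstream.mapper.DynamicProxyMapper;
import java.lang.reflect.Proxy;

/**
 * Claims exactly the types DynamicProxyConverter claims and refuses them.
 * Registered at a higher priority, it is looked up first, so no
 * <dynamic-proxy> element can ever reach the real converter.
 */
public final class NoDynamicProxyConverter implements Converter {

    public boolean canConvert(Class type) {
        // "dynamic-proxy" is mapped to DynamicProxyMapper.DynamicProxy on input;
        // Proxy.isProxyClass covers proxy instances on output.
        return DynamicProxyMapper.DynamicProxy.class.equals(type) || Proxy.isProxyClass(type);
    }

    public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
        throw new ConversionException("dynamic proxies are not allowed");
    }

    public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
        throw new ConversionException("dynamic proxies are not allowed");
    }

    /** XStream instance whose proxy support is shadowed by this converter. */
    public static XStream hardened() {
        XStream xstream = new XStream();
        xstream.registerConverter(new NoDynamicProxyConverter(), XStream.PRIORITY_VERY_HIGH);
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed sample: the root element alone is enough to trigger the
        // lookup, and the refusal happens before any child element is read.
        String xml = "<dynamic-proxy><interface>java.lang.Runnable</interface></dynamic-proxy>";
        try {
            hardened().fromXML(xml);
            System.out.println("unexpected: proxy was created");
        } catch (ConversionException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Pointing the SpringOXM wrapper at this instance is a separate step the thread does not cover; the converter only protects XStream objects it has been registered on.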