Tags: spring, spring-boot, spring-batch, xstream, spring-oxm

Vulnerability warning with XStreamMarshaller


When using an XStreamMarshaller with Spring Batch, I get the following message:

Security framework of XStream not initialized, XStream is probably vulnerable.

First try: According to the documentation, I've tried to reset all permissions, but I still get the same message. Besides, I have no security error when parsing XML files... So I think that this code just doesn't work. Here's a sample of the code:

XStreamMarshaller marshaller = new XStreamMarshaller();
marshaller.getXStream().addPermission(NoTypePermission.NONE);

Second try: I have also tried the setSupportedClasses method, but it doesn't work either (I still get the vulnerability message, and unsupported classes are still unmarshalled correctly):

XStreamMarshaller marshaller = new XStreamMarshaller();
marshaller.setSupportedClasses(FooBar.class);

How can I set security permissions with XStreamMarshaller?

Note: according to this thread, the Security Framework was introduced with 1.4.7 and it is still not mandatory... But it will be mandatory for XStream 1.5.0!

Version of XStream used: 1.4.10

Version of Spring Batch used: 4.0.1

For information, I'm using Spring Boot (but I'm not sure it's relevant here).


Solution

  • Solution for the 'First Try':

    The reason why it didn't work is that XStreamMarshaller instantiates an XStream object in afterPropertiesSet without checking if one has already been created, so we can't use getXStream() in a @Bean method. To make this work, we can for example set the security config while injecting the marshaller into another bean:

    import com.thoughtworks.xstream.XStream;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.oxm.xstream.XStreamMarshaller;

    @Configuration
    public class JobSecurityConfig {

        // Runs once the marshaller bean exists, so getXStream() returns the instance the job will use
        public JobSecurityConfig(XStreamMarshaller marshaller) {
            XStream xstream = marshaller.getXStream();
            XStream.setupDefaultSecurity(xstream);      // deny all types, then re-allow XStream's safe defaults
            xstream.allowTypes(new Class[]{Bar.class}); // allow only the item type the job unmarshals
        }

    }

    Another solution: extend XStreamMarshaller

    You can also extend XStreamMarshaller and override only the customizeXStream() method to set security configuration.

    import com.thoughtworks.xstream.XStream;
    import org.springframework.oxm.xstream.XStreamMarshaller;

    public class SecureXStreamMarshaller extends XStreamMarshaller {

        // Called by XStreamMarshaller while it builds its own XStream instance
        @Override
        protected void customizeXStream(XStream xstream) {
            XStream.setupDefaultSecurity(xstream);      // deny all types, then re-allow XStream's safe defaults
            xstream.allowTypes(new Class[]{Bar.class}); // allow only the item type the job unmarshals
        }

    }

    Why the 'Second Try' doesn't work:

    setSupportedClasses is only used on marshalling! StaxEventItemReader doesn't care about supported classes!
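The following is an added, self-contained example (not code from the question or the answer above) that puts the second solution to work end to end: a marshaller subclass that applies the allowlist in customizeXStream(), a StaxEventItemReader built on top of it, and a check that a type missing from the allowlist is refused with ForbiddenClassException. The classes Bar and Unlisted, the element name "bar", the inline XML input and the method names are all constructed for this example; the XStream and Spring Batch 4.x APIs used (setupDefaultSecurity, allowTypes, setAliases, StaxEventItemReaderBuilder) are real.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import org.springframework.batch.item.ExecutionContext;
import org.springframework.batch.item.xml.StaxEventItemReader;
import org.springframework.batch.item.xml.builder.StaxEventItemReaderBuilder;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.oxm.xstream.XStreamMarshaller;

import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical item type: the only application class the reader may instantiate. */
class Bar {
    public String name;
}

/** Hypothetical class that is deliberately NOT on the allowlist. */
class Unlisted {
    public String payload;
}

/** Marshaller whose security setup lives in customizeXStream(), so it applies to the XStream instance the marshaller really uses. */
class SecureXStreamMarshaller extends XStreamMarshaller {
    @Override
    protected void customizeXStream(XStream xstream) {
        XStream.setupDefaultSecurity(xstream);      // deny everything, then re-allow XStream's safe defaults
        xstream.allowTypes(new Class[]{Bar.class}); // explicit allowlist: only Bar may be unmarshalled
    }
}

public class SecureReaderExample {

    /** Builds the marshaller; the "bar" alias maps the XML fragment root to Bar. */
    public static XStreamMarshaller secureMarshaller() {
        SecureXStreamMarshaller marshaller = new SecureXStreamMarshaller();
        Map<String, Class<?>> aliases = new HashMap<>();
        aliases.put("bar", Bar.class);
        marshaller.setAliases(aliases);
        return marshaller;
    }

    /** Spring Batch reader over an in-memory XML document (constructed input, not a file from the project). */
    public static StaxEventItemReader<Bar> barReader(String xml) throws Exception {
        StaxEventItemReader<Bar> reader = new StaxEventItemReaderBuilder<Bar>()
                .name("barReader")
                .resource(new ByteArrayResource(xml.getBytes(StandardCharsets.UTF_8)))
                .addFragmentRootElements("bar")
                .unmarshaller(secureMarshaller())
                .build();
        reader.afterPropertiesSet();
        return reader;
    }

    /** Reads the first <bar> fragment through the secured reader. */
    public static Bar readFirstBar(String xml) throws Exception {
        StaxEventItemReader<Bar> reader = barReader(xml);
        reader.open(new ExecutionContext());
        try {
            return reader.read();
        } finally {
            reader.close();
        }
    }

    /**
     * The check a practitioner wants after wiring the allowlist: a root element naming a class
     * outside the allowlist must be rejected by the security framework, not instantiated.
     */
    public static boolean rejectsUnlistedType() {
        String xml = "<" + Unlisted.class.getName() + "><payload>x</payload></" + Unlisted.class.getName() + ">";
        try {
            secureMarshaller().getXStream().fromXML(xml);
            return false; // allowlist is not in effect: the type was instantiated
        } catch (ForbiddenClassException e) {
            return true;  // expected: XStream refused the non-allowlisted type
        }
    }

    public static void main(String[] args) throws Exception {
        String xml = "<bars><bar><name>first</name></bar><bar><name>second</name></bar></bars>";
        Bar bar = readFirstBar(xml);
        System.out.println("read bar with name: " + bar.name);
        System.out.println("unlisted type rejected: " + rejectsUnlistedType());
    }
}
```

Because the allowlist is applied inside customizeXStream(), it takes effect whether the marshaller is created in a @Bean method or directly, which is the property the first attempt in the question lacked. The rejection check exercises the marshaller's own XStream instance, so it verifies the configuration actually reached the object the StaxEventItemReader delegates to.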