
Checkmarx scan issue - deserialization of unsanitized xml data from the input


I am currently facing an issue during a Checkmarx scan. It is highlighting that we are deserializing untrusted data in the last line mentioned below. How do I rectify this issue?

Scan Issue : Deserialization of Untrusted Data

Note: We do not have any xsd

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;

String message = request.getParameter("param_name"); // Input xml string
XStream parser = new XStream(new StaxDriver());      // Default XStream security configuration
MyMessage messageObj = (MyMessage) parser.fromXML(message); // This line is flagged by CHECKMARX SCAN 

Solution

  • I will assume that you intended to say that you're getting results for Deserialization of Untrusted Data.

    The reason you're getting that message is that XStream will happily attempt to create an instance of just about any object specified in the XML by default. The technique is to allow only the types you intend to be deserialized. One would presume you've ensured those types are safe.

    I ran this code derived from your example and verified that the two lines I added were detected as sanitization.

    import com.thoughtworks.xstream.XStream;
    import com.thoughtworks.xstream.io.xml.StaxDriver;
    import com.thoughtworks.xstream.security.NoTypePermission;

    String message = request.getParameter("param_name");
    XStream parser = new XStream(new StaxDriver());
    parser.addPermission(NoTypePermission.NONE);                          // deny every type first
    parser.allowTypes(new Class[] {MyMessage.class, String.class});       // then allow only the expected ones
    MyMessage messageObj = (MyMessage) parser.fromXML(message);


    I added the String.class type since I'd presume some of your properties on MyMessage are String. String itself, like most primitives, is generally safe for deserialization. While the string itself is safe, you'll want to make sure how you use it is safe. (e.g. if you are deserializing a string and passing it to the OS as part of a shell exec, that could be a different vulnerability.)
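A stand-alone illustration of the allowlist behaviour described in the answer (added example, not the answerer's code). It assumes a MyMessage with only String fields and uses an alias so the root element does not have to carry the nested class name; the two XML inputs are constructed.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class XStreamAllowlistDemo {

    // Assumed shape of the asker's MyMessage: String fields only, so the
    // allowlist {MyMessage, String} from the answer covers everything it needs.
    public static class MyMessage {
        String sender;
        String body;
    }

    // Builds the hardened parser exactly as the answer configures it.
    static XStream hardenedParser() {
        XStream parser = new XStream(new StaxDriver());
        parser.alias("message", MyMessage.class);          // <message> instead of the FQCN
        parser.addPermission(NoTypePermission.NONE);       // clear all permissions
        parser.allowTypes(new Class[] {MyMessage.class, String.class});
        return parser;
    }

    // Parses request XML; returns null when the root type is not on the allowlist
    // (in a servlet you would turn that into a 400 response).
    static MyMessage parseMessage(String xml) {
        try {
            return (MyMessage) hardenedParser().fromXML(xml);
        } catch (ForbiddenClassException e) {
            System.out.println("Rejected type: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed input matching the expected shape: accepted.
        String expected = "<message><sender>alice</sender><body>hello</body></message>";
        MyMessage ok = parseMessage(expected);
        System.out.println("Parsed sender=" + ok.sender + " body=" + ok.body);

        // Constructed input naming a real class that is not on the allowlist
        // (java.util.Date, harmless here): rejected before any object is created.
        String unexpected = "<java.util.Date>0</java.util.Date>";
        System.out.println("Unexpected input parsed: " + (parseMessage(unexpected) != null));
    }
}
```

If MyMessage later gains fields of other types (nested beans, collections), each of those types must be added to allowTypes as well, otherwise valid messages are rejected with the same ForbiddenClassException.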