Juneau / JUNEAU-67

Create security documentation


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.1
    • Component/s: Documentation
    • Labels: None

    Description

      Create documentation on security-related topics such as shown here:

      http://x-stream.github.io/security.html#validation

      Here's some initial "stuff":

      As a rule, though, it is impossible to create arbitrary POJOs through manipulation of the input; i.e., there is no "_class" attribute where you can pass in arbitrary class names.

      When you parse input, you have to specify the POJO class you want constructed (e.g. parser.parse(input, MyBean.class)). So only classes that exist within that POJO "tree" will be instantiated.

      We do have the concept of type dictionaries where "_type" attributes are added to the output to identify classes. It's similar to "_class", but you must explicitly specify the type name mappings programmatically on the parser instance (e.g. 'MyBean' -> com.foo.MyBean.class) or via annotations defined on interface or abstract classes.

      For example, if we added the following annotation to our bean class....
      // Java string literals take double quotes; the typeName value is the name that appears in "_type".
      @Bean(typeName="MyBean")
      public class MyBean {...}

      ...then it would get serialized like so....

      { _type:'MyBean', myField:123 }

      ...and would be parsed back into the original bean type like so...

      // Create a parser aware of the MyBean class.
      Parser parser = JsonParser.create().beanDictionary(MyBean.class).build();

      // Parse our input above to create a MyBean instance even though we're asking for a general Object.
      MyBean myBean = (MyBean)parser.parse(input, Object.class);

      We DO have JsoSerializer and JsoParser classes that use Java Serialized Object (JSO) serialization, and these are subject to injection attacks, but we make clear in the Javadocs that you must be very careful if you want to use them. We exclude them from the list of default serializers and parsers on the REST classes.
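      A constructed example added here (it is not from the issue or from the Juneau code base) that puts the point above side by side: the same "_type" input parsed once by a parser whose bean dictionary knows MyBean and once by the default parser, which has no dictionary. It assumes Juneau 7.x package names (org.apache.juneau.json.JsonParser, org.apache.juneau.annotation.Bean, org.apache.juneau.parser.ParseException, org.apache.juneau.ObjectMap).

```java
import org.apache.juneau.ObjectMap;
import org.apache.juneau.annotation.Bean;
import org.apache.juneau.json.JsonParser;
import org.apache.juneau.parser.ParseException;

public class TypeDictionaryDemo {

    // Constructed bean for this example. The type name is bound to the class
    // explicitly in code (here via the annotation), never taken from the input.
    @Bean(typeName="MyBean")
    public static class MyBean {
        public int myField;
    }

    // Constructed input, in the same simple-JSON form the issue shows.
    static final String INPUT = "{_type:'MyBean', myField:123}";

    // Parser that was told about MyBean: "_type" resolves through its dictionary.
    static Object parseWithDictionary(String input) throws ParseException {
        JsonParser aware = JsonParser.create().beanDictionary(MyBean.class).build();
        return aware.parse(input, Object.class);
    }

    // Default parser, no dictionary: the name in "_type" maps to nothing, so no
    // bean class is looked up or instantiated from the input's own content.
    static Object parseWithoutDictionary(String input) throws ParseException {
        return JsonParser.DEFAULT.parse(input, Object.class);
    }

    public static void main(String[] args) throws ParseException {
        Object aware = parseWithDictionary(INPUT);
        Object unaware = parseWithoutDictionary(INPUT);

        System.out.println("with dictionary    -> " + aware.getClass().getName()
            + ", MyBean? " + (aware instanceof MyBean));
        System.out.println("without dictionary -> " + unaware.getClass().getName()
            + ", MyBean? " + (unaware instanceof MyBean)
            + ", generic map? " + (unaware instanceof ObjectMap));
    }
}
```

      Only the first parser can yield a MyBean; the second never sees that class, so a "_type" value in untrusted input cannot reach beyond the classes registered on the parser.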

          People

            Assignee: jamesbognar (James Bognar)
            Reporter: jamesbognar (James Bognar)
