XStream security enhancements

Thierry Boileau edited this page Mar 4, 2014 · 4 revisions

XStream applies various techniques under the hood to ensure it is able to handle all types of objects, including undocumented Java features and reflection. The XML generated by XStream includes all the information required to build objects of almost any type. This introduces a potential security problem: the XML provided to XStream for conversion to a Java object can be manipulated to inject objects into the unmarshalled object graph that were not present at marshalling time. An attacker could exploit this to execute arbitrary code or shell commands in the context of the server running the XStream process. This issue has been addressed and is clearly documented here: XStream Security Framework.

You can configure the XStream object used by the XStreamRepresentation (see XStreamRepresentation#createXstream() or XStreamRepresentation#getXstream()) and apply security permissions to it.
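
The following is an added example, not code from the Restlet or XStream projects: it applies an allow-list through the XStream Security Framework permission API (assumed XStream 1.4.7 or later) to the instance returned by getXstream(), and shows the effect on two constructed inputs. The Contact bean and the class name XStreamAllowListExample are hypothetical.

```java
import java.io.IOException;

import org.restlet.ext.xstream.XStreamRepresentation;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListExample {

    /** Hypothetical application bean; stands in for the types your resources exchange. */
    public static class Contact {
        String name;
        int age;
    }

    /** Replaces the permissive default with an explicit allow-list. */
    static XStream restrict(XStream xstream) {
        xstream.addPermission(NoTypePermission.NONE);              // deny every type first
        xstream.addPermission(NullPermission.NULL);                // then allow null,
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and their wrappers,
        xstream.allowTypes(new Class[] {String.class, Contact.class}); // and the expected types
        return xstream;
    }

    /** Applies the allow-list to the XStream instance a representation uses. */
    static void restrict(XStreamRepresentation<?> representation) throws IOException {
        restrict(representation.getXstream());
    }

    public static void main(String[] args) {
        XStream xstream = restrict(new XStream());
        xstream.alias("contact", Contact.class);

        // Constructed input: an allowed type unmarshals as before.
        Contact c = (Contact) xstream.fromXML("<contact><name>Ada</name><age>36</age></contact>");
        System.out.println("accepted: " + c.name);

        // Constructed input: a type outside the allow-list is refused when its name is resolved.
        try {
            xstream.fromXML("<java.util.Date>2014-03-04</java.util.Date>");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Call restrict(representation) before the representation's content is read, so the permissions are in place when unmarshalling starts.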