stackoom
  简体   繁体   中英

com.thoughtworks.xstream.security.ForbiddenClassException

 原文  2015-06-12 21:16:16       java/ xstream

Question

I came across this exception while updating xstream (1.4.8) lib to the latest version in one of our web applications. The exception was being thrown in a pojo from a dependent jar that was compiled using an older version of xstream (1.3.1). I recompiled and built the new jar (dependent jar) using the xstream-1.4.8 and deployed the war file again, but still get the same exception. Initially I thought this was due to version mismatch, I'm not sure now whats causing this exception and there's not much documentation online. Any thoughts?

Thanks, Karthik

The actual call that throwing the exception:

TestList list = (TestList)xs.fromXML(new StringReader(testData));

where testData is xml string

TestList.java class

@XStreamAlias("Assets")
public class TestList extends ParentObject {

@XStreamImplicit(itemFieldName = "item")
protected List<Item> item= new ArrayList<Item>();

public void add(Item item) {
item.add(item);
}

public List<Item> getItems() {
    if(item== null)
        return new ArrayList<Item>();
    else
        return item;
}

@Override
public String getStringData() {
StringBuilder builder = new StringBuilder();

for (Item item : items) {
    builder.append(item.getStringData());
    builder.append("---------------\n");
}

return builder.toString();
}

@Override
public String getDataType() {
// TODO Auto-generated method stub
return null;
}

Item.java class:

 @XStreamAlias("Item")
public class Item extends ParentItem {
@XStreamAsAttribute
public String access_test;

@XStreamAsAttribute
public int test_num;

@XStreamAsAttribute
public int test_type;

@XStreamAsAttribute
public boolean tst_item;

@XStreamAsAttribute
public int test_test_est;

@XStreamAlias("eset_test")
public List<Integer> eset_test;

And of course I have the getters and setters that I am not including here.

Exception:

com.thoughtworks.xstream.security.ForbiddenClassException: com.test.cp.test123.pojo.TestList
    at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
    at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
    at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:30)
    at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:30)
    at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
    at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:133)
    at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1206)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1190)
    at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1061)

5 answers

solution1
 2  2016-01-18 18:21:42

http://x-stream.github.io/security.html

Try to limit to the minimum permissions required.

That would remove all limitations (read link above): xstream.addPermission(AnyTypePermission.ANY);

solution2
 2  2017-10-17 16:14:52

I solved my problem using something like:

Class<?>[] classes = new Class[] { TestList.class, Item.class, ... };
XStream xstream = new XStream();
XStream.setupDefaultSecurity(xstream);
xstream.allowTypes(classes);

solution3
 1  2022-12-13 10:43:01

Following @Kokeb answer, I had a spring bean with the following line of codes:

  XStreamMarshaller marshaller = new XStreamMarshaller();
  Map<String, Class<MyMessage>> aliases = new HashMap<>();
  aliases.put("myMessages", MyMessage.class);
  marshaller.setAliases(aliases);

I added:

 marshaller.getXStream().allowTypes(new Class[]{MyMessage.class});

and it solved the issue.

a bit of context, I was using XStream for a project with spring batch, spring integration and ActiveMQ, I set a bean that converts ActiveMQ messages into a message class. the full bean:

    @Bean
    public MessageConverter messageConverter() {
        XStreamMarshaller marshaller = new XStreamMarshaller();
        Map<String, Class< MyMessage >> aliases = new HashMap<>();
        aliases.put("myMessages", MyMessage.class);
        marshaller.setAliases(aliases);
        marshaller.getXStream().allowTypes(new Class[]{MyMessage.class});

        MarshallingMessageConverter messageConverter = new MarshallingMessageConverter(marshaller);
        messageConverter.setTargetType(MessageType.TEXT);
        return messageConverter;
    }

solution4
 0  2021-04-27 17:47:07

Using it as a security framework

You need to configure the security framework in XStream.

It is designed to prevent attacks to your deserialization entry point. If you can state that no unfriendly third party will ever use it, you are safe with the solutions provided so far.

I tend to be in the cautious side of the line. So I just allowed the basics, those that are mine, and some I use.

The basics

As stated in other answers, start by using the default

XStream xstream = new XStream();
XStream.setupDefaultSecurity(xstream);

As stated in the documentation " It initializes an XStream instance with a white list of well-known and simply types of the Java runtime. "

Those that are mine

These I allowed by package:

xstream.allowTypesByWildcard(new String[] { 
        "com.mydomain.mynewapp.**",
        "com.mydomain.utilitylibraries.**
        });

Some I use

For specific classes that I use, they can be allowed to feed your parser on a "by class" fashion.

xstream.allowTypes(new Class[] {
        com.google.common.base.Present.class,
        org.apache.commons.math3.random.GaussianRandomGenerator.class
        });

To get rid of the exception in the question, the OP may choose to add something like:

xstream.allowTypes(new Class[] {com.test.cp.test123.pojo.TestList.class});

Conclusion

XStream allows you to tune the security of the deserialization of your classes as tight as you want it to. It probably is enough with the bare minimum. But it is not enough to not ask you the question: "how tight need I this security to be?" Once you've reflected about the matter, act accordingly.

solution5
 0  2022-10-27 20:48:47

I have a derived class of XStreamMarshaller, where the "XStreamMarshaller. supports " method is overridden. I added getXStream().allowTypes(classes) , see snippet below.

@Override
public boolean supports(Class<?> clazz) {
    Class<?>[] classes = new Class[] {clazz};
    getXStream().processAnnotations(classes);
    getXStream().allowTypes(classes);
    return super. Supports(clazz);
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Caused by: com.thoughtworks.xstream.security.ForbiddenClassException: - Spring Batch XStream - com.thoughtworks.xstream.converters.ConversionException Xtream com.thoughtworks.xstream.mapper.CannotResolveClassException com.thoughtworks.xstream.mapper.CannotResolveClassException com.thoughtworks.xstream.converters.ConversionException com.thoughtworks.xstream.mapper.CannotResolveClassException How to remove com.thoughtworks.xstream_xstream critical Vulnerabilities? package com.thoughtworks.xstream.annotations does not exist Conversion error com.thoughtworks.xstream.converters.ConversionException Getting com.thoughtworks.xstream.mapper.CannotResolveClassException while trying to unmarshal using XStream
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM