Skip to main content

Marshalling Security

Demarshalling vulnerabilities

One common security vulnerability is the ability to create arbitrary Java object instances through crafted user input.

For example, support for constructing POJOs based on an input attribute defining a fully-qualified class name like {class:'com.foo.MyBean',...}

Fortunately, Juneau does not support an open-ended class attribute.

As a rule, it should not be possible to create arbitrary POJOs by any of the parsers.

The demarshalled object types are inferred via reflection of the class objects passed in through the parser method (e.g. JsonParser.DEFAULT.parse(input, MyBean.class)).

As long as the Class object passed into this method is not constructed from user-generated input, it should be free from demarshalling vulnerabilities.

The following example shows a potential vector that circumvents the restriction above:

// Don't do this!
Class c = Class.forName(someUserInputString);
JsonParser.DEFAULT.parse(input, c);  // Oops!  Security hole!

Juneau does support something similar to a class attribute that allows you to define the POJO type at runtime. This is the type attribute. The difference is that it's not possible to specify fully-qualified class names in type attributes, and instead can only specify type keys defined through bean dictionaries. Instead of serializing the fully-qualified class names in the output, we instead serialize type names that represent those POJO types. i.e. instead of class='com.foo.MyBean', we instead serialize type='MyBeanIdentifier'. Since bean types are defined at compile time, it's impossible to instantiate arbitrary POJOs. POJO types of generalized input are also inferred through swaps. Again, since the POJO types are hardcoded at compile time, these should not be subject to demarshalling vulnerabilities. However, it is possible to circumvent this through your swap implementation as shown below:

// Don't do this!
public class MyInsecureSwap extends ObjectSwap {
    public Object swap(BeanSession session, JsonMap input) throws Exception {
        // Security hole!
        return Class.forName(input.getString("class")).newInstance();
    }
}

All other parsers (JSON, URL-Encoding, MessagePack, etc...) work the same way in determining POJO types, so should be safe from demarshalling vulnerabilities.

Dependent libraries

When accessing security vulnerabilities of any library, dependent libraries must also be taken into account:

  • The JSON, HTML, MsgPack, URL-Encoding, and UON parsers are written from scratch and do not rely on

any other parsing technologies.

  • The XML and HTML parsers uses the built-in Java StAX parser.

This should be free from vulnerabilities.

  • The RDF parsers rely on Apache Jena 2.7.1.

As of 7.0.1, no known security vulnerabilities exist that affect Juneau at this time.