Security framework of XStream not initialized, XStream is probably vulnerable

Backend  Unresolved  3  729
耶瑟儿~ 2021-01-03 18:30

Security framework of XStream not initialized, XStream is probably vulnerable

I keep getting this console error in red while using XStream (1.4.10)

3 answers
  • 2021-01-03 19:03

    When dealing with security issues, I wouldn't take it lightly. Firstly, one would understand the severity of the issue; here is a good write-up, or another one.

    Then find out how people recommend the solution. A good place to start is the XStream website itself. There is an example which you can use as a starting point on the XStream security page.

    This would be my setup, which basically allows most of your code.

    import java.util.Collection;
    import com.thoughtworks.xstream.XStream;
    import com.thoughtworks.xstream.security.NoTypePermission;
    import com.thoughtworks.xstream.security.NullPermission;
    import com.thoughtworks.xstream.security.PrimitiveTypePermission;

    XStream xstream = new XStream();
    // clear out existing permissions and set own ones
    xstream.addPermission(NoTypePermission.NONE);
    // allow some basics
    xstream.addPermission(NullPermission.NULL);
    xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
    xstream.allowTypeHierarchy(Collection.class);
    // allow any type from the same package
    xstream.allowTypesByWildcard(new String[] {
        "com.your.package.**"
    });


    However, after diving more into their source code, this is my take:

    import com.thoughtworks.xstream.XStream;

    XStream xstream = new XStream();
    // the static helper takes the instance to configure and installs XStream's own default allow-list
    XStream.setupDefaultSecurity(xstream); // to be removed after 1.5
    // then open up only the application's own package
    xstream.allowTypesByWildcard(new String[] {
        "com.your.package.**"
    });


    So essentially, you will need just one line once you upgrade to 1.5.

    Please note that you may need more wildcards to suit your application deserialization scenarios. This is not a one-size-fits-all answer but rather a good starting point IMHO.

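    To see the allow-list from this answer actually doing its job, here is an added, runnable demonstration (my example, not code from the answer's author or from the XStream project). It uses a hypothetical package com.example.app with an Order class and an XStreamAllowListDemo class; an Order round-trips normally, while constructed XML naming a type outside the allow-list (java.util.Date serves as a harmless stand-in) is rejected with ForbiddenClassException before any object is created.

```java
package com.example.app;

import java.util.Collection;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Hypothetical application type; everything under com.example.app is on the allow-list.
class Order {
    String id;
    int quantity;
    Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
}

public class XStreamAllowListDemo {
    // Same policy as the answer above: drop the default permissions, then re-add only what is needed.
    static XStream lockedDownXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);               // start from an empty allow-list
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // primitives and their wrappers only
        xstream.allowTypes(new Class[] { String.class });           // String is not covered by PRIMITIVES
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypesByWildcard(new String[] { "com.example.app.**" });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = lockedDownXStream();

        // An allowed type round-trips normally.
        String xml = xstream.toXML(new Order("A-1", 3));
        Order back = (Order) xstream.fromXML(xml);
        System.out.println("allowed: " + back.id + " x" + back.quantity);

        // Constructed input naming a type outside the allow-list (a harmless JDK class here);
        // the security mapper rejects the type before any instance is created.
        String untrusted = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(untrusted);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

    Swapping the wildcard for a broader pattern widens what the second call will accept, which is exactly the knob the rest of this thread is about.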
  • 2021-01-03 19:05

    I had the same "problem" and solved it by allowing the relevant types:

    import com.thoughtworks.xstream.XStream;

    // ABC and XYZ stand for the application classes that may appear in the XML
    Class<?>[] classes = new Class[] { ABC.class, XYZ.class };
    XStream xStream = new XStream();
    XStream.setupDefaultSecurity(xStream);  // XStream's own default allow-list
    xStream.allowTypes(classes);            // plus exactly these application types


    Maybe this also helps in your case.

    Good luck!

  • 2021-01-03 19:10

    It also works by specifying an all-inclusive pattern for allowed classes:

    // ".*" matches every class name, so this allows any type and effectively switches the whitelist off again
    xstream.allowTypesByRegExp(new String[] { ".*" });
