juneau-marshall
Demarshalling vulnerabilities

One common security vulnerability is the ability to create arbitrary Java object instances through crafted user input. For example, support for constructing POJOs based on an input attribute defining a fully-qualified class name like "{class:'com.foo.MyBean',...}"

Fortunately, Juneau does not support an open-ended "class attribute. As a rule, it should not be possible to create arbitrary POJOs by any of the parsers. The demarshalled object types are inferred via reflection of the class objects passed in through the parser method (e.g. JsonParser.DEFAULT.parse(input, MyBean.class)). As long as the Class object passed into this method is not constructed from user-generated input, it should be free from demarshalling vulnerabilities.

The following example shows a potential vector that circumvents the restriction above:

// Don't do this! Class c = Class.forName(someUserInputString); JsonParser.DEFAULT.parse(input, c); // Oops! Security hole!

Juneau does support something similar to a "class" attribute that allows you to define the POJO type at runtime. This is the "type" attribute. The difference is that it's not possible to specify fully-qualified class names in "type" attributes, and instead can only specify type keys defined through bean dictionaries. Instead of serializing the fully-qualified class names in the output, we instead serialize type names that represent those POJO types. i.e. instead of "class='com.foo.MyBean'", we instead serialize "type='MyBeanIdentifier'". Since bean types are defined at compile time, it's impossible to instantiate arbitrary POJOs.

POJO types of generalized input are also inferred through swaps. Again, since the POJO types are hardcoded at compile time, these should not be subject to demarshalling vulnerabilities. However, it is possible to circumvent this through your swap implementation as shown below:

// Don't do this! public class MyInsecureSwap extends PojoSwap<OMap,Object> { public Object swap(BeanSession session, OMap input) throws Exception { // Security hole! return Class.forName(input.getString("class")).newInstance(); } }

Note that the {@link oaj.jso.JsoParser}, a thin layer of the Juneau Parser API written on top of plain-old Java Object Serialization which itself is vulnerable to demarshalling issues. Due to this, the JSO parser is not included in any of the default REST servlet implementations. Be especially careful when using this parser, particularly if you want to use it for handing application/x-java-serialized-object input through REST servlets.

All other parsers (JSON, URL-Encoding, MessagePack, etc...) work the same way in determining POJO types, so should be safe from demarshalling vulnerabilities.

Dependent libraries

When accessing security vulnerabilities of any library, dependent libraries must also be taken into account: