{title:'juneau-marshall', created:'8.2.0'}
Demarshalling vulnerabilities

One common security vulnerability is the ability to create arbitrary Java object instances through crafted user input. For example, support for constructing POJOs based on an input attribute defining a fully-qualified class name like "{class:'com.foo.MyBean',...}"

Fortunately, Juneau does not support an open-ended "class attribute. As a rule, it should not be possible to create arbitrary POJOs by any of the parsers. The demarshalled object types are inferred via reflection of the class objects passed in through the parser method (e.g. JsonParser.DEFAULT.parse(input, MyBean.class)). As long as the Class object passed into this method is not constructed from user-generated input, it should be free from demarshalling vulnerabilities.

The following example shows a potential vector that circumvents the restriction above:

| // Don't do this! | Class c = Class.forName(someUserInputString); | JsonParser.DEFAULT.parse(input, c); // Oops! Security hole!

Juneau does support something similar to a "class" attribute that allows you to define the POJO type at runtime. This is the "type" attribute. The difference is that it's not possible to specify fully-qualified class names in "type" attributes, and instead can only specify type keys defined through bean dictionaries. Instead of serializing the fully-qualified class names in the output, we instead serialize type names that represent those POJO types. i.e. instead of "class='com.foo.MyBean'", we instead serialize "type='MyBeanIdentifier'". Since bean types are defined at compile time, it's impossible to instantiate arbitrary POJOs.

POJO types of generalized input are also inferred through swaps. Again, since the POJO types are hardcoded at compile time, these should not be subject to demarshalling vulnerabilities. However, it is possible to circumvent this through your swap implementation as shown below:

| // Don't do this! | public class MyInsecureSwap extends ObjectSwap<JsonMap,Object> { | public Object swap(BeanSession session, JsonMap input) throws Exception { | // Security hole! | return Class.forName(input.getString("class")).newInstance(); | } | }

All other parsers (JSON, URL-Encoding, MessagePack, etc...) work the same way in determining POJO types, so should be safe from demarshalling vulnerabilities.

Dependent libraries

When accessing security vulnerabilities of any library, dependent libraries must also be taken into account: