One common security vulnerability is the ability to create arbitrary Java object instances through crafted
user input. For example, support for constructing POJOs based on an input attribute defining a
fully-qualified class name like "{class:'com.foo.MyBean',...}"
Fortunately, Juneau does not support an open-ended "class attribute.
As a rule, it should not be possible to create arbitrary POJOs by any of the parsers.
The demarshalled object types are inferred via reflection of the class objects passed in through the parser
method (e.g. JsonParser.DEFAULT.parse(input, MyBean.class)).
As long as the Class object passed into this method is not constructed from user-generated input,
it should be free from demarshalling vulnerabilities.
The following example shows a potential vector that circumvents the restriction above:
| // Don't do this!
| Class c = Class.forName(someUserInputString);
| JsonParser.DEFAULT.parse(input, c); // Oops! Security hole!
Juneau does support something similar to a "class" attribute that allows you to define the
POJO type at runtime.
This is the "type" attribute.
The difference is that it's not possible to specify fully-qualified class names in "type" attributes,
and instead can only specify type keys defined through bean dictionaries.
Instead of serializing the fully-qualified class names in the output, we instead serialize type
names that represent those POJO types.
i.e. instead of "class='com.foo.MyBean'", we instead serialize "type='MyBeanIdentifier'".
Since bean types are defined at compile time, it's impossible to instantiate arbitrary POJOs.
POJO types of generalized input are also inferred through swaps.
Again, since the POJO types are hardcoded at compile time, these should not be subject to demarshalling
vulnerabilities. However, it is possible to circumvent this through your swap implementation as shown
below:
| // Don't do this!
| public class MyInsecureSwap extends ObjectSwap<JsonMap,Object> {
| public Object swap(BeanSession session, JsonMap input) throws Exception {
| // Security hole!
| return Class.forName(input.getString("class")).newInstance();
| }
| }
All other parsers (JSON, URL-Encoding, MessagePack, etc...) work the same way in determining POJO types, so
should be safe from demarshalling vulnerabilities.