
Insecure Processing of Data

This category covers the following issues:

Insecure Deserialization

Why is this important?

Serialization is the process of translating data structures into a format that can be stored or transmitted. In Java, objects can be serialized into byte streams or strings and, conversely, those byte streams or strings can be deserialized back into objects. This functionality is exposed by the JDK's own object serialization as well as by libraries for YAML, JSON, CSV and marshalling. Insecure deserialization describes the processing of attacker-controlled serialized data, which in turn can allow an attacker to execute arbitrary code in the context of your application. These issues are common and have been the cause of many high-profile breaches.

Fixing Insecure Deserialization

Option A: Don't parse untrusted data with XMLDecoder

XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. This is possible because XMLDecoder supports arbitrary method invocation. This capability is intended to call setter methods, but in practice, any method can be called.

Detailed Instructions
  1. Go through the issues that GuardRails identified in the PR.

  2. Look for code that passes untrusted data to XMLDecoder.

    XMLDecoder d = new XMLDecoder(in);
    try {
        Object result = d.readObject(); // executes every method call the document describes
        [...]
    } finally {
        d.close();
    }
  3. Remove the XMLDecoder call from the untrusted path and parse the data with a conventional XML or JSON parser into explicitly defined types. For background on what a crafted document can make XMLDecoder do, see: Using XMLDecoder to execute server-side Java Code on a Restlet application

  4. Test it

  5. Ship it 🚢 and relax 🌴
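The following is an added example, not code from the original page or from GuardRails. It shows the method invocation the text describes, using a constructed java.beans persistence document that only calls System.getProperty("java.version"), and a replacement reader built on StAX with DTDs and external entities disabled that accepts nothing but the two elements the application defines. The Settings type, the element names and the document contents are assumptions made for the example.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XmlDecoderReplacement {

    // Constructed document in java.beans persistence format. It carries no bean state:
    // the <object> element is a static method call, System.getProperty("java.version"),
    // which XMLDecoder executes while "reading" it. The class and method names are
    // chosen by whoever wrote the document, not by the application.
    static final String CONSTRUCTED_DOC =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<java class=\"java.beans.XMLDecoder\">\n"
        + "  <object class=\"java.lang.System\" method=\"getProperty\">\n"
        + "    <string>java.version</string>\n"
        + "  </object>\n"
        + "</java>\n";

    // The shape flagged on the page: whatever the document asks for gets executed.
    static Object vulnerableRead(byte[] untrusted) {
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(untrusted))) {
            return d.readObject();
        }
    }

    // Expected application data (assumed for the example): a fixed, explicit shape.
    static final class Settings {
        String name;
        int timeout;
    }

    // Replacement: a StAX reader with DTD processing and external entities disabled,
    // walking only the elements the application defines. Any other element is an
    // error, never a method call.
    static Settings safeRead(byte[] untrusted) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = f.createXMLStreamReader(new ByteArrayInputStream(untrusted));
        try {
            Settings s = new Settings();
            r.nextTag(); // advance to the root element
            r.require(XMLStreamConstants.START_ELEMENT, null, "settings");
            while (r.nextTag() == XMLStreamConstants.START_ELEMENT) {
                String el = r.getLocalName();
                String text = r.getElementText(); // also consumes the child's END_ELEMENT
                switch (el) {
                    case "name":    s.name = text; break;
                    case "timeout": s.timeout = Integer.parseInt(text.trim()); break;
                    default: throw new XMLStreamException("unexpected element <" + el + ">");
                }
            }
            return s;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] doc = CONSTRUCTED_DOC.getBytes(StandardCharsets.UTF_8);
        System.out.println("XMLDecoder ran a method call and returned: " + vulnerableRead(doc));
        try {
            safeRead(doc); // root element is <java>, not <settings>
        } catch (XMLStreamException e) {
            System.out.println("StAX reader refused the document: " + e.getMessage());
        }
        byte[] good = "<settings><name>svc</name><timeout>30</timeout></settings>"
                .getBytes(StandardCharsets.UTF_8);
        Settings s = safeRead(good);
        System.out.println("parsed settings: " + s.name + " / " + s.timeout);
    }
}
```

The point of the replacement is not the particular parser but that the application, not the document, decides which types are built and which code runs.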

Option B: Avoid deserializing untrusted objects with ObjectInputStream

Object deserialization of untrusted data can lead to remote code execution if a class on the classpath (a so-called gadget) performs a dangerous operation while it is being deserialized.

Library developers tend to fix classes that were found to provide such a trigger, but classes that are known to cause a Denial of Service when deserialized remain.

Deserialization is a sensitive operation with a long history of vulnerabilities. The web application can become vulnerable as soon as a new gadget is found in the Java Virtual Machine or in any library on the classpath.

Detailed Instructions
  1. Go through the issues that GuardRails identified in the PR.

  2. Look for code that passes untrusted data to ObjectInputStream.

    public UserData deserializeObject(InputStream receivedFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(receivedFile)) {
            return (UserData) in.readObject(); // the cast runs only after the whole object graph has been built
        }
    }
  3. Follow the steps detailed here: Deserialization of untrusted data

  4. Test it

  5. Ship it 🚢 and relax 🌴
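The following is an added example, not code from the original page or from GuardRails. Where untrusted streams cannot be avoided, it shows the deserializeObject(...) method from step 2 hardened with a deserialization filter (java.io.ObjectInputFilter, available since Java 9) that allows exactly one application class, rejects everything else, and caps depth, reference count and stream size so a crafted stream cannot exhaust memory before the class check fires. The UserData class and the sample objects are constructed for the example; a HashMap stands in for a gadget class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class SafeDeserializationExample {

    // Constructed sample type: the only application class expected on the wire.
    public static final class UserData implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int id;
        UserData(String name, int id) { this.name = name; this.id = id; }
    }

    // Allowlist filter. Pattern semantics: listed names are allowed, "!*" rejects every
    // other class, and the limits bound the graph before any class is even looked up.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=4096;"
            + UserData.class.getName() + ";!*");

    // Hardened form of the deserializeObject(...) method on the page.
    public static UserData deserializeObject(InputStream receivedFile)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(receivedFile)) {
            in.setObjectInputFilter(FILTER); // must be set before the first readObject()
            Object o = in.readObject();
            if (!(o instanceof UserData)) {
                throw new InvalidObjectException("unexpected type " + o.getClass().getName());
            }
            return (UserData) o;
        }
    }

    // Helper used only to build test streams for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The expected payload passes the filter.
        UserData ok = deserializeObject(new ByteArrayInputStream(serialize(new UserData("alice", 7))));
        System.out.println("allowed: " + ok.name + "/" + ok.id);

        // Any other class on the stream (a HashMap here, standing in for a gadget) is
        // rejected with InvalidClassException before its own deserialization code runs.
        HashMap<String, String> notExpected = new HashMap<>();
        notExpected.put("k", "v");
        try {
            deserializeObject(new ByteArrayInputStream(serialize(notExpected)));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide with the jdk.serialFilter system property, which is the safer default when many call sites exist; on Java 8 the equivalent control is an ObjectInputStream subclass whose resolveClass override checks the class name against the allowlist before delegating.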

Option C: Avoid deserializing untrusted objects with Jackson

When the Jackson databind library is used incorrectly, deserializing untrusted data can lead to remote code execution if a class on the classpath can be abused as a gadget. The dangerous configurations are default typing (enableDefaultTyping()) and @JsonTypeInfo with Id.CLASS or Id.MINIMAL_CLASS, because both let the JSON document name the class that Jackson instantiates.

Detailed Instructions
  1. Go through the issues that GuardRails identified in the PR.

  2. Look for code like this:

    import java.io.IOException;
    import com.fasterxml.jackson.annotation.JsonTypeInfo;
    import com.fasterxml.jackson.databind.ObjectMapper;

    public class Example {
        static class ABean {
            public int id;
            public Object obj;
        }
        static class AnotherBean {
            @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) // or JsonTypeInfo.Id.MINIMAL_CLASS
            public Object obj;
        }
        public void example(String json) throws IOException {
            ObjectMapper mapper = new ObjectMapper();
            mapper.enableDefaultTyping(); // the JSON may name any class for "obj"
            mapper.readValue(json, ABean.class);
        }
        public void exampleTwo(String json) throws IOException {
            ObjectMapper mapper = new ObjectMapper();
            mapper.readValue(json, AnotherBean.class); // the type id in the JSON is a class name
        }
    }
  3. Explicitly define which types and subtypes may be used for a polymorphic property: annotate the base type with @JsonTypeInfo(use = JsonTypeInfo.Id.NAME), list the permitted implementations with @JsonSubTypes, and do not call enableDefaultTyping(). If default typing cannot be removed, use activateDefaultTyping with a PolymorphicTypeValidator that allows only your own types (Jackson 2.10 and later).

  4. Test it

  5. Ship it 🚢 and relax 🌴
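The following is an added example, not code from the original page or from GuardRails. It shows both remedies from step 3 applied to the two beans on the page: a closed Payload hierarchy with logical type names in place of AnotherBean's Id.CLASS, and, for a legacy Object-typed property like ABean's, default typing bounded by a BasicPolymorphicTypeValidator (Jackson 2.10 or later is assumed). The Payload, TextPayload, NumberPayload, Envelope and LegacyBean types and all JSON inputs are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicJackson {

    // Closed hierarchy: the only subtypes Jackson may instantiate for a Payload,
    // addressed by logical names rather than class names.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = TextPayload.class, name = "text"),
        @JsonSubTypes.Type(value = NumberPayload.class, name = "number")
    })
    public interface Payload {}

    public static final class TextPayload implements Payload { public String text; }
    public static final class NumberPayload implements Payload { public long value; }

    // Replacement for AnotherBean: the property's declared type is the closed interface.
    public static final class Envelope {
        public int id;
        public Payload payload;
    }

    // Stands in for ABean when an Object-typed property must be kept for compatibility.
    public static final class LegacyBean {
        public int id;
        public Object obj;
    }

    // Replacement for mapper.enableDefaultTyping(): default typing is still on, but the
    // validator admits only Payload implementations as subtypes; everything else is denied.
    static ObjectMapper restrictedDefaultTypingMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Payload.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // Constructed inputs for the NAME-based allowlist.
        String good = "{\"id\":1,\"payload\":{\"type\":\"text\",\"text\":\"hello\"}}";
        String unknown = "{\"id\":2,\"payload\":{\"type\":\"com.example.Gadget\",\"x\":1}}";

        Envelope e = mapper.readValue(good, Envelope.class);
        System.out.println("accepted: " + ((TextPayload) e.payload).text);
        try {
            mapper.readValue(unknown, Envelope.class);
        } catch (JsonMappingException ex) {
            // Unknown logical name: Jackson never tries to load a class by that string.
            System.out.println("rejected: " + ex.getOriginalMessage());
        }

        // Constructed inputs for validator-bounded default typing (WRAPPER_ARRAY form).
        ObjectMapper restricted = restrictedDefaultTypingMapper();
        String legacyGood = "{\"id\":3,\"obj\":[\"" + TextPayload.class.getName() + "\",{\"text\":\"hi\"}]}";
        String legacyBad = "{\"id\":4,\"obj\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        LegacyBean lb = restricted.readValue(legacyGood, LegacyBean.class);
        System.out.println("accepted: " + ((TextPayload) lb.obj).text);
        try {
            restricted.readValue(legacyBad, LegacyBean.class);
        } catch (JsonMappingException ex) {
            // The class exists on the classpath but is not a Payload, so the validator denies it.
            System.out.println("rejected: " + ex.getOriginalMessage());
        }
    }
}
```

Prefer the first form wherever the data model can be changed; the validator is a containment measure for code that still depends on default typing, and its allowlist should name your own types only, never broad packages.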

More information

Insecure XML Processing

Why is this important?

XML is a powerful format, and an XML parser that is abused by attackers can lead to a range of issues, such as:

  • Access to sensitive data
  • Denial of Service
  • Attacks against the internal network

Fixing XML Processing Issues

Option A: Prevent XML External Entity Attacks

XML External Entity (XXE) attacks can occur when an XML parser resolves external entities while processing XML received from an untrusted source.

Detailed Instructions
  1. Go through the issues that GuardRails identified in the PR.

  2. Look for code like this:

    public void parseXML(InputStream input) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        XMLStreamReader reader = factory.createXMLStreamReader(input);
        [...]
    }

    or:

    $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
  3. And replace it with this:

    public void parseXML(InputStream input) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = factory.createXMLStreamReader(input);
        [...]
    }

    or this:

    public void parseXML(InputStream input) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        XMLStreamReader reader = factory.createXMLStreamReader(input);
        [...]
    }

    Setting both properties on the same factory is the safest choice: SUPPORT_DTD=false stops DTD processing altogether, including internal entity declarations that can be used for entity-expansion Denial of Service, and IS_SUPPORTING_EXTERNAL_ENTITIES=false prevents external entity resolution on implementations that still accept a DTD.
  4. Test it

  5. Ship it 🚢 and relax 🌴
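The following is an added example, not code from the original page or from GuardRails. It goes beyond the StAX snippet in step 3 by hardening both a StAX XMLInputFactory and a DOM DocumentBuilderFactory, then feeding each a constructed XXE document whose entity points at a local file; the benign document parses normally while the XXE document is either rejected or left unexpanded, and the file is never opened. The class and method names and both documents are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed XXE document: the DTD declares an entity whose replacement text is the
    // contents of a local file, and the body references it. A parser that resolves
    // external entities would return that file's contents as the element text.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<data>&xxe;</data>";

    static final String BENIGN_DOC = "<data>hello</data>";

    // StAX (javax.xml.stream): disable DTD processing and external entity resolution.
    // Both property names are standard constants on XMLInputFactory.
    static XMLInputFactory hardenedStax() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // DOM (javax.xml.parsers): the same concern in a different API. Disallowing the
    // DOCTYPE outright is the strongest setting; the remaining features cover parsers
    // that are configured to accept a DTD anyway.
    static DocumentBuilderFactory hardenedDom() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Concatenates the character data the StAX reader reports for the whole document.
    static String staxText(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    static String domText(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("StAX benign: " + staxText(hardenedStax(), BENIGN_DOC));
        try {
            // With DTD support off the JDK reader reports the now-undeclared entity as a
            // fatal error; other implementations may instead leave it unexpanded. In
            // neither case is the file opened or its content returned.
            System.out.println("StAX XXE: parsed without expansion, text='"
                    + staxText(hardenedStax(), XXE_DOC) + "'");
        } catch (XMLStreamException e) {
            System.out.println("StAX XXE: rejected: " + e.getMessage());
        }

        System.out.println("DOM benign: " + domText(hardenedDom(), BENIGN_DOC));
        try {
            domText(hardenedDom(), XXE_DOC);
        } catch (SAXParseException e) {
            System.out.println("DOM XXE: rejected: " + e.getMessage());
        }
    }
}
```

Create the hardened factory once and reuse it; the property and feature calls are the part reviewers should look for, since a factory obtained with newInstance() or newFactory() and used unchanged has whatever defaults the implementation ships with.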

More information