All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.codemodder.codemods.HardenXMLDecoderCodemod.description.md Maven / Gradle / Ivy

The newest version!
This change hardens usage of Java's [`java.beans.XMLDecoder`](https://docs.oracle.com/en/java/javase/17/docs/api/java.desktop/java/beans/XMLDecoder.html) APIs to prevent remote code execution attacks.

The `XMLDecoder` type is meant to serialize Java beans to and from XML. It has a lot of power built into it, so it is not meant for use with untrusted data. If attackers can influence the XML being deserialized, they can execute arbitrary system commands with exploits [like this](https://github.com/mgeeky/Penetration-Testing-Tools/blob/master/web/java-XMLDecoder-RCE.md):

```xml


    
        
            
                /usr/bin/nc
            
            
                -l
            
            
                -p
            
            
                4444
            
            
                -e
            
            
                /bin/bash
            
        
        
        
    

```

Our change wraps all `InputStream` objects passed to `XMLDecoder` constructors with a wrapper that attempts to detect the deserialization of dangerous types (e..g, `java.lang.Runtime` for executing system commands, `java.io.FileOutputStream` for overwriting files, etc.). This is not a complete protection, because attackers could possibly build gadget chains that avoid direct invocation of these particular types to accomplish their goals, but it does raise the bar for exploitation. Here's what a typical change looks like:

```diff
+ import io.github.pixee.security.XMLDecoderSecurity;
  ...
- XMLDecoder decoder = new XMLDecoder(is);
+ XMLDecoder decoder = new XMLDecoder(XMLDecoderSecurity.hardenStream(is), null, null);
  AcmeOrder order = (AcmeOrder)decoder.readObject();
  return order;
```




© 2015 - 2024 Weber Informatics LLC | Privacy Policy