[Secure Coding] master: Deserialization: Warn about Java's java.beans.XMLDecoder (973d0c6)

Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master commit 973d0c68891d6943374c06f10bdccf82c12be549 Author: Florian Weimer <fweimer(a)redhat.com&gt; Date: Thu Aug 8 15:13:11 2013 +0200 Deserialization: Warn about Java's java.beans.XMLDecoder defensive-coding/en-US/Tasks/Serialization.xml | 31 ++++++++++++++++++++---- 1 files changed, 26 insertions(+), 5 deletions(-) diff --git a/defensive-coding/en-US/Tasks/Serialization.xml b/defensive-coding/en-US/Tasks/Serialization.xml index 3d4abb1..792ea94 100644 --- a/defensive-coding/en-US/Tasks/Serialization.xml +++ b/defensive-coding/en-US/Tasks/Serialization.xml @@ -70,7 +70,9 @@ Perl's <package>Storable</package> package </para></listitem> <listitem><para> - Java serialization (<type>java.io.ObjectInputStream</type>) + Java serialization (<type>java.io.ObjectInputStream</type>), + even if encoded in other formats (as with + <type>java.beans.XMLDecoder</type>) </para></listitem> <listitem><para> PHP serialization (<function>unserialize</function>) @@ -87,10 +89,13 @@ even when the data members have been manipulated. </para> <para> - JSON decoders do not suffer from this problem. But you must not - use the <function>eval</function> function to parse JSON objects - in Javascript; even with the regular expression filter from RFC - 4627, there are still information leaks remaining. + In general, JSON decoders do not suffer from this problem. But + you must not use the <function>eval</function> function to parse + JSON objects in Javascript; even with the regular expression + filter from RFC 4627, there are still information leaks + remaining. JSON-based formats can still turn out risky if they + serve as an encoding form for any if the serialization + frameworks listed above. </para> </section> @@ -420,6 +425,22 @@ xmlns:xi="http://www.w3.org/2001/XInclude" /> </example> </section> + <section id="sect-Defensive_Coding-Tasks-Serialization-XML-OpenJDK_Parse-Other"> + <title>Other XML parsers in OpenJDK</title> + <para> + OpenJDK contains additional XML parsing and processing + facilities. Some of them are insecure. + </para> + <para> + The class <type>java.beans.XMLDecoder</type> acts as a + bridge between the Java object serialization format and XML. + It is close to impossible to securely deserialize Java + objects in this format from untrusted inputs, so its use is + not recommended, as with the Java object serialization + format itself. See <xref + linkend="sect-Defensive_Coding-Tasks-Serialization-Library"/>. + </para> + </section> </section> </section>