java.lang.Object
    io.github.pixee.security.XMLDecoderSecurity

public final class XMLDecoderSecurity extends java.lang.Object

This type offers APIs to help secure the usage of XMLDecoder.
Method Summary

static java.io.InputStream    hardenStream(java.io.InputStream is)
    Wraps the stream in a circular byte buffer which looks for common exploit types in the inbound XML.
Method Detail

hardenStream

public static java.io.InputStream hardenStream(java.io.InputStream is)

This method wraps the stream in a circular byte buffer which looks for common exploit types in the inbound XML. This is far from a complete protection: there are an infinite number of ways to turn arbitrary code execution into meaningful exploitation. However, we provide some best-effort signaturing here, as it may prevent common attack payloads from succeeding.

There is no substitute for simply _not_ using XMLDecoder, as it is unsafe, even more unsafe than Java deserialization. Please consider using a serializer that is less featured on the "transformation" front, such as Jackson or Gson.

Parameters:
    is - the stream to wrap with a token-detecting protection

See Also:
    https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
    https://github.com/o2platform/DefCon_RESTing/blob/master/Demos/_O2_Scripts/XmlEncoder%20-%20Restlet/exploits/7a%20-%20Creating%20a%20File.xml
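The following is an added example, not code from the toolkit, of the kind of wrapper hardenStream describes and how it sits in front of XMLDecoder. It keeps a circular buffer of the most recent bytes read and compares the buffer tail against a list of forbidden tokens; on a match it throws SecurityException before the parser reaches the element that carried the token. The guard class `TokenScanningInputStream`, the token list, the SecurityException, and both XML documents (one benign, one shaped like the "Creating a File" exploit linked above, instantiating java.lang.ProcessBuilder) are constructed for this example and are assumptions, not the toolkit's documented internals.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;

public final class XmlDecoderGuardExample {

    /**
     * Illustrative stand-in for the wrapper hardenStream() returns (example code, not the
     * toolkit's implementation). Every byte passing through is appended to a circular buffer and
     * the buffer tail is compared with each forbidden token; a hit aborts the read.
     */
    static final class TokenScanningInputStream extends FilterInputStream {
        private final byte[][] tokens;
        private final byte[] ring;  // circular buffer: the most recently observed bytes
        private int head = 0;       // slot the next byte is written to
        private long seen = 0;      // bytes observed so far; avoids matching a half-filled ring

        TokenScanningInputStream(InputStream in, List<String> forbidden) {
            super(in);
            if (forbidden.isEmpty()) throw new IllegalArgumentException("need at least one token");
            tokens = forbidden.stream().map(t -> t.getBytes(StandardCharsets.UTF_8)).toArray(byte[][]::new);
            int longest = 0;
            for (byte[] t : tokens) longest = Math.max(longest, t.length);
            ring = new byte[longest];  // the ring only has to remember the longest token
        }

        @Override
        public int read() throws IOException {
            int b = super.read();
            if (b >= 0) observe((byte) b);
            return b;
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);  // FilterInputStream.read(byte[]) delegates here too
            for (int i = 0; i < n; i++) observe(buf[off + i]);
            return n;
        }

        private void observe(byte b) {
            ring[head] = b;
            head = (head + 1) % ring.length;
            seen++;
            for (byte[] t : tokens) {
                if (seen >= t.length && tailMatches(t)) {
                    throw new SecurityException("blocked XMLDecoder input containing \""
                            + new String(t, StandardCharsets.UTF_8) + "\"");
                }
            }
        }

        /** True when the t.length most recently observed bytes equal t. */
        private boolean tailMatches(byte[] t) {
            int start = (head - t.length + ring.length) % ring.length;
            for (int i = 0; i < t.length; i++) {
                if (ring[(start + i) % ring.length] != t[i]) return false;
            }
            return true;
        }
    }

    // Constructed sample: ordinary XMLEncoder output for an ArrayList holding one string.
    static final String BENIGN =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
          + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
          + " <object class=\"java.util.ArrayList\">\n"
          + "  <void method=\"add\"><string>hello</string></void>\n"
          + " </object>\n"
          + "</java>\n";

    // Constructed sample shaped like the linked exploit: it asks XMLDecoder to instantiate
    // java.lang.ProcessBuilder. The guard must trip before that element is processed.
    static final String HOSTILE =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
          + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
          + " <object class=\"java.lang.ProcessBuilder\">\n"
          + "  <array class=\"java.lang.String\" length=\"1\">\n"
          + "   <void index=\"0\"><string>id</string></void>\n"
          + "  </array>\n"
          + " </object>\n"
          + "</java>\n";

    /** Decodes through the guard. XMLDecoder parses lazily, so the check runs during readObject(). */
    static Object decode(InputStream raw, List<String> forbidden) {
        try (XMLDecoder decoder = new XMLDecoder(new TokenScanningInputStream(raw, forbidden))) {
            return decoder.readObject();
        }
    }

    public static void main(String[] args) {
        // Assumed token list for the example; the toolkit's own signatures are not documented here.
        List<String> forbidden = List.of("java.lang.Runtime", "java.lang.ProcessBuilder",
                                         "javax.script.ScriptEngineManager");

        Object ok = decode(new ByteArrayInputStream(BENIGN.getBytes(StandardCharsets.UTF_8)), forbidden);
        System.out.println("benign document decoded to: " + ok);

        try {
            decode(new ByteArrayInputStream(HOSTILE.getBytes(StandardCharsets.UTF_8)), forbidden);
            System.out.println("hostile document was NOT blocked");
        } catch (SecurityException e) {
            System.out.println("hostile document rejected: " + e.getMessage());
        }
    }
}
```

With the toolkit on the classpath the equivalent drop-in is `new XMLDecoder(XMLDecoderSecurity.hardenStream(raw))`. The example also shows why the Javadoc calls this best effort: the scan sees raw bytes, but XMLDecoder reads class names from parsed attribute values, so a document that spells the name with XML character references (for instance `&#82;untime` for `Runtime`) or a different declared encoding carries the same instruction without the literal token ever appearing on the wire. That gap is the reason the text recommends not using XMLDecoder at all rather than relying on the signatures.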