XMLDecoder usage

Bug Pattern: XML_DECODER

XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. This is possible because XMLDecoder supports arbitrary method invocation. This capability is intended to call setter methods, but in practice, any method can be called.

Malicious XML example:

  <?xml version="1.0" encoding="UTF-8" ?>
  <java version="1.4.0" class="java.beans.XMLDecoder">
    <object class="java.io.PrintWriter">
      <string>/tmp/Hacked.txt</string>
      <void method="println">
        <string>Hello World!</string>
      </void>
      <void method="close"/>
    </object>
  </java>

The XML document above causes XMLDecoder to instantiate a java.io.PrintWriter and call its methods, creating the file /tmp/Hacked.txt with the content “Hello World!”.

Vulnerable Code:

  XMLDecoder d = new XMLDecoder(in);
  try {
      Object result = d.readObject();
  }
  [...]

Solution:
The solution is to avoid using XMLDecoder to parse content from an untrusted source.
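As an added illustration of that advice (example code, not part of the original bug description), the following replaces the readObject() call with a plain DOM parser that copies two expected text values into a fixed data class. The <profile> document shape and the SafeProfileParser and Profile names are assumptions for the example; the document can supply values only, never a class to instantiate or a method to invoke.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class SafeProfileParser {
    /** Plain data holder; fields are set by our code, never chosen by the document. */
    public static final class Profile {
        public final String name;
        public final int age;
        Profile(String name, int age) { this.name = name; this.age = age; }
    }

    // Replaces "new XMLDecoder(in).readObject()" for a hypothetical document of the form
    // <profile><name>alice</name><age>30</age></profile>. The document can only supply
    // two text values; it cannot name a class to instantiate or a method to call.
    public static Profile parse(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting DOCTYPE also removes entity declarations, so swapping XMLDecoder
        // for a plain XML parser does not trade code execution for XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(in);
        Element root = doc.getDocumentElement();
        if (!"profile".equals(root.getTagName())) {
            throw new IllegalArgumentException("unexpected root element: " + root.getTagName());
        }
        String name = requiredText(root, "name");
        int age = Integer.parseInt(requiredText(root, "age"));
        if (age < 0 || age > 150) throw new IllegalArgumentException("age out of range: " + age);
        return new Profile(name, age);
    }

    private static String requiredText(Element parent, String tag) {
        NodeList nl = parent.getElementsByTagName(tag);
        if (nl.getLength() != 1) throw new IllegalArgumentException("expected exactly one <" + tag + ">");
        return nl.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        String xml = "<profile><name>alice</name><age>30</age></profile>"; // constructed sample
        Profile p = parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println(p.name + " is " + p.age);
    }
}
```

Fed the malicious document from above, parse() throws on the unexpected <java> root element; even if the root matched, no element name or attribute is ever resolved to a class or method.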

References
Dinis Cruz blog: Using XMLDecoder to execute server-side Java Code on an Restlet application
Red Hat blog: Java deserialization flaws: Part 2, XML deserialization
CWE-20: Improper Input Validation