From 00d5438963ccf40fd5bb12178a91e79b046c22d2 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Mon, 9 Dec 2024 03:19:00 +0000
Subject: [PATCH] Hardened XStream with a converter to prevent exploitation
---
pom.xml | 10 ++++++++++
.../VulnerableComponentsLesson.java | 2 ++
.../VulnerableComponentsLessonTest.java | 4 ++++
3 files changed, 16 insertions(+)
diff --git a/pom.xml b/pom.xml
index ba0e17fc7..a824e9abb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -149,6 +149,7 @@
1.4.5
1.8.0
+ 1.0.2
@@ -267,6 +268,11 @@
jruby
9.4.3.0
+
+ io.github.pixee
+ java-security-toolkit-xstream
+ ${versions.java-security-toolkit-xstream}
+
@@ -444,6 +450,10 @@
spring-boot-properties-migrator
runtime
+
+ io.github.pixee
+ java-security-toolkit-xstream
+
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
index ad1a91cc4..cb3062fc0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
@@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.vulnerablecomponents;
import com.thoughtworks.xstream.XStream;
+import io.github.pixee.security.xstream.HardeningConverter;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -39,6 +40,7 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint {
@PostMapping("/VulnerableComponents/attack1")
public @ResponseBody AttackResult completed(@RequestParam String payload) {
XStream xstream = new XStream();
+ xstream.registerConverter(new HardeningConverter());
xstream.setClassLoader(Contact.class.getClassLoader());
xstream.alias("contact", ContactImpl.class);
xstream.ignoreUnknownElements();
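Review bot: Registering `HardeningConverter` in `completed` changes what this assignment teaches — the class lives in the `vulnerablecomponents` lesson package and its endpoint is literally named `attack1`, so the deliberately exploitable XStream instance appears to be the teaching subject, and hardening it here will likely make the lesson unsolvable rather than fix a defect; this should be confirmed with the lesson's intent before merging. If hardening is in fact wanted, XStream's own type allowlist is the documented primary control and a converter should complement it rather than stand alone, e.g. `xstream.allowTypes(new Class[] {ContactImpl.class});` next to the existing `alias` call. Either way the decision deserves a comment on the `registerConverter` line explaining why a "vulnerable components" lesson configures a hardened parser. The body of `completed` (the `fromXML` call on `payload`) continues past the end of this hunk, so the payload handling itself is not visible here.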
diff --git a/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
index da802d98b..cdd6f2d29 100644
--- a/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
@@ -22,6 +22,7 @@
package org.owasp.webgoat.lessons.vulnerablecomponents;
+import io.github.pixee.security.xstream.HardeningConverter;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertThrows;
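Review bot: The new `import io.github.pixee.security.xstream.HardeningConverter;` is inserted ahead of the static-import group, whereas the same import in `VulnerableComponentsLesson.java` is placed alphabetically among the regular imports after `com.thoughtworks.xstream.XStream`; the two files now order imports differently. Moving this line into the regular-import block below the static imports keeps the ordering consistent and, if the project runs an import-order check in its build, avoids a formatting failure on this file.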
@@ -49,6 +50,7 @@ public class VulnerableComponentsLessonTest {
@Test
public void testTransformation() throws Exception {
XStream xstream = new XStream();
+ xstream.registerConverter(new HardeningConverter());
xstream.setClassLoader(Contact.class.getClassLoader());
xstream.alias("contact", ContactImpl.class);
xstream.ignoreUnknownElements();
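Review bot: Each test builds and hardens its own `XStream` instance, so after this change the tests verify a parser they configure themselves, not the one `VulnerableComponentsLesson.completed` configures — the production hardening on the lesson is never exercised by the test file, and the same setup sequence is now duplicated in four places (this hunk, the `testIllegalTransformation` hunk, the `testIllegalPayload` hunk, and the lesson). A package-private static factory on the lesson that performs the `new XStream()`, `registerConverter`, `setClassLoader`, `alias` and `ignoreUnknownElements` steps, with the tests calling `XStream xstream = VulnerableComponentsLesson.newXStream();`, would keep them in sync. Note also that `testIllegalTransformation` is `@Disabled`, so the line added there runs nowhere, and if `testIllegalPayload` asserts on a specific exception type or message from the malicious payload, the converter may now raise a different one; its assertions (outside this view) should be re-checked.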
@@ -59,6 +61,7 @@ public void testTransformation() throws Exception {
@Disabled
public void testIllegalTransformation() throws Exception {
XStream xstream = new XStream();
+ xstream.registerConverter(new HardeningConverter());
xstream.setClassLoader(Contact.class.getClassLoader());
xstream.alias("contact", ContactImpl.class);
xstream.ignoreUnknownElements();
@@ -72,6 +75,7 @@ public void testIllegalTransformation() throws Exception {
@Test
public void testIllegalPayload() throws Exception {
XStream xstream = new XStream();
+ xstream.registerConverter(new HardeningConverter());
xstream.setClassLoader(Contact.class.getClassLoader());
xstream.alias("contact", ContactImpl.class);
xstream.ignoreUnknownElements();