Annotation Interface XstreamSafeObjectField
Object-typed field as safe to populate during XStream deserialization.
By default, RobustReflectionConverter refuses to deserialize into
fields whose static type is Object. The risk is not that XStream's type filter
would admit something obviously dangerous, but that an Object field is an open
sink for any deserialized value that, once placed in the field, can reach Stapler
request routing (via getDynamic, doXxx, getXxx, etc.) and
act on behalf of the submitting user. Unlike classic Java deserialization gadgets, the
payload here is not a chain of readObject side effects but an ordinary,
JEP 200-approved object whose only role is to be reachable by Stapler after the fact.
SECURITY-3707 demonstrated this with InternalResourceRequest and PluginWrapper;
the set of types exposing such request-handling behavior is open-ended.
Apply this annotation only if you are confident in at least one of the following:
- Users cannot control what is written to the field — for instance, the
containing class is never populated from
config.xmlsubmissions or similar attacker-controlled input. - Values written to the field never reach Stapler dispatch — directly or via a routable enclosing object.
A more specific static type is always preferable to this annotation: narrowing the
field's type moves the check from a human claim to the compiler. Use this annotation
only when Object is genuinely required. Adding it is a security assertion
equivalent to extending a deserialization allowlist; a mistake reopens the
SECURITY-3707 attack surface.
For compatibility with plugins targeting older cores, the converter matches this
annotation by simple name. A plugin may declare its own @XstreamSafeObjectField
in any package; the contract above applies regardless. This is expected to be temporary,
plugins should switch to depend on an LTS release of Jenkins declaring this annotation
as soon as is feasible.
- Since:
- TODO
- See Also: