Hi Atlassian Developer Community,
We’re excited to announce the availability of the Blocklist XStream adapter—a new framework component designed to help you securely handle XML deserialization in your Jira or Confluence Data Center apps.
What is the Blocklist XStream Adapter?
The Blocklist XStream adapter is a library that enables safe XML deserialization by enforcing a blocklist of potentially dangerous classes. This helps mitigate security risks associated with XML parsing, such as remote code execution vulnerabilities.
Why is this important?
XML deserialization has historically been a source of critical security issues in Java applications. By adopting the XStream adapter, you can:
- Reduce the risk of deserialization attacks in your app.
- Align with Atlassian’s security best practices.
- Prepare for upcoming platform requirements around secure XML handling.
How can you use it?
The adapter is available for integration in both Jira and Confluence Data Center apps. It’s easy to adopt: simply update your XML parsing logic to use the XStream adapter as described in the documentation. The adapter comes with a default blocklist, but you can customize it to suit your app’s needs.
Simple example:
- Add the dependency to your Maven project:

    <dependency>
        <groupId>com.atlassian.security.serialblocklist</groupId>
        <artifactId>blocklist-xstream-adapter</artifactId>
        <version>${serialblocklist.version}</version>
        <scope>provided</scope>
    </dependency>

- Replace your XStream usage:
Instead of creating a standard XStream instance, use BlocklistRestrictedXStream:

    import com.atlassian.security.serialblocklist.xstream.BlocklistRestrictedXStream;
    import com.thoughtworks.xstream.XStream;

    // Create a secure XStream instance (the adapter applies its default blocklist)
    XStream xstream = new BlocklistRestrictedXStream();

    // Explicitly allow only your application's own types
    xstream.allowTypes(new Class<?>[] { MyDataClass.class, MyConfigClass.class });

    // Safe serialization/deserialization
    String xml = xstream.toXML(new MyDataClass());
    MyDataClass obj = (MyDataClass) xstream.fromXML(xml);
That’s it! By switching to BlocklistRestrictedXStream, your app will automatically block deserialization of dangerous types, helping to prevent common XML-based security vulnerabilities.
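To show the migration pattern end to end, here is an added example (not code from the announcement or from the Atlassian library): a single app-wide XStream instance built once from BlocklistRestrictedXStream, an explicit allowlist of the app's own types, a root-type check after deserialization, and a demonstration that XML naming a type outside the allowlist is refused. MyDataClass, NotAllowed and AppXStream are hypothetical names; the example assumes that BlocklistRestrictedXStream, like standard XStream 1.4.18 and later, rejects types that are neither allowed nor permitted by default and signals that with an XStreamException (ForbiddenClassException is a subclass), which you should confirm against the adapter's documentation.

```java
import com.atlassian.security.serialblocklist.xstream.BlocklistRestrictedXStream;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;

import java.util.Objects;

// Hypothetical app data type; any JavaBean-style class is handled the same way.
class MyDataClass {
    private String name;
    private int count;

    MyDataClass() { }

    MyDataClass(String name, int count) {
        this.name = name;
        this.count = count;
    }

    @Override
    public boolean equals(Object o) {
        if (!(o instanceof MyDataClass)) return false;
        MyDataClass other = (MyDataClass) o;
        return count == other.count && Objects.equals(name, other.name);
    }

    @Override
    public int hashCode() { return Objects.hash(name, count); }
}

// A type the app never intends to deserialize; used below to show rejection.
class NotAllowed {
    String payload;
}

public final class AppXStream {

    // One configured instance for the whole app: XStream is thread-safe once set up.
    private static final XStream XSTREAM = build();

    private static XStream build() {
        XStream xs = new BlocklistRestrictedXStream();
        // Allow exactly the types this app reads back; nothing else.
        xs.allowTypes(new Class<?>[] { MyDataClass.class });
        // Stable element name so the XML does not depend on the Java package.
        xs.alias("data", MyDataClass.class);
        return xs;
    }

    public static String toXml(MyDataClass value) {
        return XSTREAM.toXML(value);
    }

    // Check the root type instead of blindly casting, so a wrong document is
    // reported as bad input rather than as a ClassCastException deep in app code.
    public static MyDataClass fromXml(String xml) {
        Object root = XSTREAM.fromXML(xml);
        if (!(root instanceof MyDataClass)) {
            throw new IllegalArgumentException("unexpected root type: " + root.getClass().getName());
        }
        return (MyDataClass) root;
    }

    public static void main(String[] args) {
        // Round trip of an allowed type works as before.
        MyDataClass in = new MyDataClass("report", 3);
        MyDataClass out = fromXml(toXml(in));
        System.out.println("round trip equal: " + in.equals(out));

        // Constructed input naming a type that is not in the allowlist.
        String cls = NotAllowed.class.getName();
        String untrusted = "<" + cls + "><payload>x</payload></" + cls + ">";
        try {
            XSTREAM.fromXML(untrusted);
            System.out.println("unexpected: a type outside the allowlist was deserialized");
        } catch (XStreamException e) {
            // Assumed behaviour: the adapter refuses the type via XStream's security hooks.
            System.out.println("rejected as expected: " + e.getClass().getSimpleName());
        }
    }
}
```

Keep the allowlist as narrow as the app's real data model; widen it per class (or, for a whole package you own, with allowTypesByWildcard) rather than reverting to an unrestricted XStream when a type fails to load.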
Where can you find documentation?
For more advanced configuration and migration guidance, see the full documentation:
https://developer.atlassian.com/platform/framework/blocklist-xstream-adapter/
Get involved
We encourage all DC app developers to review the documentation and start integrating the Blocklist XStream adapter.
If you have questions, feedback, or run into issues, please reply to this topic or open a discussion in the community.
Let’s work together to make the Atlassian ecosystem more secure!