Fix #2032

cowtowncoder · cowtowncoder · commit 27b4defc2704 · 2018-05-10T18:18:32.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -4,6 +4,10 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
+2.7.9.4 (not yet released)
+
+#2032: Blacklist another serialization gadget (ibatis)
+
 2.7.9.3 (11-Feb-2018)
 
 #1872 `NullPointerException` in `SubTypeValidator.validateSubType` when
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -54,6 +54,8 @@ public class SubTypeValidator
         // [databind#1855]: more 3rd party
         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+        // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
+        s.add("org.apache.ibatis.parsing.XPathParser");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,8 @@ public class SubTypeValidator`
`54`	`54`	`// [databind#1855]: more 3rd party`
`55`	`55`	`s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");`
`56`	`56`	`s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");`
	`57`	`+ // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities`
	`58`	`+ s.add("org.apache.ibatis.parsing.XPathParser");`
`57`	`59`
`58`	`60`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`59`	`61`	`}`