
Commit 6ce32ff

committed
Fix #1599 for 2.7(.10)
1 parent 28ec8a4 commit 6ce32ff


3 files changed

+65
-0
lines changed


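--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -6,6 +6,8 @@ Project: jackson-databind
 
 2.7.10 (not yet released)
 
+#1599: Jackson Deserializer security vulnerability
+(reported by ayound@github)
 - Minor robustification of method resolution in `AnnotatedClass`
 
 2.7.9 (04-Feb-2017)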
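--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -139,6 +139,8 @@ public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ct
 if (!isPotentialBeanType(type.getRawClass())) {
 return null;
 }
+// For checks like [databind#1599]
+checkIllegalTypes(ctxt, type, beanDesc);
 // Use generic bean introspection to build deserializer
 return buildBeanDeserializer(ctxt, type, beanDesc);
 }
@@ -834,4 +836,25 @@ protected boolean isIgnorableType(DeserializationConfig config, BeanDescription
 // We default to 'false', i.e. not ignorable
 return (status == null) ? false : status.booleanValue();
 }
+
+/**
+* @since 2.8.9
+*/
+protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+BeanDescription beanDesc)
+throws JsonMappingException
+{
+// There are certain nasty classes that could cause problems, mostly
+// via default typing -- catch them here.
+Class<?> raw = type.getRawClass();
+String name = raw.getSimpleName();
+
+if ("TemplatesImpl".equals(name)) { // [databind#1599]
+if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+throw JsonMappingException.from(ctxt,
+String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+name));
+}
+}
+}
 }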
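Review bot: The Javadoc on the new `checkIllegalTypes` says `@since 2.8.9`, but this commit is for 2.7.10 according to the release note in the same change, so on this branch the tag points at the wrong version (presumably copied from the 2.8 backport); change it to `@since 2.7.10`. The method also needs more than a version tag: it rejects exactly one class, matched by simple name and then by the `com.sun.org.apache.xalan` package prefix, so readers should be told this is a targeted deny-list for a reported gadget and not a general guarantee that default typing on untrusted input is safe. Suggested Javadoc: `Helper method called to check whether given type is one that must never be deserialized for security reasons (currently a fixed deny-list, see [databind#1599]); throws {@link JsonMappingException} if so.` plus a `@throws JsonMappingException if the type is on the deny-list` entry. Whether other deserializer-construction paths that bypass `createBeanDeserializer` would also need this check cannot be determined from this hunk.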
Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
package com.fasterxml.jackson.databind.interop;
2+
3+
import com.fasterxml.jackson.databind.*;
4+
5+
/**
6+
* Test case(s) to guard against handling of types that are illegal to handle
7+
* due to security constraints.
8+
*/
9+
public class IllegalTypesCheckTest extends BaseMapTest
10+
{
11+
static class Bean1599 {
12+
public int id;
13+
public Object obj;
14+
}
15+
16+
public void testIssue1599() throws Exception
17+
{
18+
final String JSON = aposToQuotes(
19+
"{'id': 124,\n"
20+
+" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
21+
+" {\n"
22+
+" 'transletBytecodes' : [ 'AAIAZQ==' ],\n"
23+
+" 'transletName' : 'a.b',\n"
24+
+" 'outputProperties' : { }\n"
25+
+" }\n"
26+
+" ]\n"
27+
+"}"
28+
);
29+
ObjectMapper mapper = new ObjectMapper();
30+
mapper.enableDefaultTyping();
31+
try {
32+
mapper.readValue(JSON, Bean1599.class);
33+
fail("Should not pass");
34+
} catch (JsonMappingException e) {
35+
verifyException(e, "Illegal type");
36+
verifyException(e, "to deserialize");
37+
verifyException(e, "prevented for security reasons");
38+
}
39+
}
40+
}
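Review bot: The fixture in `testIssue1599` reproduces the reported configuration but nothing in the test says so, which matters because `mapper.enableDefaultTyping()` together with the `public Object obj` field on `Bean1599` is exactly the combination the fix targets; a comment on the `enableDefaultTyping()` line such as `// Default typing lets the JSON pick the concrete class for the Object-typed 'obj'; reproduces the #1599 report` would make the intent clear. The three `verifyException` calls each check a fragment of the same message; asserting the full `Illegal type (TemplatesImpl) to deserialize: prevented for security reasons` once would be shorter and would also catch a changed type name in the message.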
