codingchili / chili-core

Reactive framework for creating transport & storage-transparent microservices with Vert.x
https://codingchili.github.io/chili-core/
MIT License

configure default PolymorphicTypeValidator in jackson 11 #281

Closed codingchili closed 2 years ago

codingchili commented 2 years ago

This is an extra security precaution to block deserialization of classes that specify weakly typed or known vulnerable types.

This will guard against cases where the @JsonTypeInfo annotation is used with JsonTypeInfo.Id.CLASS or when polymorphic types are enabled by a user on the default mapper, used by vert.x, internally and through the Serializer utility. (Polymorphic deserialization is disabled by default and not recommended to be enabled.)

Use of Object.class is still allowed without the annotation and without enabling polymorphic types, in this case jackson chooses the implementation class (map, list or basic type) - this is not a security vulnerability and this behavior has not been changed.

See https://github.com/FasterXML/jackson-databind/issues/2587 for the list of classes that are blocked.
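Configuring such a validator on a plain Jackson ObjectMapper, as an added example that is not chili-core's own code: the `com.example.events` package, the `Event` types and the JSON samples are assumptions, and the validator is an allow-list so a type id outside the package is refused before the class is even resolved.

```java
package com.example.events;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PtvExample {

    // Assumed base type: the concrete class name travels in the payload as "@class".
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    public static abstract class Event { }

    public static class LoginEvent extends Event {
        public String account;
    }

    // Allow-list validator: only subtypes whose name starts with our own package
    // prefix may be instantiated from a type id carried in the payload.
    static PolymorphicTypeValidator validator() {
        return BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.events.")
            .build();
    }

    static ObjectMapper mapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Applies to @JsonTypeInfo(use = CLASS) and to default typing (Jackson 2.10+).
        mapper.setPolymorphicTypeValidator(validator());
        // Also refuse overly broad base types such as Object or Serializable (2.11+).
        mapper.enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = mapper();

        // Constructed sample: a type id inside the allow-list deserializes normally.
        String ok = "{\"@class\":\"" + LoginEvent.class.getName() + "\",\"account\":\"alice\"}";
        Event event = mapper.readValue(ok, Event.class);
        System.out.println("accepted: " + event.getClass().getSimpleName());

        // Constructed sample: a type id outside the allow-list fails with
        // InvalidTypeIdException; the named class is never loaded or instantiated.
        String rejected = "{\"@class\":\"java.util.ArrayList\"}";
        try {
            mapper.readValue(rejected, Event.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Logging the rejected type id, as in the catch block, gives a detection signal for payloads that attempt to name classes outside the expected package.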

codingchili commented 2 years ago

Fixed in 4a4ddb005db5b2015300c194ee2c85c107166af8