Fix #1599 for 2.7(.10)

FasterXML · Apr 13, 2017 · 6ce32ff · 6ce32ff · simith003 · Apr 17, 2017
1 parent 28ec8a4
commit 6ce32ff
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 0 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -6,6 +6,8 @@ Project: jackson-databind
 
 2.7.10 (not yet released)
 
+#1599: Jackson Deserializer security vulnerability
+ (reported by ayound@github)
 - Minor robustification of method resolution in `AnnotatedClass`
 
 2.7.9 (04-Feb-2017)

diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -139,6 +139,8 @@ public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ct
         if (!isPotentialBeanType(type.getRawClass())) {
             return null;
         }
+        // For checks like [databind#1599]
+        checkIllegalTypes(ctxt, type, beanDesc);
         // Use generic bean introspection to build deserializer
         return buildBeanDeserializer(ctxt, type, beanDesc);
     }
@@ -834,4 +836,25 @@ protected boolean isIgnorableType(DeserializationConfig config, BeanDescription
         // We default to 'false', i.e. not ignorable
         return (status == null) ? false : status.booleanValue(); 
     }
+
+    /**
+     * @since 2.8.9
+     */
+    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+            BeanDescription beanDesc)
+        throws JsonMappingException
+    {
+        // There are certain nasty classes that could cause problems, mostly
+        // via default typing -- catch them here.
+        Class<?> raw = type.getRawClass();
+        String name = raw.getSimpleName();
+
+        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
+            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+                throw JsonMappingException.from(ctxt,
+                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+                                name));
+            }
+        }
+    }
 }
diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
@@ -0,0 +1,40 @@
+package com.fasterxml.jackson.databind.interop;
+
+import com.fasterxml.jackson.databind.*;
+
+/**
+ * Test case(s) to guard against handling of types that are illegal to handle
+ * due to security constraints.
+ */
+public class IllegalTypesCheckTest extends BaseMapTest
+{
+    static class Bean1599 {
+        public int id;
+        public Object obj;
+    }
+
+    public void testIssue1599() throws Exception
+    {
+        final String JSON = aposToQuotes(
+ "{'id': 124,\n"
++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
++"  {\n"
++"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
++"    'transletName' : 'a.b',\n"
++"    'outputProperties' : { }\n"
++"  }\n"
++" ]\n"
++"}"
+        );
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            mapper.readValue(JSON, Bean1599.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            verifyException(e, "Illegal type");
+            verifyException(e, "to deserialize");
+            verifyException(e, "prevented for security reasons");
+        }
+    }
+}