From 6ce32ffd18facac6abdbbf559c817b47fcb622c1 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Thu, 13 Apr 2017 15:08:10 -0700
Subject: [PATCH] Fix #1599 for 2.7(.10)

---
 release-notes/VERSION | 2 +
 .../deser/BeanDeserializerFactory.java | 23 +++++++++++
 .../interop/IllegalTypesCheckTest.java | 40 +++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 573e710786..62f74650db 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -6,6 +6,8 @@ Project: jackson-databind
 2.7.10 (not yet released)
+#1599: Jackson Deserializer security vulnerability
+ (reported by ayound@github)
 - Minor robustification of method resolution in `AnnotatedClass`
 2.7.9 (04-Feb-2017)
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 9fcb68b4f6..ad37dd1700 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -139,6 +139,8 @@ public JsonDeserializer createBeanDeserializer(DeserializationContext ct
 if (!isPotentialBeanType(type.getRawClass())) {
 return null;
 }
+ // For checks like [databind#1599]
+ checkIllegalTypes(ctxt, type, beanDesc);
 // Use generic bean introspection to build deserializer
 return buildBeanDeserializer(ctxt, type, beanDesc);
 }
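Review bot: The call-site comment `// For checks like [databind#1599]` names the ticket but not the contract, so a reader of createBeanDeserializer cannot tell that the new line can abort deserializer construction by throwing, nor why it is placed after the isPotentialBeanType guard rather than before it. Suggest `// Defense-in-depth for default typing: reject target types that must never be materialized from input; throws JsonMappingException rather than returning null so no fallback deserializer is built for them`. As far as this hunk shows, the guard runs only on the bean-deserializer path; whether other deserializer-creation paths in this factory need the same call is not visible here and should be confirmed. createBeanDeserializer begins before this hunk.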
@@ -834,4 +836,25 @@ protected boolean isIgnorableType(DeserializationConfig config, BeanDescription
 // We default to 'false', i.e. not ignorable
 return (status == null) ? false : status.booleanValue();
 }
+
+ /**
+ * @since 2.8.9
+ */
+ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+ BeanDescription beanDesc)
+ throws JsonMappingException
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+ Class raw = type.getRawClass();
+ String name = raw.getSimpleName();
+
+ if ("TemplatesImpl".equals(name)) { // [databind#1599]
+ if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+ throw JsonMappingException.from(ctxt,
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+ name));
+ }
+ }
+ }
 }
diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
new file mode 100644
index 0000000000..1906eadb6a
--- /dev/null
+++ b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
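Review bot: The Javadoc tag `@since 2.8.9` on checkIllegalTypes does not match this backport, whose subject line and release-notes entry target 2.7.10; on this branch it should read `@since 2.7.10`. That tag is the method's only documentation, and the contract deserves stating: `@throws JsonMappingException if {@code type} is one that must never be instantiated from input, whether declared directly or selected via default typing`. The guard is a point fix keyed on one simple name plus a package prefix rather than a policy, and because the method is `protected` and not final a subclass can widen or drop it; both facts are worth a sentence in the Javadoc so a maintainer does not mistake this for a complete allow/deny mechanism, and so that operators understand the durable mitigation for untrusted input remains not enabling default typing. The `beanDesc` parameter is unused in the visible body; if it is reserved for subclass overrides, say so.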
@@ -0,0 +1,40 @@
+package com.fasterxml.jackson.databind.interop;
+
+import com.fasterxml.jackson.databind.*;
+
+/**
+ * Test case(s) to guard against handling of types that are illegal to handle
+ * due to security constraints.
+ */
+public class IllegalTypesCheckTest extends BaseMapTest
+{
+ static class Bean1599 {
+ public int id;
+ public Object obj;
+ }
+
+ public void testIssue1599() throws Exception
+ {
+ final String JSON = aposToQuotes(
+ "{'id': 124,\n"
++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
++" {\n"
++" 'transletBytecodes' : [ 'AAIAZQ==' ],\n"
++" 'transletName' : 'a.b',\n"
++" 'outputProperties' : { }\n"
++" }\n"
++" ]\n"
++"}"
+ );
+ ObjectMapper mapper = new ObjectMapper();
+ mapper.enableDefaultTyping();
+ try {
+ mapper.readValue(JSON, Bean1599.class);
+ fail("Should not pass");
+ } catch (JsonMappingException e) {
+ verifyException(e, "Illegal type");
+ verifyException(e, "to deserialize");
+ verifyException(e, "prevented for security reasons");
+ }
+ }
+}
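Review bot: testIssue1599 exercises only the rejection path, so the precision of the guard in checkIllegalTypes (simple name match followed by the package-prefix check) is untested: a regression that dropped the prefix check and rejected every class named TemplatesImpl would still pass this suite. A positive control would close that gap, for example (constructed) a nested `static class TemplatesImpl { }` in this test class and a second case that reads `aposToQuotes("{'id':1,'obj':['" + TemplatesImpl.class.getName() + "',{}]}")` into Bean1599 with default typing enabled and asserts it succeeds. The three verifyException substrings together cover the whole message produced by the main-code hunk, which is fine, but a short comment on the test such as `// Bean1599.obj is Object so the type id in the JSON selects the target class via default typing` would make clear why enableDefaultTyping() is the precondition being tested.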