Fix #1599 for 2.8.9
Merge branch '2.7' into 2.8
Showing 3 changed files with 91 additions and 1 deletion.
src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java (40 additions & 0 deletions)
@@ -0,0 +1,40 @@ | ||
package com.fasterxml.jackson.databind.interop; | ||
|
||
import com.fasterxml.jackson.databind.*; | ||
|
||
/** | ||
* Test case(s) to guard against handling of types that are illegal to handle | ||
* due to security constraints. | ||
*/ | ||
public class IllegalTypesCheckTest extends BaseMapTest | ||
{ | ||
static class Bean1599 { | ||
public int id; | ||
public Object obj; | ||
} | ||
|
||
public void testIssue1599() throws Exception | ||
{ | ||
final String JSON = aposToQuotes( | ||
"{'id': 124,\n" | ||
+" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n" | ||
+" {\n" | ||
+" 'transletBytecodes' : [ 'AAIAZQ==' ],\n" | ||
+" 'transletName' : 'a.b',\n" | ||
+" 'outputProperties' : { }\n" | ||
+" }\n" | ||
+" ]\n" | ||
+"}" | ||
); | ||
ObjectMapper mapper = new ObjectMapper(); | ||
mapper.enableDefaultTyping(); | ||
try { | ||
mapper.readValue(JSON, Bean1599.class); | ||
fail("Should not pass"); | ||
} catch (JsonMappingException e) { | ||
verifyException(e, "Illegal type"); | ||
verifyException(e, "to deserialize"); | ||
verifyException(e, "prevented for security reasons"); | ||
} | ||
} | ||
} |
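Review bot: the assertions in testIssue1599 couple the guard to one class name and to three message fragments (`verifyException(e, "Illegal type")`, `"to deserialize"`, `"prevented for security reasons"`), so a reworded message, or a regression for any other class the fix refuses, would pass unnoticed; consider iterating over every name on the deny list and asserting on the exception type (or a dedicated subclass) rather than on message substrings. A short note in the class Javadoc pointing at issue #1599 and at where the list of blocked types lives would also help the next person who, like the commenters below, finds this test before the fix itself.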
60d459c
So, if I want to update to 2.8.9, can I use dependency ways?
@JoyChou93 not sure I understand the question. 2.8.9 is not released yet; it may take a while since there are only 2 fixes so far. You can build a snapshot, or use one from Maven Central I think.
Hello there,
I was testing this issue in one application and I found this test, but I would like to know what it tries to do before executing it on the application. Could you please give me more information?
The test verifies that polymorphic deserialization cannot be used to execute malicious code.
There is a (relatively) well-known potential hole in certain versions of Apache Xalan, included in some versions of the JDK (Xalan itself on many, but newer versions have a patched version which does NOT have the problem), and the added code will not allow this class (or a couple of other potentially problematic ones) to be deserialized. Hope this helps. Check out the comments on issue 1599 for a link to one good article on the general problem (an article on possible security problems with a number of Java libraries).