Preliminary blocks for #2052: not actually sure if there is vuln via …

…gadgets, but they seem suspicious enough to block tentatively
FasterXML · Jun 1, 2018 · 7487cf7 · 7487cf7
1 parent 051bd5e
commit 7487cf7
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -60,6 +60,12 @@ public class SubTypeValidator
         // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
         s.add("org.apache.ibatis.parsing.XPathParser");
 
+        // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
+        //   and access attempt is made:
+        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+        s.add("jodd.db.connection.DataSourceConnectionProvider");
+        s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }