Backported CVE-2018-7489 (#3176)

Co-authored-by: Chin Wei Low <chinwei.low@persistent.com>
FasterXML · Jun 16, 2021 · ca2bfc8 · ca2bfc8
1 parent 2118e71
commit ca2bfc8
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 7 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -17,6 +17,7 @@ Backported all CVE fixes up to CVE-2021-20190
 #2986: Block 2 more gadget types (commons-dbcp2, CVE-2020-35490 / CVE-2020-35491)
 #2854: Block one more gadget type (javax.swing, CVE-2021-20190)
 #2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750)
+#1931: Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489)
 
 2.6.7.4 (25-Oct-2020)
 

diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -34,6 +34,10 @@ public class BeanDeserializerFactory
 {
     private static final long serialVersionUID = 1;
 
+    protected final static String PREFIX_SPRING = "org.springframework.";
+
+    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
+
     /**
      * Signature of <b>Throwable.initCause</b> method.
      */
@@ -1072,13 +1076,47 @@ private void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
     {
         // There are certain nasty classes that could cause problems, mostly
         // via default typing -- catch them here.
-        String full = type.getRawClass().getName();
+        final Class<?> raw = type.getRawClass();
+        String full = raw.getName();
 
-        if (_cfgIllegalClassNames.contains(full)) {
-            String message = String.format("Illegal type (%s) to deserialize: prevented for security reasons",
-                    full);
-            throw ctxt.mappingException("Invalid type definition for type %s: %s",
-                    beanDesc, message);
-        }
+        main_check:
+        do {
+            if (_cfgIllegalClassNames.contains(full)) {
+                break;
+            }
+
+            // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
+            //    for some Spring framework types
+            // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
+            if (raw.isInterface()) {
+                ;
+            } else if (full.startsWith(PREFIX_SPRING)) {
+                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
+                    String name = cls.getSimpleName();
+                    // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
+                    if ("AbstractPointcutAdvisor".equals(name)
+                            // ditto  for "FileSystemXmlApplicationContext": block all ApplicationContexts
+                            || "AbstractApplicationContext".equals(name)) {
+                        break main_check;
+                    }
+                }
+            } else if (full.startsWith(PREFIX_C3P0)) {
+                // [databind#1737]; more 3rd party
+                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+                // [databind#1931]; more 3rd party
+                // com.mchange.v2.c3p0.ComboPooledDataSource
+                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource 
+                if (full.endsWith("DataSource")) {
+                    break main_check;
+                }
+            }
+            return;
+        } while (false);
+
+        String message = String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+                full);
+        throw ctxt.mappingException("Invalid type definition for type %s: %s",
+                beanDesc, message);
     }
 }