-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Mark 1.0.0-SNAPSHOT and update README.
- Loading branch information
Showing
10 changed files
with
159 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
|
||
## dixmont | ||
|
||
Some useful extension classes for [jackson](https://github.com/FasterXML/jackson). | ||
|
||
### Features | ||
|
||
* Restricted JSON deserializer for preventing reflection-based serialization attacks. | ||
* Written in pure Java 17. | ||
* [OSGi](https://www.osgi.org/) ready. | ||
* [JPMS](https://en.wikipedia.org/wiki/Java_Platform_Module_System) ready. | ||
* ISC license. | ||
* High-coverage automated test suite. | ||
|
||
### Motivation | ||
|
||
Systems that use reflection to deserialize data are typically subject to | ||
[deserialization attacks](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html). | ||
The [jackson](https://github.com/FasterXML/jackson) JSON library is no | ||
exception to this. | ||
|
||
The `dixmont` package provides a blunt and brute-force means to reduce the | ||
impact of attacks: All of the permitted classes that can be deserialized are | ||
listed, and everything else is rejected. | ||
|
||
### Building | ||
|
||
``` | ||
$ mvn clean verify | ||
``` | ||
|
||
### Usage | ||
|
||
Create a restricted serializer that is permitted to deserialize only the | ||
given classes and no others, and then register it with an `ObjectMapper`: | ||
|
||
``` | ||
var serializers = | ||
DmJsonRestrictedDeserializers.builder() | ||
.allowClass(Optional.class) | ||
.allowClass(Path.class) | ||
.allowClass(String.class) | ||
.allowClass(URI.class) | ||
.allowClass(int.class) | ||
.allowClass(double.class) | ||
.allowClass(List.class) | ||
.allowClassName( | ||
"java.util.Optional<java.lang.Integer>") | ||
.allowClassName( | ||
"java.util.List<java.lang.String>") | ||
.build(); | ||
|
||
var mapper = | ||
JsonMapper.builder() | ||
.build(); | ||
|
||
final var simpleModule = new SimpleModule(); | ||
simpleModule.setDeserializers(this.serializers); | ||
mapper.registerModule(simpleModule); | ||
``` | ||
|
||
Parser code using the given `ObjectMapper` will be prevented from deserializing | ||
values of anything other than the given classes. Hostile JSON text that attempts | ||
to get the deserializer to instantiate other classes will fail. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters