Using unsafe Jackson deserialization configuration is security-sensitive #11096
Comments
Hi @eleftherias, I can take this if @rwinch is overloaded :)
Should I fix this and choose one common usage? |
I have a concern about doing it like this: if a customer has 2 replicas of their application, application-1 and application-2, they share the session but use different spring-security versions (canary release). The |
As far as I can see, they should rely on |
A few things:
Given the information above this is not a priority for the Security team at this time. However, if someone is interested in submitting a PR to change this behavior, we can consider it for Spring Security 6 as a breaking change. If someone is interested, the best place to start is to say you would like to work on the issue. Then put together a draft PR with changes to a single class. Please keep in mind that existing tests should pass except for changing the type information to be a name instead of a class. |
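The change the maintainer describes above (a name-based type id in place of a class-based one), shown as an added, self-contained example; this is not code from spring-security or from anyone in this thread. The `Credential` hierarchy, the two mixin classes and the sample JSON documents are constructed for illustration. It uses only public Jackson APIs (`@JsonTypeInfo`, `@JsonSubTypes`, `ObjectMapper.addMixIn`, `ObjectMapper.setPolymorphicTypeValidator`, `BasicPolymorphicTypeValidator`), which need jackson-databind 2.10 or later. Beyond the NAME switch itself, it also shows the middle ground for the mixed-version replica concern raised in the thread: keeping `Id.CLASS` on the wire but restricting which classes an id may resolve to.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class TypeIdHardeningDemo {

    // Constructed domain type, deserialized polymorphically (think: a value
    // stored in a shared HTTP session that several replicas read back).
    public abstract static class Credential {
        public String clientId;
    }

    public static class PasswordCredential extends Credential {
        public String secret;
    }

    // A subtype the application never intends to build from untrusted JSON.
    public static class DebugCredential extends Credential {
        public String dumpPath;
    }

    // BEFORE: the pattern Sonar rule S4544 flags. The serialized document
    // carries a fully qualified class name, so whoever writes the JSON chooses
    // which class Jackson instantiates (any subtype of the declared base type).
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
    abstract static class ClassIdMixin {
    }

    // AFTER: logical type names plus an explicit subtype list. A name that is
    // not listed fails with InvalidTypeIdException; no Class.forName lookup
    // is driven by the input.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "@type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = PasswordCredential.class, name = "password") })
    abstract static class NameIdMixin {
    }

    static ObjectMapper classIdMapper() {
        return new ObjectMapper().addMixIn(Credential.class, ClassIdMixin.class);
    }

    static ObjectMapper nameIdMapper() {
        return new ObjectMapper().addMixIn(Credential.class, NameIdMixin.class);
    }

    // Middle ground when CLASS ids must stay on the wire (e.g. while replicas on
    // different versions share a session): keep Id.CLASS but only allow the ids
    // to resolve to listed classes. setPolymorphicTypeValidator applies to
    // annotation-based polymorphic types (Jackson 2.10+); default typing has
    // its own validator argument on activateDefaultTyping.
    static ObjectMapper restrictedClassIdMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(PasswordCredential.class)
                .build();
        return new ObjectMapper()
                .setPolymorphicTypeValidator(ptv)
                .addMixIn(Credential.class, ClassIdMixin.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: the writer of the JSON picks DebugCredential.
        String attackerChosen = "{\"@class\":\"" + DebugCredential.class.getName()
                + "\",\"clientId\":\"app\",\"dumpPath\":\"/tmp/x\"}";

        // 1. Id.CLASS, unrestricted: the input decides; DebugCredential is built.
        Credential c1 = classIdMapper().readValue(attackerChosen, Credential.class);
        System.out.println("Id.CLASS built: " + c1.getClass().getSimpleName());

        // 2. Id.CLASS + validator: the same payload is rejected.
        try {
            restrictedClassIdMapper().readValue(attackerChosen, Credential.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("Id.CLASS + validator rejected: " + e.getTypeId());
        }

        // 3. Id.NAME: only the listed name resolves; "debug" is not a known id.
        ObjectMapper named = nameIdMapper();
        Credential c3 = named.readValue(
                "{\"@type\":\"password\",\"clientId\":\"app\",\"secret\":\"s\"}", Credential.class);
        System.out.println("Id.NAME built: " + c3.getClass().getSimpleName());
        try {
            named.readValue("{\"@type\":\"debug\",\"clientId\":\"app\"}", Credential.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("Id.NAME rejected unknown name: " + e.getTypeId());
        }
    }
}
```

Run it with jackson-databind on the classpath. The NAME variant changes the serialized form (`@type` with a logical name instead of `@class` with a class name), which is why data written by one version cannot be read by the other and why the maintainer treats the switch as a breaking change; the validator variant keeps the wire format and is the option that can be rolled out without coordinating replicas.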
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed. |
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue. |
Context
A code analysis tool reported a problem in spring-security.
Related Code:
https://github.com/spring-projects/spring-security/blob/5.6.2/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationMixin.java#L36-L43
Problem
Refs: https://rules.sonarsource.com/java/RSPEC-4544