Advice on whitelisting


Mark Raynsford

Mar 27, 2020, 4:27:33 PM
to jackso...@googlegroups.com
Hello!

I'm using Jackson to consume data returned by the AdoptOpenJDK API [0].
This JSON doesn't contain type annotations, but I do know all of the
types ahead of time thanks to their publishing of a schema via Swagger.

I've defined the set of types published by the API:

https://raw.githubusercontent.com/AdoptOpenJDK/openjdk-api-java-client/feature/v3/net.adoptopenjdk.v3.vanilla/src/main/java/net/adoptopenjdk/v3/vanilla/AOV3AST.java

Deserializing values of these types works correctly when using an object
mapper that uses nearly the default settings:

https://raw.githubusercontent.com/AdoptOpenJDK/openjdk-api-java-client/feature/v3/net.adoptopenjdk.v3.vanilla/src/main/java/net/adoptopenjdk/v3/vanilla/AOV3ObjectMappers.java

However, for reasons of paranoia, I'd now like to configure the object
mapper such that the set of types it is allowed to deserialize is
fixed. In other words: A deserialization whitelist. Specifically, the
whitelist would look like this:

net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3ReleaseNamesJSON
net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3AvailableReleasesJSON
net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3ReleaseVersionJSON
net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3ReleaseVersionsJSON
net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3InstallerJSON
net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3PackageJSON
net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3BinaryJSON
net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3SourceJSON
net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3ReleaseJSON
java.math.BigInteger
java.net.URI
java.util.List

Additionally, I'd need one concrete List implementation, but I'm not
sure which that would be. I'm happy to use whatever Jackson is choosing
internally.

What is the most efficient way to set up this whitelist?

--
Mark Raynsford | http://www.io7m.com

[0] https://api.adoptopenjdk.net/swagger-ui/#/

Tatu Saloranta

Mar 28, 2020, 8:24:44 PM
to jackson-user
Jackson does not have out-of-the-box support for whitelisting all
types allowed for general use; it only supports this for validating
polymorphic deserialization (which is explained f.ex in
https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba).

But if you want, you should be able to implement this relatively
easily by registering `Deserializers` (custom provider for
deserializers) that will verify that type for which deserializer is
needed is legit (class from list you define), and throws `Exception`
if not, return `null` if it is (to let default JsonDeserializer be
used).
Provider needs to be added by a `Module` using `ObjectMapper.registerModule()`.

Simplest way to do that would probably be to subclass
`SimpleDeserializers`, override `_find(JavaType)` method, then
construct `SimpleModule`, call `setDeserializers(...)`, register
resulting module.

I hope this helps,

-+ Tatu +-
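A sketch of the provider Tatu describes, added here as an example and not code from the thread or from the openjdk-api-java-client project. It extends `Deserializers.Base` and overrides its public `find*` hooks instead of `SimpleDeserializers._find`, wires the provider in with `SimpleModule.setDeserializers` and `registerModule`, and assumes the caller passes the class set from the first post (the `AOV3AST` types, `BigInteger`, `URI`, `List`); the class name `AllowListDeserializers` is hypothetical.

```java
import java.io.Closeable;
import java.util.Set;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.deser.Deserializers;
import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.type.CollectionType;
import com.fasterxml.jackson.databind.type.MapType;

/** Deserializers provider that rejects any type not on a fixed allow list. */
public final class AllowListDeserializers extends Deserializers.Base {
  private final Set<Class<?>> allowed;
  public AllowListDeserializers(Set<Class<?>> allowed) {
    this.allowed = Set.copyOf(allowed);
  }
  // null means "no custom deserializer", so Jackson falls back to its default one;
  // throwing aborts the lookup before any instance of the foreign type is built.
  // Primitives and String are allowed implicitly; boxed scalars must be listed.
  private JsonDeserializer<?> check(Class<?> raw) throws JsonMappingException {
    if (raw.isPrimitive() || raw == String.class || allowed.contains(raw)) {
      return null;
    }
    throw new JsonMappingException((Closeable) null,
        "Deserialization of " + raw.getName() + " is not permitted");
  }
  @Override public JsonDeserializer<?> findBeanDeserializer(JavaType t,
      DeserializationConfig c, BeanDescription d) throws JsonMappingException {
    return check(t.getRawClass());
  }
  // Consulted with the declared type (java.util.List), so listing List is enough;
  // the element type is checked separately when its own deserializer is resolved.
  @Override public JsonDeserializer<?> findCollectionDeserializer(CollectionType t,
      DeserializationConfig c, BeanDescription d, TypeDeserializer td,
      JsonDeserializer<?> ed) throws JsonMappingException {
    return check(t.getRawClass());
  }
  // The array, enum, reference and map-like hooks on Deserializers.Base still
  // return null (allow) and must be overridden the same way for a strict list.
  @Override public JsonDeserializer<?> findMapDeserializer(MapType t,
      DeserializationConfig c, BeanDescription d, KeyDeserializer kd,
      TypeDeserializer td, JsonDeserializer<?> ed) throws JsonMappingException {
    return check(t.getRawClass());
  }
  // Registers the provider through a SimpleModule, as the reply above describes.
  public static ObjectMapper mapperFor(Set<Class<?>> allowed) {
    SimpleModule module = new SimpleModule("type-allow-list");
    module.setDeserializers(new AllowListDeserializers(allowed));
    return new ObjectMapper().registerModule(module);
  }
}
```

Because the hooks see every field type the beans declare, any boxed scalar such as `Integer` or `Boolean` used by the `AOV3AST` types has to be added to the set alongside the classes in the original list.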

Mark Raynsford

Mar 29, 2020, 10:42:58 AM
to Tatu Saloranta, jackso...@googlegroups.com
On 2020-03-28T17:24:31 -0700
Tatu Saloranta <ta...@fasterxml.com> wrote:
>
> Jackson does not have out-of-the-box support for whitelisting all
> types allowed for general use; it only supports this for validating
> polymorphic deserialization (which is explained f.ex in
> https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba).

Yep, this was the post I read originally but couldn't work out if it
applied to me. It seems like it doesn't, given that I can't get type
annotations into the input JSON.

> But if you want, you should be able to implement this relatively
> easily by registering `Deserializers` (custom provider for
> deserializers) that will verify that type for which deserializer is
> needed is legit (class from list you define), and throws `Exception`
> if not, return `null` if it is (to let default JsonDeserializer be
> used).
> Provider needs to be added by a `Module` using `ObjectMapper.registerModule()`.
>
> Simplest way to do that would probably be to subclass
> `SimpleDeserializers`, override `_find(JavaType)` method, then
> construct `SimpleModule`, call `setDeserializers(...)`, register
> resulting module.

Sounds good, thanks! I'll give it a shot.

Tatu Saloranta

Mar 29, 2020, 1:28:15 PM
to Mark Raynsford, jackson-user
On Sun, Mar 29, 2020 at 7:42 AM Mark Raynsford
<list+com.faster...@io7m.com> wrote:
>
> On 2020-03-28T17:24:31 -0700
> Tatu Saloranta <ta...@fasterxml.com> wrote:
> >
> > Jackson does not have out-of-the-box support for whitelisting all
> > types allowed for general use; it only supports this for validating
> > polymorphic deserialization (which is explained f.ex in
> > https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba).
>
> Yep, this was the post I read originally but couldn't work out if it
> applied to me. It seems like it doesn't, given that I can't get type
> annotations into the input JSON.

Right. And you really shouldn't, unless it is actually needed.
Static type safety has its benefits, esp. in preventing possibility of
attacker abusing types outside of your class definitions.

> > But if you want, you should be able to implement this relatively
> > easily by registering `Deserializers` (custom provider for
> > deserializers) that will verify that type for which deserializer is
> > needed is legit (class from list you define), and throws `Exception`
> > if not, return `null` if it is (to let default JsonDeserializer be
> > used).
> > Provider needs to be added by a `Module` using `ObjectMapper.registerModule()`.
> >
> > Simplest way to do that would probably be to subclass
> > `SimpleDeserializers`, override `_find(JavaType)` method, then
> > construct `SimpleModule`, call `setDeserializers(...)`, register
> > resulting module.
>
> Sounds good, thanks! I'll give it a shot.

Good luck!

-+ Tatu +-