[Feedback wanted] It would be good if BasicPolymorphicTypeValidator blocked Object and Serializable by default.
8 views
Skip to first unread message
Joe B
Oct 5, 2019, 2:12:19 PM10/5/19
to jackson-dev
Cross posting from https://github.com/FasterXML/jackson-databind/issues/2483 .
That way it is flagging to the developer that they are doing something insecure and that they should think again.
First thank you for addressing the polymorphic deserialization vulnerabilities.
But in 2.10, by a dev doing something like
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder() .allowIfSubType(Object.class/Serializable.class) .build();
It is possible to enable all classes to be allowed to be deserialized. While it is not possible to completely block this, (someone could write their own validator ). In reality they are unlikely to and most will use your BasicPolymorphicTypeValidator. So to help make it more secure from developers that don't understand the potential vulnerabilities they are adding. I thought it might be useful to not allow the above whitelisting of everything, ( if that is set thrown an exception ). But allow it using it's own method call, something like
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder() .allowSubType_Insecure(Object.class/Serializable.class) .build();
That way it is flagging to the developer that they are doing something insecure and that they should think again.
Artem Smotrakov
Oct 28, 2019, 1:54:03 PM10/28/19
to jackson-dev
> I thought it might be useful to not allow the above whitelisting of everything
Sounds like a good idea to me.
Artem
Reply all
Reply to author
Forward
0 new messages