to jackso...@googlegroups.com
Hello!
I'm using Jackson to consume data returned by the AdoptOpenJDK API [0].
This JSON doesn't contain type annotations, but I do know all of the
types ahead of time thanks to their publishing of a schema via Swagger.
I've defined the set of types published by the API:
However, for reasons of paranoia, I'd now like to configure the object
mapper such that the set of types it is allowed to deserialize is
fixed. In other words: A deserialization whitelist. Specifically, the
whitelist would look like this:
Additionally, I'd need one concrete List implementation, but I'm not
sure which that would be. I'm happy to use whatever Jackson is choosing
internally.
What is the most efficient way to set up this whitelist?
But if you want, you should be able to implement this relatively
easily by registering `Deserializers` (a custom provider for
deserializers) that will verify that the type for which a deserializer is
needed is legit (a class from the list you define), and throw an `Exception`
if not, or return `null` if it is (to let the default JsonDeserializer be
used).
The provider needs to be added by a `Module` using `ObjectMapper.registerModule()`.
Simplest way to do that would probably be to subclass
`SimpleDeserializers`, override `_find(JavaType)` method, then
construct `SimpleModule`, call `setDeserializers(...)`, register
resulting module.
I hope this helps,
-+ Tatu +-
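As an added illustration of the wiring described above (this is example code written for this page, not Tatu's code and not part of jackson-databind), assuming jackson-databind 2.x and Java 10+: a `SimpleDeserializers` subclass that throws for any type outside a fixed allow-list and otherwise returns `null` so Jackson's default deserializer is used, plugged into a `SimpleModule` via `setDeserializers(...)` and registered on the mapper. The check sits in the public `find*` methods rather than in `_find(JavaType)` so it does not depend on that method's visibility in a given release. `Release`, `Binary`, the JSON document and the `AllowListDeserializers`/`allowListedMapper` names are constructed stand-ins, not the AdoptOpenJDK schema.

```java
import java.io.Closeable;
import java.util.List;
import java.util.Map;
import java.util.Set;
import com.fasterxml.jackson.databind.BeanDescription;
import com.fasterxml.jackson.databind.DeserializationConfig;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.KeyDeserializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
import com.fasterxml.jackson.databind.module.SimpleDeserializers;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.type.ArrayType;
import com.fasterxml.jackson.databind.type.CollectionType;
import com.fasterxml.jackson.databind.type.MapType;

public final class AllowListDemo {

    /** Refuses to resolve a deserializer for any type outside a fixed allow-list (hypothetical class). */
    public static final class AllowListDeserializers extends SimpleDeserializers {
        private final Set<Class<?>> allowed;

        AllowListDeserializers(Set<Class<?>> allowed) { this.allowed = Set.copyOf(allowed); }

        // Throw for a type not on the list. For a listed type, defer to SimpleDeserializers, which
        // returns null here (no explicit mappings were added), so Jackson's default deserializer is used.
        private void check(Class<?> raw) throws JsonMappingException {
            if (!allowed.contains(raw)) {
                throw new JsonMappingException((Closeable) null,
                        "Refusing to deserialize type not on the allow-list: " + raw.getName());
            }
        }
        @Override
        public JsonDeserializer<?> findBeanDeserializer(JavaType type, DeserializationConfig config,
                BeanDescription beanDesc) throws JsonMappingException {
            check(type.getRawClass());
            return super.findBeanDeserializer(type, config, beanDesc);
        }
        @Override
        public JsonDeserializer<?> findEnumDeserializer(Class<?> type, DeserializationConfig config,
                BeanDescription beanDesc) throws JsonMappingException {
            check(type);
            return super.findEnumDeserializer(type, config, beanDesc);
        }
        @Override
        public JsonDeserializer<?> findArrayDeserializer(ArrayType type, DeserializationConfig config,
                BeanDescription beanDesc, TypeDeserializer elemTypeDeser, JsonDeserializer<?> elemDeser)
                throws JsonMappingException {
            check(type.getRawClass());
            return super.findArrayDeserializer(type, config, beanDesc, elemTypeDeser, elemDeser);
        }
        @Override
        public JsonDeserializer<?> findCollectionDeserializer(CollectionType type, DeserializationConfig config,
                BeanDescription beanDesc, TypeDeserializer elemTypeDeser, JsonDeserializer<?> elemDeser)
                throws JsonMappingException {
            check(type.getRawClass());
            return super.findCollectionDeserializer(type, config, beanDesc, elemTypeDeser, elemDeser);
        }
        @Override
        public JsonDeserializer<?> findMapDeserializer(MapType type, DeserializationConfig config,
                BeanDescription beanDesc, KeyDeserializer keyDeser, TypeDeserializer elemTypeDeser,
                JsonDeserializer<?> elemDeser) throws JsonMappingException {
            check(type.getRawClass());
            return super.findMapDeserializer(type, config, beanDesc, keyDeser, elemTypeDeser, elemDeser);
        }
    }

    // Constructed stand-in beans; not the AdoptOpenJDK schema.
    public static final class Binary { public String os; public String architecture; }
    public static final class Release { public String release_name; public List<Binary> binaries; }

    /** Wires the provider into a Module and registers it, as described in the thread. */
    public static ObjectMapper allowListedMapper(Set<Class<?>> allowed) {
        SimpleModule module = new SimpleModule("deserialization-allow-list");
        module.setDeserializers(new AllowListDeserializers(allowed));
        return new ObjectMapper().registerModule(module);
    }

    public static void main(String[] args) throws Exception {
        // Every type Jackson resolves a deserializer for must be listed: the beans, the declared
        // collection interface (Jackson chooses the concrete List itself) and the scalar field types.
        Set<Class<?>> allowed = Set.of(Release.class, Binary.class, List.class, String.class);
        ObjectMapper mapper = allowListedMapper(allowed);

        // Constructed sample document in the shape of the beans above.
        String json = "{\"release_name\":\"jdk-11.0.6+10\",\"binaries\":"
                + "[{\"os\":\"linux\",\"architecture\":\"x64\"}]}";
        Release release = mapper.readValue(json, Release.class);            // accepted
        System.out.println(release.release_name + " / " + release.binaries.get(0).os);

        try {
            mapper.readValue(json, Map.class);                              // java.util.Map is not listed
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Two practical points when adapting this: the list has to name every type the mapper will ever resolve, including wrapper and primitive types used by the beans (and, in the Jackson default, the `List` interface is enough, since the concrete implementation is chosen internally after the custom provider is consulted); and the example leaves `findTreeNodeDeserializer`, `findReferenceDeserializer` and the `*LikeDeserializer` variants untouched, so a deployment that reads into `JsonNode`, `Optional`-style reference types or third-party collection types should override those as well, or the check is bypassed for them.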
Mark Raynsford
Mar 29, 2020, 10:42:58 AM
Yep, this was the post I read originally but couldn't work out if it
applied to me. It seems like it doesn't, given that I can't get type
annotations into the input JSON.
> But if you want, you should be able to implement this relatively
> easily by registering `Deserializers` (a custom provider for
> deserializers) that will verify that the type for which a deserializer is
> needed is legit (a class from the list you define), and throw an `Exception`
> if not, or return `null` if it is (to let the default JsonDeserializer be
> used).
> The provider needs to be added by a `Module` using `ObjectMapper.registerModule()`.
>
> Simplest way to do that would probably be to subclass
> `SimpleDeserializers`, override `_find(JavaType)` method, then
> construct `SimpleModule`, call `setDeserializers(...)`, register
> resulting module.
to Mark Raynsford, jackson-user
On Sun, Mar 29, 2020 at 7:42 AM Mark Raynsford
<list+com.faster...@io7m.com> wrote:
>
> On 2020-03-28T17:24:31 -0700
> Tatu Saloranta <ta...@fasterxml.com> wrote:
> >
> > Jackson does not have out-of-the-box support for whitelisting all
> > types allowed for general use; it only supports this for validating
> > polymorphic deserialization (which is explained f.ex in
> > https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba).
>
> Yep, this was the post I read originally but couldn't work out if it
> applied to me. It seems like it doesn't, given that I can't get type
> annotations into the input JSON.
Right. And you really shouldn't, unless it is actually needed.
Static type safety has its benefits, esp. in preventing possibility of
attacker abusing types outside of your class definitions.
> > But if you want, you should be able to implement this relatively
> > easily by registering `Deserializers` (a custom provider for
> > deserializers) that will verify that the type for which a deserializer is
> > needed is legit (a class from the list you define), and throw an `Exception`
> > if not, or return `null` if it is (to let the default JsonDeserializer be
> > used).
> > The provider needs to be added by a `Module` using `ObjectMapper.registerModule()`.
> >
> > Simplest way to do that would probably be to subclass
> > `SimpleDeserializers`, override `_find(JavaType)` method, then
> > construct `SimpleModule`, call `setDeserializers(...)`, register
> > resulting module.
>
> Sounds good, thanks! I'll give it a shot.