From 2235894210c75f624a3d0cd60bfb0434a20a18bf Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Mon, 18 Dec 2017 21:41:51 -0800
Subject: [PATCH] Fix #1855
---
.../databind/deser/BeanDeserializerFactory.java | 54 ++----------
.../databind/jsontype/impl/SubTypeValidator.java | 98 ++++++++++++++++++++++
2 files changed, 103 insertions(+), 49 deletions(-)
create mode 100644 src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 217ffd9c6..b462c0c74 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -12,6 +12,7 @@
import com.fasterxml.jackson.databind.deser.std.ThrowableDeserializer;
import com.fasterxml.jackson.databind.introspect.*;
import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
+import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator;
import com.fasterxml.jackson.databind.util.ArrayBuilders;
import com.fasterxml.jackson.databind.util.ClassUtil;
import com.fasterxml.jackson.databind.util.SimpleBeanPropertyDefinition;
@@ -40,44 +41,6 @@
private final static Class<?>[] NO_VIEWS = new Class<?>[0];
- /**
- * Set of well-known "nasty classes", deserialization of which is considered dangerous
- * and should (and is) prevented by default.
- */
- protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
- static {
- Set<String> s = new HashSet<String>();
- // Courtesy of [https://github.com/kantega/notsoserial]:
- // (and wrt [databind#1599])
- s.add("org.apache.commons.collections.functors.InvokerTransformer");
- s.add("org.apache.commons.collections.functors.InstantiateTransformer");
- s.add("org.apache.commons.collections4.functors.InvokerTransformer");
- s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
- // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf]
- // this is NOT likely to be exploitable via Jackson. But keep excluded just in case.
- s.add("org.codehaus.groovy.runtime.ConvertedClosure");
- s.add("org.codehaus.groovy.runtime.MethodClosure");
- s.add("org.springframework.beans.factory.ObjectFactory");
- s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
- s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
- // [databind#1680]: may or may not be problem, take no chance
- s.add("com.sun.rowset.JdbcRowSetImpl");
- // [databind#1737]; JDK provided
- s.add("java.util.logging.FileHandler");
- s.add("java.rmi.server.UnicastRemoteObject");
- // [databind#1737]; 3rd party
- s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
- s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-
- DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
- }
-
- /**
- * Set of class names of types that are never to be deserialized.
- */
- protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
/*
/**********************************************************
@@ -179,7 +142,7 @@ public DeserializerFactory withConfig(DeserializerFactoryConfig config)
return null;
}
// For checks like [databind#1599]
- checkIllegalTypes(ctxt, type, beanDesc);
+ _validateSubType(ctxt, type, beanDesc);
// Use generic bean introspection to build deserializer
return buildBeanDeserializer(ctxt, type, beanDesc);
}
@@ -878,17 +841,10 @@
return (status == null) ? false : status.booleanValue();
}
- protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+ protected void _validateSubType(DeserializationContext ctxt, JavaType type,
BeanDescription beanDesc)
throws JsonMappingException
{
- // There are certain nasty classes that could cause problems, mostly
- // via default typing -- catch them here.
- String full = type.getRawClass().getName();
-
- if (_cfgIllegalClassNames.contains(full)) {
- throw JsonMappingException.from(ctxt.getParser(),
- String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
- }
+ SubTypeValidator.instance().validateSubType(ctxt, type);
}
}
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
new file mode 100644
index 000000000..8a273cc15
--- /dev/null
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -0,0 +1,98 @@
+package com.fasterxml.jackson.databind.jsontype.impl;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.JsonMappingException;
+
+/**
+ * Helper class used to encapsulate rules that determine subtypes that
+ * are invalid to use, even with default typing, mostly due to security
+ * concerns.
+ * Used by <code>BeanDeserializerFacotry</code>
+ *
+ * @since 2.8.11
+ */
+public class SubTypeValidator
+{
+ protected final static String PREFIX_STRING = "org.springframework.";
+ /**
+ * Set of well-known "nasty classes", deserialization of which is considered dangerous
+ * and should (and is) prevented by default.
+ */
+ protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+ static {
+ Set<String> s = new HashSet<String>();
+ // Courtesy of [https://github.com/kantega/notsoserial]:
+ // (and wrt [databind#1599])
+ s.add("org.apache.commons.collections.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+ s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+ s.add("org.codehaus.groovy.runtime.MethodClosure");
+ s.add("org.springframework.beans.factory.ObjectFactory");
+ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+ // [databind#1680]: may or may not be problem, take no chance
+ s.add("com.sun.rowset.JdbcRowSetImpl");
+ // [databind#1737]; JDK provided
+ s.add("java.util.logging.FileHandler");
+ s.add("java.rmi.server.UnicastRemoteObject");
+ // [databind#1737]; 3rd party
+//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+ // [databind#1855]: more 3rd party
+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+ /**
+ * Set of class names of types that are never to be deserialized.
+ */
+ protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
+ private final static SubTypeValidator instance = new SubTypeValidator();
+
+ protected SubTypeValidator() { }
+
+ public static SubTypeValidator instance() { return instance; }
+
+ public void validateSubType(DeserializationContext ctxt, JavaType type) throws JsonMappingException
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+ final Class<?> raw = type.getRawClass();
+ String full = raw.getName();
+
+ do {
+ if (_cfgIllegalClassNames.contains(full)) {
+ break;
+ }
+
+ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
+ // for some Spring framework types
+ if (full.startsWith(PREFIX_STRING)) {
+ for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
+ String name = cls.getSimpleName();
+ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
+ if ("AbstractPointcutAdvisor".equals(name)
+ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
+ || "AbstractApplicationContext.equals".equals(name)) {
+ break;
+ }
+ }
+ }
+ return;
+ } while (false);
+
+ throw JsonMappingException.from(ctxt.getParser(),
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
+ }
+}