Cross posting from https://github.com/FasterXML/jackson-databind/issues/2483 . First thank you for addressing the polymorphic deserialization vulnerabilities. But in 2.10, by a dev doing something like
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder() . allowIfSubType(Object.class/Serializable.class) .build(); It is possible to enable all classes to be allowed to be deserialized. While it is not possible to completely block this, (someone could write their own validator ). In reality they are unlikely to and most will use your BasicPolymorphicTypeValidator. So to help make it more secure from developers that don't understand the potential vulnerabilities they are adding. I thought it might be useful to not allow the above whitelisting of everything, ( if that is set thrown an exception ). But allow it using it's own method call, something like PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder() . allowSubType_Insecure(Object.class/Serializable.class) .build(); That way it is flagging to the developer that they are doing something insecure and that they should think again. -- You received this message because you are subscribed to the Google Groups "jackson-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-dev/443b5e54-1493-4faa-b4e7-b3dee7f38252%40googlegroups.com.
