> I thought it might be useful to not allow the above whitelisting of everything
Sounds like a good idea to me.

Artem

On Saturday, October 5, 2019 at 8:12:19 PM UTC+2, Joe B wrote:
> Cross posting from https://github.com/FasterXML/jackson-databind/issues/2483 .
>
> First, thank you for addressing the polymorphic deserialization
> vulnerabilities.
>
> But in 2.10, it is possible for a dev to enable all classes to be
> deserialized by doing something like
>
>     PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
>         .allowIfSubType(Object.class/Serializable.class)
>         .build();
>
> While it is not possible to completely block this (someone could write
> their own validator), in reality they are unlikely to, and most will use
> your BasicPolymorphicTypeValidator. So, to help make it more secure from
> developers who don't understand the potential vulnerabilities they are
> adding, I thought it might be useful to not allow the above whitelisting of
> everything (if that is set, throw an exception), but allow it using its
> own method call, something like
>
>     PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
>         .allowSubType_Insecure(Object.class/Serializable.class)
>         .build();
>
> That way it is flagging to the developer that they are doing something
> insecure and that they should think again.
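The following is an added example, not code from the jackson-dev thread or from Jackson itself. It puts the allow-everything validator Joe B describes next to a narrow allow-list, and shows one way an application can catch the insecure configuration today, without waiting for an `allowSubType_Insecure` method: before default typing is switched on, ask the validator whether it would accept an arbitrary private class as a subtype of `Object`. The guard method (`rejectIfAllowsEverything`), the `Canary` probe class, the `com.example.model.` package prefix and the JSON payload are all assumptions made for this illustration; `java.util.HashMap` is used in the payload only as a harmless stand-in for whatever class an attacker would name. It assumes jackson-databind 2.10.x on the classpath.

```java
// Added example, not part of Jackson or of the original thread.
// Assumes jackson-databind 2.10.x on the classpath.
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator.Validity;

public class PtvGuardDemo {

    // Constructed input in the WRAPPER_ARRAY form that activateDefaultTyping uses:
    // [ "<class name>", <value> ]. java.util.HashMap is a harmless stand-in for
    // whatever class an attacker would actually name here.
    static final String PAYLOAD = "[\"java.util.HashMap\",{\"k\":\"v\"}]";

    // The configuration the post warns about: every subtype of Object is
    // allowed, i.e. every class on the classpath.
    static PolymorphicTypeValidator allowEverything() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Object.class)
                .build();
    }

    // A narrow allow-list: only classes under the application's own package.
    // The package name is a placeholder for this example.
    static PolymorphicTypeValidator allowOwnModels() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
    }

    // Probe class that no real allow-list would name. It implements
    // Serializable so that allowIfSubType(Serializable.class) is caught too.
    private static final class Canary implements java.io.Serializable {}

    // Hypothetical guard, not a Jackson API. BasicPolymorphicTypeValidator
    // answers ALLOWED for a subtype only if one of its matchers covers it, so
    // a validator that accepts the private Canary class as a subtype of Object
    // must have been built with Object.class or Serializable.class.
    static void rejectIfAllowsEverything(ObjectMapper mapper, PolymorphicTypeValidator ptv) {
        MapperConfig<?> cfg = mapper.getDeserializationConfig();
        JavaType base = mapper.constructType(Object.class);
        JavaType probe = mapper.constructType(Canary.class);
        if (ptv.validateSubType(cfg, base, probe) == Validity.ALLOWED) {
            throw new IllegalArgumentException(
                    "PolymorphicTypeValidator allows arbitrary subtypes of Object; "
                    + "refusing to enable default typing");
        }
    }

    // Builds a mapper with default typing, but only after the guard has passed.
    static ObjectMapper mapperWith(PolymorphicTypeValidator ptv) {
        ObjectMapper mapper = new ObjectMapper();
        rejectIfAllowsEverything(mapper, ptv);
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // 1. Narrow allow-list: the type id is rejected before the class is used.
        try {
            mapperWith(allowOwnModels()).readValue(PAYLOAD, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("narrow list rejected payload: " + e.getMessage());
        }

        // 2. Allow-everything validator: the guard refuses to build the mapper.
        try {
            mapperWith(allowEverything());
        } catch (IllegalArgumentException e) {
            System.out.println("guard refused validator: " + e.getMessage());
        }

        // 3. The same validator without the guard: the class named in the
        //    payload is instantiated, which is exactly the behaviour to avoid.
        ObjectMapper unguarded = new ObjectMapper()
                .activateDefaultTyping(allowEverything(), ObjectMapper.DefaultTyping.NON_FINAL);
        Object o = unguarded.readValue(PAYLOAD, Object.class);
        System.out.println("unguarded mapper instantiated: " + o.getClass().getName());
    }
}
```

The probe works because `validateSubType` is a public method on every `PolymorphicTypeValidator`, so the same check can be applied to a custom validator as well, not only to `BasicPolymorphicTypeValidator`. It is a one-time startup check, not a substitute for a tight allow-list: a validator that matches a broad prefix such as `java.` would pass the probe and still be far too permissive.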
