Hi,

I'd like to use Jackson to deserialize JSON from an untrusted source into 
simple POJOs that can be used for further validation (checking that values are 
within allowed ranges, etc). I've read a couple of blog posts about 
deserialization attacks [1,2] and I'd like to ask if there are some simple 
instructions I can follow to ensure my code isn't vulnerable to these attacks, 
without having to keep up to date with the latest gadget blacklists.

As far as I can tell from @cowtowncoder's blog post, I should avoid polymorphic 
type handling for any object or field whose declared type is broad enough to 
cover a gadget (Object, Serializable, etc). But the list of such types grows as 
new gadgets are discovered. So if I understand right, the only way to be safe 
against as-yet-undiscovered gadgets is to avoid polymorphic type handling 
altogether.

That's absolutely fine - I haven't written the code yet, so I'm not stuck with 
a legacy decision to use polymorphic type handling. So in that case my question 
is how to use Jackson without polymorphic type handling:

a) to parse a JSON string into a JsonNode that I can walk to create a POJO 
manually, or
b) to parse a JSON string into a POJO directly?

On the other hand, if I've misunderstood, and it's **not** necessary to avoid 
polymorphic type handling altogether, then how can I use it safely without 
keeping up to date with gadget blacklists?

Thanks,
Michael

[1] 
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

[2] https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/
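As an added example (not code from the original post or from the Jackson project), the following shows what (a) and (b) look like with default typing simply left off, which is Jackson's default unless activateDefaultTyping()/enableDefaultTyping() is called, plus one way to have polymorphism without a gadget blacklist: a closed list of named subtypes, so the JSON can pick a logical name but never a class. It assumes Jackson 2.10 or later for JsonMapper.builder(); the Order and Payment types and the JSON strings are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class SafeJacksonExample {

    // (b) A POJO whose fields are all concrete, JSON-native types. There is no
    // Object/Serializable/interface-typed field, so Jackson never has to choose a
    // subtype from the input and no type id in the JSON is honoured.
    public static final class Order {
        public String customerId;
        public int quantity;
        public double unitPrice;
    }

    // Constructed sample input; not taken from the original post.
    static final String ORDER_JSON =
        "{\"customerId\":\"c-42\",\"quantity\":3,\"unitPrice\":9.99}";

    // Default typing is off unless explicitly activated, so this mapper already
    // ignores any "@class"-style hints an attacker puts in the document.
    static ObjectMapper strictMapper() {
        return JsonMapper.builder()
            .enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS)
            // Already on by default; listed so the intent is visible.
            .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
            .build();
    }

    // The range checks the post mentions, run after either parsing style.
    static void validate(Order o) {
        if (o.customerId == null || o.customerId.isEmpty())
            throw new IllegalArgumentException("customerId required");
        if (o.quantity < 1 || o.quantity > 1000)
            throw new IllegalArgumentException("quantity out of range");
        if (o.unitPrice < 0 || Double.isNaN(o.unitPrice))
            throw new IllegalArgumentException("unitPrice out of range");
    }

    // (a) Parse to a JsonNode tree, then walk it and build the POJO by hand.
    static Order fromTree(String json) throws JsonProcessingException {
        JsonNode root = strictMapper().readTree(json);
        if (!root.isObject()) throw new IllegalArgumentException("expected a JSON object");
        JsonNode q = root.path("quantity");
        JsonNode p = root.path("unitPrice");
        if (!q.isInt() || !p.isNumber())
            throw new IllegalArgumentException("wrong field types");
        Order o = new Order();
        o.customerId = root.path("customerId").asText(null);
        o.quantity = q.intValue();
        o.unitPrice = p.doubleValue();
        validate(o);
        return o;
    }

    // (b) Bind straight to the POJO, then run the same checks.
    static Order fromPojo(String json) throws JsonProcessingException {
        Order o = strictMapper().readValue(json, Order.class);
        validate(o);
        return o;
    }

    // Polymorphism with logical names and a closed subtype list: the JSON
    // supplies a name, the annotation maps it to a class, anything else fails.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Card.class, name = "card"),
        @JsonSubTypes.Type(value = Bank.class, name = "bank")
    })
    public interface Payment {}
    public static final class Card implements Payment { public String last4; }
    public static final class Bank implements Payment { public String iban; }

    public static void main(String[] args) throws Exception {
        Order a = fromTree(ORDER_JSON);
        Order b = fromPojo(ORDER_JSON);
        System.out.println("tree: " + a.customerId + " x" + a.quantity
            + ", pojo: " + b.customerId + " x" + b.quantity);

        ObjectMapper m = strictMapper();
        Payment ok = m.readValue("{\"kind\":\"card\",\"last4\":\"4242\"}", Payment.class);
        System.out.println("payment: " + ok.getClass().getSimpleName());

        // A class name supplied by the caller is just an unknown name here.
        try {
            m.readValue("{\"kind\":\"java.lang.Object\"}", Payment.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The point of the Payment part is that the allowlist lives in code, not in a list of bad classes, so new gadgets do not change it. If default typing is genuinely required (for example a field declared as Object), Jackson 2.10 and later only accept it together with a PolymorphicTypeValidator, and BasicPolymorphicTypeValidator.builder().allowIfSubType(...) lets that validator be written as an allowlist as well; that is an assumption about the 2.10+ API and is not exercised in the block above.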
