Links
• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://snyk.io/blog/java-json-deserialization-problems-jackson-objectmapper/
Vulnerable examples
1. Requires one of the following polymorphic type handling configurations:
@JsonTypeInfo(use = Id.CLASS, include = As.WRAPPER_ARRAY)
or
mapper.enableDefaultTyping()
With Id.CLASS (or Id.MINIMAL_CLASS) the type id carried in the JSON is a fully qualified class name, so the choice of include (WRAPPER_ARRAY, PROPERTY, ...) only changes the JSON layout, not the risk. enableDefaultTyping() applies the same class-name typing to every Object, abstract or interface typed property without any annotation; it is deprecated in favour of activateDefaultTyping(PolymorphicTypeValidator, ...), which is only safe when the validator allow-lists the expected types.
2. Requires a field whose declared type is java.lang.Object, java.io.Serializable or a similarly broad interface/abstract type, so that almost any class on the classpath is an acceptable subtype and the JSON can pick which one gets instantiated
Non-vulnerable examples
These two examples are not vulnerable because
1. In exampleOne the class being deserialised (JacksonSerialisationFalsePositive) has no Object-typed field, so no polymorphic type resolution happens at all (Bean is only a nested class, not a property).
2. In exampleTwo the Object field of the bean being deserialised uses
@JsonTypeInfo(use = Id.NAME)
so the type id is a logical name resolved against registered subtypes (@JsonSubTypes / registerSubtypes), never a class name; an unknown name fails with an InvalidTypeIdException instead of loading a class.
import java.io.Serializable;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JacksonSerialisationFalsePositive implements Serializable {

    static class Bean {
        // Id.NAME: the type id in the JSON is a logical name, not a class name
        @JsonTypeInfo(use = JsonTypeInfo.Id.NAME)
        public Object obj;
    }

    // Target type has no Object-typed field, so nothing polymorphic is resolved
    public void exampleOne(String JSON) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        Object obj = mapper.readValue(JSON, JacksonSerialisationFalsePositive.class);
    }

    // Target type's Object field uses Id.NAME, which cannot name arbitrary classes
    public void exampleTwo(String JSON) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        Object obj = mapper.readValue(JSON, Bean.class);
    }
}
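The following is an added example, not code from the original page or from the Jackson project, that puts the vulnerable configurations from the "Vulnerable examples" list next to the Id.NAME configuration from the "Non-vulnerable examples" list. It assumes jackson-databind 2.10 or later on the classpath (activateDefaultTyping and BasicPolymorphicTypeValidator were introduced in 2.10). The classes JacksonTypingDemo, Harmless, ClassIdBean, PlainBean, Shape, Circle and NameIdBean and the JSON inputs are constructed for the demonstration; Harmless stands in for "any class on the classpath" and is deliberately not a gadget. It goes slightly beyond the page's Bean by giving the Id.NAME field a closed list of subtypes via @JsonSubTypes, which is the form the Id.NAME approach is normally used in.

```java
// Added example (not from the original page): vulnerable Id.CLASS / default
// typing configurations beside the hardened Id.NAME configuration.
// Requires jackson-databind 2.10+ on the classpath.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Stand-in for "any class on the classpath" (constructed for this demo).
    // A gadget class would be located and instantiated via the same code path.
    public static class Harmless {
        public String name;
    }

    // Vulnerable shape 1: the JSON carries a fully qualified class name.
    public static class ClassIdBean {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.WRAPPER_ARRAY)
        public Object obj;
    }

    // Vulnerable shape 2: no annotation at all; default typing on the mapper
    // gives every Object / abstract / interface property class-name handling.
    public static class PlainBean {
        public Object obj;
    }

    // Non-vulnerable shape: Id.NAME with a closed list of logical names.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    public interface Shape {}

    public static class Circle implements Shape {
        public double r;
    }

    public static class NameIdBean {
        public Shape shape;
    }

    @SuppressWarnings("deprecation")
    public static void main(String[] args) throws Exception {
        // Constructed input: the sender, not the application, chooses the class.
        String cls = Harmless.class.getName();
        String classIdJson = "{\"obj\":[\"" + cls + "\",{\"name\":\"from-json\"}]}";

        // 1. @JsonTypeInfo(use = Id.CLASS): the JSON decides which class is built.
        ClassIdBean b1 = new ObjectMapper().readValue(classIdJson, ClassIdBean.class);
        System.out.println("Id.CLASS built: " + b1.obj.getClass().getName());

        // 2. enableDefaultTyping(): same effect with no annotation on the bean.
        ObjectMapper legacy = new ObjectMapper();
        legacy.enableDefaultTyping();
        PlainBean b2 = legacy.readValue(classIdJson, PlainBean.class);
        System.out.println("enableDefaultTyping built: " + b2.obj.getClass().getName());

        // 3. Hardened default typing: an allow-list validator refuses any class
        //    that is not Circle or a subtype of it, so the same payload fails.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .build();
        ObjectMapper strict = new ObjectMapper();
        strict.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        try {
            strict.readValue(classIdJson, PlainBean.class);
            System.out.println("UNEXPECTED: validator allowed " + cls);
        } catch (InvalidTypeIdException e) {
            System.out.println("validator rejected type id: " + e.getTypeId());
        }

        // 4. Id.NAME: the id is a logical name looked up in @JsonSubTypes, never a
        //    class name, so a sender cannot point the deserializer at any class.
        ObjectMapper plain = new ObjectMapper();
        NameIdBean ok = plain.readValue("{\"shape\":{\"type\":\"circle\",\"r\":2}}", NameIdBean.class);
        System.out.println("Id.NAME built: " + ok.shape.getClass().getSimpleName());
        try {
            plain.readValue("{\"shape\":{\"type\":\"" + cls + "\",\"r\":2}}", NameIdBean.class);
            System.out.println("UNEXPECTED: Id.NAME resolved a class name");
        } catch (InvalidTypeIdException e) {
            System.out.println("Id.NAME rejected type id: " + e.getTypeId());
        }
    }
}
```

Steps 1 and 2 both print the Harmless class name, showing that the class to instantiate came from the JSON; steps 3 and 4 end in InvalidTypeIdException for the same payload. When reviewing a finding, check which of the four shapes the code matches: an Object or Serializable typed property only matters when it is paired with Id.CLASS, Id.MINIMAL_CLASS or default typing without a restrictive validator.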