109 - VID_LANGUAGE_JAVA_JACKSON

Links


• https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
• https://snyk.io/blog/java-json-deserialization-problems-jackson-objectmapper/

Vulnerable examples


1. Requires polymorphic typing to be switched on, either per property with @JsonTypeInfo(use = Id.CLASS, include = As.WRAPPER_ARRAY) or globally with mapper.enableDefaultTyping(), so that the JSON document itself can name the concrete class to instantiate.

2. Requires a daughter object (a field) declared as java.lang.Object or java.io.Serializable, because such a broad declared type lets the type identifier in the JSON select from a very large set of classes on the classpath.

Non-vulnerable examples


These two examples are not vulnerable because:

1. The class that is being deserialised does not contain a daughter Object.

2. The bean that is being deserialised is using @JsonTypeInfo(use = Id.NAME), so the type identifier is a logical name that must be registered in advance rather than an arbitrary fully qualified class name.

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.Serializable;

public class JacksonSerialisationFalsePositive implements Serializable {
    static class Bean {
        // Id.NAME: the type id is a logical name resolved against registered subtypes,
        // not a class name chosen by the JSON document.
        @JsonTypeInfo(use = JsonTypeInfo.Id.NAME)
        public Object obj;
    }

    // The outer class declares no properties, so there is no Object field to populate.
    public void exampleOne(String JSON) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        Object obj = mapper.readValue(JSON, JacksonSerialisationFalsePositive.class);
    }

    // Bean.obj uses Id.NAME, so only registered logical names are accepted.
    public void exampleTwo(String JSON) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        Object obj = mapper.readValue(JSON, Bean.class);
    }
}
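The following is an added example, not code from the page or from the Jackson project, that puts the two vulnerable conditions listed above next to the two hardened alternatives: a bean with an Object field under Id.CLASS (the vulnerable shape), the same intent expressed with Id.NAME plus an explicit @JsonSubTypes allow-list, and, for code that genuinely needs default typing, the validator-gated activateDefaultTyping() that replaced enableDefaultTyping() in Jackson 2.10. All class names, the Shape hierarchy, the "kind" property and the com.example.model package prefix are hypothetical; the JSON inputs are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (hypothetical names throughout): vulnerable shape versus hardened shapes.
public class JacksonTypingExample {

    // --- Vulnerable shape: condition 1 (Id.CLASS) and condition 2 (field of type Object) ---
    // The JSON document names the concrete class by its fully qualified name, so every
    // class on the classpath is a candidate for instantiation.
    static class VulnerableBean {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.WRAPPER_ARRAY)
        public Object payload;
    }

    // --- Hardened shape A: logical type names bound to an explicit allow-list ---
    // Id.NAME resolves the "kind" value only against the subtypes registered here;
    // any other name fails closed with InvalidTypeIdException before an object is built.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape { double area(); }

    static class Circle implements Shape {
        public double radius;
        public double area() { return Math.PI * radius * radius; }
    }

    static class Square implements Shape {
        public double side;
        public double area() { return side * side; }
    }

    static class SafeBean {
        public Shape shape;   // declared as the annotated interface, not as Object
    }

    // --- Hardened shape B: default typing gated by a PolymorphicTypeValidator ---
    // activateDefaultTyping(...) is the 2.10+ replacement for enableDefaultTyping();
    // the validator limits resolvable subtypes to the given (hypothetical) package prefix.
    static ObjectMapper restrictedDefaultTypingMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    static double areaFromJson(String json) throws Exception {
        SafeBean bean = new ObjectMapper().readValue(json, SafeBean.class);
        return bean.shape.area();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a registered logical name is accepted.
        System.out.println(areaFromJson("{\"shape\":{\"kind\":\"square\",\"side\":3}}")); // 9.0

        // Constructed input: an unregistered logical name is rejected by the type id resolver.
        try {
            areaFromJson("{\"shape\":{\"kind\":\"not-registered\",\"side\":3}}");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

The property to audit in a code review is the declared type of the polymorphic field: a field typed as Object or Serializable under Id.CLASS or unrestricted default typing is the combination the two conditions above describe, whereas an interface or abstract base type carrying Id.NAME with @JsonSubTypes bounds the set of instantiable classes to the ones the application registered.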