--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2016-07-23 03:36:51.000000000 +0100
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2017-07-20 15:42:39.836790820 +0100
@@ -139,6 +139,8 @@
if (!isPotentialBeanType(type.getRawClass())) {
return null;
}
+ // For checks like [databind#1599]
+ checkIllegalTypes(ctxt, type, beanDesc);
// Use generic bean introspection to build deserializer
return buildBeanDeserializer(ctxt, type, beanDesc);
}
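Review bot: The new `checkIllegalTypes(ctxt, type, beanDesc);` call runs only for types that get past the `isPotentialBeanType` guard at this point of the method; any earlier `return` in the same method (for example when a custom deserializer is found first) would skip it, which is worth confirming because the enclosing method starts outside this hunk. The comment `// For checks like [databind#1599]` does not say what is being rejected or why it must happen here; `// Reject classes that must never be deserialized before any deserializer is built for them ([databind#1599])` would make the ordering relative to `buildBeanDeserializer` deliberate rather than incidental.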
@@ -826,4 +828,22 @@
// We default to 'false', i.e. not ignorable
return (status == null) ? false : status.booleanValue();
}
+
+ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+ BeanDescription beanDesc)
+ throws JsonMappingException
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+ Class raw = type.getRawClass();
+ String name = raw.getSimpleName();
+
+ if ("TemplatesImpl".equals(name)) { // [databind#1599]
+ if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+ throw JsonMappingException.from(ctxt,
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+ name));
+ }
+ }
+ }
}
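Review bot: `Class raw = type.getRawClass();` declares a raw `Class` although `getRawClass()` already returns `Class<?>`; write `Class<?> raw = type.getRawClass();` so the method compiles without a rawtypes warning. The `beanDesc` parameter is never read in this body, and the later rewrite of the same method in the `@@ -846,15 +871,11 @@` hunk does not use it either; if it is kept so that subclasses overriding this hook can inspect the description, say so in a Javadoc `@param beanDesc` line, otherwise it reads as dead. The protected method also has no Javadoc at all; a one-line summary stating that it throws `JsonMappingException` for types that must never be deserialized, plus `@throws`, is enough for an overridable hook.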
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -39,7 +39,33 @@
private final static Class[] INIT_CAUSE_PARAMS = new Class[] { Throwable.class };
|
private final static Class[] NO_VIEWS = new Class[0];
-
+
+ /**
+ * Set of well-known "nasty classes", deserialization of which is considered dangerous
+ * and should (and is) prevented by default.
+ */
+ protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+ static {
+ Set<String> s = new HashSet<String>();
+ // Courtesy of [https://github.com/kantega/notsoserial]:
+ // (and wrt [databind#1599]
+ s.add("org.apache.commons.collections.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+ s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+ s.add("org.codehaus.groovy.runtime.MethodClosure");
+ s.add("org.springframework.beans.factory.ObjectFactory");
+ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+ /**
+ * Set of class names of types that are never to be deserialized.
+ */
+ protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
/*
/**********************************************************
/* Life-cycle
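Review bot: `_cfgIllegalClassNames` is consulted by exact fully-qualified name (the `contains(full)` lookup in the `@@ -846,15 +871,11 @@` hunk), so the set blocks only the classes listed and not their subclasses or any unlisted class; the Javadoc should state this so the field is not read as a general safeguard: `Set of class names of types that are never to be deserialized. Matched by exact fully-qualified class name only; subclasses and unlisted types are not affected.` The field is `protected` and non-final; if nothing in the file reassigns it, declare it `final` so the default list cannot be replaced at runtime by accident, and if it is meant to be configurable, document where that happens. Minor: the comment `// (and wrt [databind#1599]` lacks its closing parenthesis, and the static block relies on `Set`, `HashSet` and `Collections` being imported, which this hunk does not show.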
@@ -846,15 +871,11 @@ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
{
// There are certain nasty classes that could cause problems, mostly
// via default typing -- catch them here.
- Class raw = type.getRawClass();
- String name = raw.getSimpleName();
-
- if ("TemplatesImpl".equals(name)) { // [databind#1599]
- if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
- throw JsonMappingException.from(ctxt,
- String.format("Illegal type (%s) to deserialize: prevented for security reasons",
- name));
- }
+ String full = type.getRawClass().getName();
+
+ if (_cfgIllegalClassNames.contains(full)) {
+ throw JsonMappingException.from(ctxt.getParser(),
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
}
}
}
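Review bot: The rewritten body is now the single place where `_cfgIllegalClassNames` is applied, but the method still carries no Javadoc and its signature sits outside this hunk, so a reader of the new lines cannot tell that it is an overridable hook rather than an internal helper. A short Javadoc on the signature would cover it: `Checks whether the raw class of {@code type} is one of the class names in {@code _cfgIllegalClassNames} and refuses it; called before a bean deserializer is built. @throws JsonMappingException if the type must never be deserialized`. The remaining comment `// There are certain nasty classes that could cause problems, mostly via default typing -- catch them here.` is still accurate for the new lookup, so it can stay as the why-comment.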