On 11/10/2018 02:11, Tatu Saloranta wrote:
> On Wed, Oct 10, 2018 at 9:32 AM Michael Rogers <[email protected]>
> wrote:
>>
>> Hi Tatu,
>>
>> Thanks for your reply (and sorry for the duplicate posts).
>>
>> We don't need to do anything complex, so I'd just like to confirm
>> whether the following things are safe:
>>
>> 1. Create a new ObjectMapper without calling enableDefaultTyping(). Use
>> readTree(String) to parse a JsonNode from an untrusted String.
>>
>> 2. Create a POJO class that doesn't use any Jackson annotations, and
>> doesn't have any fields with types that are broad enough to cover
>> gadgets. Create a new ObjectMapper without calling
>> enableDefaultTyping(). Use readValue(String, Class) to parse a POJO from
>> an untrusted String.
>>
>> 3. As above, except the POJO class has a field with a type that could
>> cover a gadget, such as Object. But we're still not using any
>> annotations or enabling default typing.
>
> Correct: all 3 usages listed are safe.
>
> Deserialization without polymorphism (via type id) can only map to
> other types if:
>
> 1. User has specified mapping from abstract to concrete type (to allow
> for mapping, say, `User` to `UserImpl`) OR
> 2. There is a deserializer (standard Jackson one or custom) that
> creates an instance of concrete subtype
> 3. Special case of `java.lang.Object` uses "natural" mapping to Lists,
> Maps, wrappers and nulls.
>
> So, declaring a field as, say, `Object` does not invoke gadget
> construction without explicit indication of polymorphism (and
> matching id), nor does `java.io.Serializable`.
>
> Use of annotations other than `@JsonTypeInfo` does not enable unsafe
> handling either.
>
> -+ Tatu +-
Fantastic - thanks very much for your help.

Cheers,
Michael
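The three usages Tatu confirms above, as an added example that is not part of the thread and not Jackson project code. It assumes jackson-databind 2.9.x on the classpath (the era in which enableDefaultTyping() was the API under discussion); the Event POJO, the JSON input and the class name inside it are constructed for the example, and "com.example.NotAGadget" is a placeholder string, not a real gadget class. The input deliberately uses the ["type id", {...}] array shape that default typing would interpret as a polymorphic type id, so the reader can see what the plain mapper does with it instead.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added illustration of the three "safe" usages confirmed in the thread.
// Assumes jackson-databind 2.9.x; everything else here is constructed.
public class NoDefaultTypingExample {

    // Cases 2 and 3: a POJO with no Jackson annotations. `name` and `count`
    // are narrow types; `payload` is the broad java.lang.Object type that
    // case 3 asks about.
    public static class Event {
        public String name;
        public int count;
        public Object payload;
    }

    // Constructed untrusted input. The payload uses the [ "type id", { ... } ]
    // array shape that Jackson default typing (Id.CLASS) reads as "instantiate
    // this class". The class name is a placeholder, not a real gadget.
    static final String UNTRUSTED_JSON =
          "{\"name\":\"login\",\"count\":3,"
        + " \"payload\":[\"com.example.NotAGadget\","
        + "   {\"cmd\":\"whoami\",\"n\":1,\"f\":2.5,\"ok\":true,\"none\":null}]}";

    // Recursively describe the concrete Java types Jackson produced, using the
    // real runtime class names, so the "natural" mapping of an Object-typed
    // field (List / Map / wrapper types / null) is visible at a glance.
    static String describe(Object v) {
        if (v == null) return "null";
        if (v instanceof List) {
            List<String> parts = new ArrayList<>();
            for (Object e : (List<?>) v) parts.add(describe(e));
            return v.getClass().getSimpleName() + parts;
        }
        if (v instanceof Map) {
            List<String> parts = new ArrayList<>();
            for (Map.Entry<?, ?> e : ((Map<?, ?>) v).entrySet())
                parts.add(e.getKey() + "=" + describe(e.getValue()));
            return v.getClass().getSimpleName() + "{" + String.join(", ", parts) + "}";
        }
        return v.getClass().getSimpleName();
    }

    public static void main(String[] args) throws Exception {
        // No enableDefaultTyping(), no @JsonTypeInfo anywhere: nothing in the
        // input can be treated as a type id.
        ObjectMapper mapper = new ObjectMapper();

        // Case 1: untrusted input into the tree model.
        JsonNode tree = mapper.readTree(UNTRUSTED_JSON);
        System.out.println("tree payload[0] is a text node: "
            + tree.get("payload").get(0).isTextual());

        // Cases 2 and 3: untrusted input into the annotation-free POJO.
        Event ev = mapper.readValue(UNTRUSTED_JSON, Event.class);
        System.out.println("name=" + ev.name + " count=" + ev.count);
        System.out.println("payload mapped as: " + describe(ev.payload));

        // The would-be type id is an ordinary String element of an ArrayList;
        // no class was looked up or instantiated from it.
        Object first = ((List<?>) ev.payload).get(0);
        System.out.println("first payload element is a plain String: "
            + (first instanceof String));
    }
}
```

The configurations that would change this picture are exactly the ones Tatu names: calling mapper.enableDefaultTyping() (the 2.9 API the thread refers to) or annotating the payload field with @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS). Either makes Jackson treat the first array element as a class name to instantiate, which is the path the plain configuration never takes. The practical check on an existing code base is therefore a search for enableDefaultTyping, activateDefaultTyping (its later replacement) and @JsonTypeInfo, plus any custom deserializers or abstract-to-concrete type mappings, since those are the remaining two ways a field can end up holding something other than the natural types.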
