To support polymorphic deserialization, I enabled default typing in Jackson.
// my usage:
objectMapper.enableDefaultTypingAsProperty(ObjectMapper.DefaultTyping.NON_FINAL, "@class");

I am using the latest version, 2.9.8.  A security scan tool found that Jackson contains 
a pre-defined black list for blocking known cases, but new ones are found 
over time, so that at any given time there may be unblocked attack vectors. 
Not sure if Jackson will release a new build to fix it completely.  

Some article mentioned adding an annotation to the polymorphic base class, 
"@JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, 
include=JsonTypeInfo.As.PROPERTY, property="@class")". 
This will give the Java domain class a Jackson dependency. Our Java domain 
classes are shared by very large applications, so I don't want to add 
additional dependencies which may not be used.

At this time, what is the best way to fix it on my side?
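Added example (not part of the original post, and not Jackson project code) showing the post's configuration next to two hardened forms. It assumes Jackson 2.10 or later, where activateDefaultTypingAsProperty, setPolymorphicTypeValidator and BasicPolymorphicTypeValidator were introduced; Shape, Circle, Square and ShapeMixin are hypothetical stand-ins for shared, annotation-free domain classes, and the JSON strings are constructed inputs.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicTyping {

    // Hypothetical domain types: shared classes that carry no Jackson annotations.
    public static abstract class Shape { public String name; }
    public static class Circle extends Shape { public double radius; }
    public static class Square extends Shape { public double side; }

    // Mix-in: the @JsonTypeInfo lives here, so the domain classes stay dependency-free.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
    public static abstract class ShapeMixin { }

    // Option A (the post's 2.9.x setup): global default typing. Any class name in
    // "@class" is honoured for every non-final declared type, including Object;
    // only Jackson's built-in block list stands between input and class loading.
    public static ObjectMapper blockListOnly() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTypingAsProperty(ObjectMapper.DefaultTyping.NON_FINAL, "@class");
        return mapper;
    }

    // Option B (2.10+): same wire format, but a "@class" value is accepted only if
    // the resolved class is assignable to Shape (allow-list instead of block-list).
    public static ObjectMapper allowListed() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTypingAsProperty(ptv, ObjectMapper.DefaultTyping.NON_FINAL, "@class");
        return mapper;
    }

    // Option C (2.10+): no global default typing. Polymorphism is opted into per base
    // type through the mix-in, and the validator still gates annotated @class values.
    public static ObjectMapper mixInOnly() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.setPolymorphicTypeValidator(ptv);
        mapper.addMixIn(Shape.class, ShapeMixin.class);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate Circle, and a type id outside the Shape hierarchy.
        String circle = "{\"@class\":\"" + Circle.class.getName() + "\",\"name\":\"c\",\"radius\":2.0}";
        String foreign = "{\"@class\":\"java.util.HashMap\"}";

        // Both hardened mappers still deserialise the legitimate payload.
        Shape a = allowListed().readValue(circle, Shape.class);
        Shape b = mixInOnly().readValue(circle, Shape.class);
        System.out.println(a.getClass().getSimpleName() + " / " + b.getClass().getSimpleName());

        // Option A honours the foreign class name for an Object-typed target.
        Object loose = blockListOnly().readValue(foreign, Object.class);
        System.out.println("block-list only: " + loose.getClass().getName());

        // Option B refuses it before the class is ever instantiated.
        try {
            allowListed().readValue(foreign, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("allow-list rejected type id: " + e.getTypeId());
        }

        // Option C has no default typing, so Object targets get a plain Map and
        // the "@class" key is just an ordinary property.
        Object plain = mixInOnly().readValue(foreign, Object.class);
        System.out.println("mix-in only: " + plain.getClass().getName());
    }
}
```

The allow-list in options B and C is the change that removes the dependence on Jackson's block list: a class name in the input is loaded only if it passes the validator, so a newly discovered gadget class is rejected by default rather than accepted until the next release adds it to the list. Option C additionally keeps the shared domain classes free of Jackson annotations, which is what the mix-in mechanism exists for.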
