On Fri, Apr 12, 2019 at 7:00 PM <[email protected]> wrote:
>
> To support polymorphic deserialization, I enabled default typing in Jackson.
>
> //my usage:
>
> objectMapper.enableDefaultTypingAsProperty(ObjectMapper.DefaultTyping.NON_FINAL,
> "@class");
>
> I am using the latest version, 2.9.8. A security scan tool found that Jackson
> contains a pre-defined black list for blocking known cases, but new ones are
> found over time, so that at any given time there may be unblocked attack
> vectors. Not sure if Jackson will release a new build to fix it completely.

Correct: as per
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
if you enable default typing with class name, the block-list can only prevent
known problems.

There is work on-going to allow specifying custom criteria for acceptance, so
2.10 will have a mechanism, but since it requires an API addition it will not
be backported to previous versions. It is also not yet implemented, but it is
the number one item on my list of 2.10 features to implement before the first
release candidate.

> Some article mentioned adding an annotation in the polymorphic base class,
> "@JsonTypeInfo(use=JsonTypeInfo.Id.CLASS, include=JsonTypeInfo.As.PROPERTY,
> property="@class")".

Yes, as long as this type is something that you know can not contain
problematic classes (which typically means it is a base class you control),
that would solve the problem.

> This will make the Java domain class have a Jackson dependency. Our Java
> domain classes are shared by very large applications, so I don't want to add
> additional dependencies which may not be used.
>
> At this time, what is the best way to fix it on my side?

If you have a single base class (or a small number of known ones), you could
use mix-in annotations to achieve the same effect as adding the annotation on
the class definition. You just need to associate that `@JsonTypeInfo`
declaration with that base class (or base classes).

There is an alternative mechanism that Spring Web / Boot use, I think, but I
don't think it is something users should try to reimplement. But maybe Spring
developers can share their implementation.

-+ Tatu +-
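The mix-in approach Tatu describes, written out as an added example (not code from the thread, and not Jackson's own code). The domain types Shape, Circle and Square, the ShapeMixin class, the ShapeMixinDemo wrapper and the sample payloads are all assumptions made up for the illustration. The domain classes carry no Jackson annotations; the `@JsonTypeInfo` declaration quoted in the thread is attached to them through `ObjectMapper.addMixIn`, and default typing is never enabled on the mapper. The weak configuration from the original post is kept alongside for comparison only.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Polymorphic deserialization scoped to one controlled base type via a mix-in,
 * instead of ObjectMapper-wide default typing. Constructed example.
 */
public class ShapeMixinDemo {

    // --- Domain model shared with other applications: no Jackson imports here (assumed) ---
    public static abstract class Shape {
        public abstract double area();
    }

    public static class Circle extends Shape {
        public double radius;
        public Circle() { }
        public Circle(double radius) { this.radius = radius; }
        @Override public double area() { return Math.PI * radius * radius; }
    }

    public static class Square extends Shape {
        public double side;
        public Square() { }
        public Square(double side) { this.side = side; }
        @Override public double area() { return side * side; }
    }

    // --- Mix-in: the annotation quoted in the thread, kept out of the domain module ---
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
    abstract static class ShapeMixin { }

    /** The configuration from the original post: any non-final class named in "@class" is honoured. */
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTypingAsProperty(ObjectMapper.DefaultTyping.NON_FINAL, "@class");
        return mapper;
    }

    /** Hardened: no default typing; a type id is only read where Shape is the declared base type. */
    public static ObjectMapper hardenedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.addMixIn(Shape.class, ShapeMixin.class);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Round trip: writing with Shape as the declared type emits the "@class" property,
        // and reading back as Shape uses it to pick the concrete subtype.
        String json = mapper.writerFor(Shape.class).writeValueAsString(new Circle(2.0));
        System.out.println(json);
        Shape shape = mapper.readValue(json, Shape.class);
        System.out.println(shape.getClass().getSimpleName() + " area=" + shape.area());

        // Constructed untrusted payload naming a class that is not a Shape. Because the
        // type id must resolve to a subtype of the declared base, Jackson rejects it
        // without instantiating anything, independent of whether the class is block-listed.
        String hostile = "{\"@class\":\"java.util.HashMap\",\"x\":1}";
        try {
            mapper.readValue(hostile, Shape.class);
            System.out.println("unexpected: payload accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The security-relevant difference is scope: with `weakMapper()` every property of a non-final declared type is a place where the document may name a class to instantiate, and only the block-list stands between that and a gadget class; with `hardenedMapper()` the `@class` property is consulted only for values declared as `Shape`, and the name must resolve to a `Shape` subtype. Keep `Shape` itself free of fields or subtypes that could be abused, since a mix-in only narrows where type ids are read, not what a subtype does on construction.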
