- Author: Pedric Kng
- Updated: 09 July 2018
CWE 502: Command injection via deserialization
Best practices for FasterXML/Jackson usage
- Avoid JsonTypeInfo annotation attributed with 'JsonTypeInfo.Id.Class'
@JsonTypeInfo(use=JsonTypeInfo.Id.CLASS)
public abstract class Bicycle {
...
}
public class RoadBike extends Bicycle{
...
}- Avoid usage of 'EnableDefaultTyping' vulnerable
ObjectMapper om = new ObjectMapper();
om.enableDefaultTyping();
Object o = om.readValue(json, List.class);- Avoid using java.lang.Object (or, java.util.Serializable) as the nominal type of polymorphic values
ObjectMapper om = new ObjectMapper();
Serializable o = om.readValue(json, List.class);Extend 'Java/Cx/Java_General/Find_Unsafe_Deserializers' See cxql example
Jackson Polymorphic Deserialization [1]
Blog on Jackson usage best practices [2]
Jackson deserialization exploit [3]