Rules Repository: RSPEC-4544

Using unsafe Jackson deserialization configuration is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure using this Jackson deserialization configuration is safe here.
    • Highlighting:
      • call to enableDefaultTyping()
      • @JsonTypeInfo + JsonTypeInfo.Id.CLASS or JsonTypeInfo.Id.MINIMAL_CLASS
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-502
    • OWASP:
      A8
    • FindSecBugs:
      JACKSON_UNSAFE_DESERIALIZATION

      Description

      Using unsafe Jackson deserialization configuration is security-sensitive. It has led in the past to the following vulnerabilities:

      When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, the type identifier carried in the JSON document selects which class gets instantiated; an attacker who controls that document can therefore name "deserialization gadgets", classes whose construction or property setters have dangerous side effects, and achieve remote code execution.

      This rule raises an issue when:

      • enableDefaultTyping() is called on an instance of com.fasterxml.jackson.databind.ObjectMapper or org.codehaus.jackson.map.ObjectMapper, or
      • the annotation @JsonTypeInfo is set at class or field level and configured with use = JsonTypeInfo.Id.CLASS or use = Id.MINIMAL_CLASS.

      Ask Yourself Whether

      • You configured the Jackson deserializer as mentioned above.
      • The serialized data might come from an untrusted source.

      You may be at risk if you answered yes to these questions.

      Recommended Secure Coding Practices

      • Use the latest patch versions of jackson-databind, which block the already discovered "deserialization gadgets".
      • Avoid using the default typing configuration: ObjectMapper.enableDefaultTyping().
      • If possible, use @JsonTypeInfo(use = Id.NAME) instead of @JsonTypeInfo(use = Id.CLASS) or @JsonTypeInfo(use = Id.MINIMAL_CLASS), and rely on @JsonTypeName and @JsonSubTypes so that only explicitly registered subtypes can be instantiated.

      Sensitive Code Example

      import com.fasterxml.jackson.annotation.JsonTypeInfo;
      import com.fasterxml.jackson.annotation.JsonTypeInfo.Id;
      import com.fasterxml.jackson.databind.ObjectMapper;

      ObjectMapper mapper = new ObjectMapper();
      mapper.enableDefaultTyping(); // Sensitive: any class named in the JSON may be instantiated

      @JsonTypeInfo(use = Id.CLASS) // Sensitive: the type id is a fully qualified class name taken from the input
      abstract class PhoneNumber {
      }
      

      People

      • Assignee: Unassigned
      • Reporter: Alexandre Gigleux (alexandre.gigleux)