When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, "deserialization gadgets" may allow an attacker to perform remote code execution.
This rule raises an issue when:
- enableDefaultTyping() is called on an instance of com.fasterxml.jackson.databind.ObjectMapper or org.codehaus.jackson.map.ObjectMapper
- the annotation @JsonTypeInfo is set at class or field level and configured with use = JsonTypeInfo.Id.CLASS or use = Id.MINIMAL_CLASS
Noncompliant code example:

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Noncompliant

@JsonTypeInfo(use = Id.CLASS) // Noncompliant
abstract class PhoneNumber {
}
Recommended secure coding practices:
- use the latest patch versions of jackson-databind, which block the already discovered "deserialization gadgets"
- avoid using the default typing configuration: ObjectMapper.enableDefaultTyping()
- use @JsonTypeInfo(use = Id.NAME) instead of @JsonTypeInfo(use = Id.CLASS) or @JsonTypeInfo(use = Id.MINIMAL_CLASS), and rely on @JsonTypeName and @JsonSubTypes to enumerate the permitted subtypes