When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, "deserialization gadgets" may allow an attacker to perform remote code execution.

This rule raises an issue when:

- enableDefaultTyping() is called on an instance of com.fasterxml.jackson.databind.ObjectMapper or org.codehaus.jackson.map.ObjectMapper

- or when the annotation @JsonTypeInfo is set at class or field level and configured with use = JsonTypeInfo.Id.CLASS or use = Id.MINIMAL_CLASS

Recommended Secure Coding Practices

Noncompliant Code Example

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.annotation.JsonTypeInfo.Id;
import com.fasterxml.jackson.databind.ObjectMapper;

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Noncompliant: type ids in the JSON are resolved as class names

@JsonTypeInfo(use = Id.CLASS) // Noncompliant: the JSON document chooses which class is instantiated
abstract class PhoneNumber {
}

Compliant Solution

- use the latest patch versions of jackson-databind blocking the already discovered "deserialization gadgets"

- avoid using the default typing configuration: ObjectMapper.enableDefaultTyping()

- use @JsonTypeInfo(use = Id.NAME) instead of @JsonTypeInfo(use = Id.CLASS) or @JsonTypeInfo(use = Id.MINIMAL_CLASS), and rely on @JsonTypeName and @JsonSubTypes so that only the subtypes you register can be instantiated

See