Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

configure default PolymorphicTypeValidator in jackson 11 #281

Closed
codingchili opened this issue Dec 16, 2021 · 1 comment
Closed

configure default PolymorphicTypeValidator in jackson 11 #281

codingchili opened this issue Dec 16, 2021 · 1 comment
Labels
security

Comments

@codingchili
Copy link
Owner

This is an extra security precaution to block deserialization of classes that specify weakly typed or known vulnerable types.

This will guard against cases where the @JsonTypeInfo annotation is used with JsonTypeInfo.Id.CLASS or when polymorphic types are enabled by an user on the default mapper, used by vert.x, internally and through the Serializer utility. (polymorphic deserialization is disabled by default and not recommended to be enabled.)

Use of Object.class is still allowed without the annotation and without enabling polymorphic types, in this case jackson chooses the implementation class (map, list or basic type) - this is not a security vulnerability and this behavior has not been changed.

See FasterXML/jackson-databind#2587 for list of classes that are blocked.
@codingchili
Copy link
Owner Author

Fixed in 4a4ddb0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@codingchili