Preliminary blocks for #2052: not actually sure if there is vuln via gadgets, but they seem suspicious enough to block tentatively

commit: 7487cf7eb14be2f65a1eb108e8629c07ef45e0a1 [log] [tgz]
author: Tatu Saloranta <tatu.saloranta@iki.fi> Thu May 31 22:11:08 2018 -0700
committer: Tatu Saloranta <tatu.saloranta@iki.fi> Thu May 31 22:11:08 2018 -0700
tree: 67d6705f62d1b24ad6ff06f35e7ba05513187456
parent: 051bd5e447fbc9539e12a4fe90eb989dba0c656e [diff]
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index ec530a5..684ce94 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -60,6 +60,12 @@
         // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
         s.add("org.apache.ibatis.parsing.XPathParser");
 
+        // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
+        //   and access attempt is made:
+        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+        s.add("jodd.db.connection.DataSourceConnectionProvider");
+        s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
commit	7487cf7eb14be2f65a1eb108e8629c07ef45e0a1	[log] [tgz]
author	Tatu Saloranta <tatu.saloranta@iki.fi>	Thu May 31 22:11:08 2018 -0700
committer	Tatu Saloranta <tatu.saloranta@iki.fi>	Thu May 31 22:11:08 2018 -0700
tree	67d6705f62d1b24ad6ff06f35e7ba05513187456
parent	051bd5e447fbc9539e12a4fe90eb989dba0c656e [diff]