Tatu Saloranta22358942017-12-18 21:41:51 -08001package com.fasterxml.jackson.databind.jsontype.impl;
2
3import java.util.Collections;
4import java.util.HashSet;
5import java.util.Set;
6
7import com.fasterxml.jackson.databind.DeserializationContext;
8import com.fasterxml.jackson.databind.JavaType;
9import com.fasterxml.jackson.databind.JsonMappingException;
10
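/**
 * Helper class used to encapsulate rules that determine subtypes that
 * are invalid to use, even with default typing, mostly due to security
 * concerns.
 * Used by <code>BeanDeserializerFactory</code>.
 *<p>
 * NOTE: this is a deny-list, not an allow-list. {@link #validateSubType}
 * rejects only (a) the exact binary class names held in
 * {@link #DEFAULT_NO_DESER_CLASS_NAMES} (or whatever set a subclass puts in
 * {@link #_cfgIllegalClassNames}), (b) non-interface Spring classes that
 * extend <code>AbstractPointcutAdvisor</code> or
 * <code>AbstractApplicationContext</code>, and (c) non-interface c3p0 classes
 * whose name ends with <code>DataSource</code>. A subclass of a listed class
 * that has a different name, or a gadget class that is simply not on the
 * list, passes. Treat it as defense in depth: it does not make default
 * typing (or class-name type ids) safe on untrusted input.
 *
 * @since 2.8.11
 */
public class SubTypeValidator
{
    protected final static String PREFIX_SPRING = "org.springframework.";

    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";

    // Simple names of the Spring base classes whose subclasses are blocked,
    // see [databind#1855] ("AbstractBeanFactoryPointcutAdvisor" and
    // "FileSystemXmlApplicationContext" were the reported gadgets; blocking
    // the abstract base covers every subclass without a per-name entry).
    private final static String SPRING_POINTCUT_ADVISOR = "AbstractPointcutAdvisor";
    private final static String SPRING_APPLICATION_CONTEXT = "AbstractApplicationContext";

    // Suffix used for the c3p0 rule: [databind#1737] (JndiRefForwardingDataSource,
    // WrapperConnectionPoolDataSource) and [databind#1931] (ComboPooledDataSource,
    // debug.AfterCloseLoggingComboPooledDataSource) are all covered by it.
    private final static String C3P0_DATA_SOURCE_SUFFIX = "DataSource";

    /**
     * Set of well-known "nasty classes", deserialization of which is considered dangerous
     * and should (and is) prevented by default. Entries are binary class names as
     * returned by {@link Class#getName()}; matching is exact, so a subclass is NOT
     * covered by listing its parent.
     */
    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
    static {
        Set<String> s = new HashSet<String>();
        // Courtesy of [https://github.com/kantega/notsoserial]:
        // (and wrt [databind#1599])
        Collections.addAll(s,
                "org.apache.commons.collections.functors.InvokerTransformer",
                "org.apache.commons.collections.functors.InstantiateTransformer",
                "org.apache.commons.collections4.functors.InvokerTransformer",
                "org.apache.commons.collections4.functors.InstantiateTransformer",
                "org.codehaus.groovy.runtime.ConvertedClosure",
                "org.codehaus.groovy.runtime.MethodClosure",
                "org.springframework.beans.factory.ObjectFactory",
                "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
                "org.apache.xalan.xsltc.trax.TemplatesImpl");
        // [databind#1680]: may or may not be problem, take no chance
        s.add("com.sun.rowset.JdbcRowSetImpl");
        // [databind#1737]; JDK provided
        Collections.addAll(s,
                "java.util.logging.FileHandler",
                "java.rmi.server.UnicastRemoteObject");
        // [databind#1737]; 3rd party. (Spring's AbstractBeanFactoryPointcutAdvisor
        // and the c3p0 DataSources that used to be listed here are now handled by
        // the pattern rules in validateSubType(), per [databind#1855] / [databind#1931].)
        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
        // [databind#1855]: more 3rd party
        Collections.addAll(s,
                "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
                "com.sun.org.apache.bcel.internal.util.ClassLoader");
        // [databind#1899]: more 3rd party
        Collections.addAll(s,
                "org.hibernate.jmx.StatisticsService",
                "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
        // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
        s.add("org.apache.ibatis.parsing.XPathParser");
        // [databind#2052]: Jodd-db, with jndi/ldap lookup
        s.add("jodd.db.connection.DataSourceConnectionProvider");
        // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
        Collections.addAll(s,
                "oracle.jdbc.connector.OracleManagedConnectionFactory",
                "oracle.jdbc.rowset.OracleJDBCRowSet");
        // [databind#2097]: some 3rd party, one JDK-bundled
        Collections.addAll(s,
                "org.slf4j.ext.EventData",
                "flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor",
                "com.sun.deploy.security.ruleset.DRSHelper",
                "org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
        // [databind#2186]: yet more 3rd party gadgets
        Collections.addAll(s,
                "org.jboss.util.propertyeditor.DocumentEditor",
                "org.apache.openjpa.ee.RegistryManagedRuntime",
                "org.apache.openjpa.ee.JNDIManagedRuntime",
                "org.apache.axis2.transport.jms.JMSOutTransportInfo");
        // [databind#2326] (2.8.11.4): one more 3rd party gadget
        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");

        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
    }

    /**
     * Set of class names of types that are never to be deserialized.
     * Defaults to {@link #DEFAULT_NO_DESER_CLASS_NAMES}; a subclass may assign a
     * different set, but note that anything dropped from the default set is no
     * longer blocked.
     */
    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;

    private final static SubTypeValidator instance = new SubTypeValidator();

    protected SubTypeValidator() { }

    /**
     * Accessor for the shared default instance.
     */
    public static SubTypeValidator instance() { return instance; }

    /**
     * Checks whether the raw class of the given type may be deserialized, and
     * fails if it is one of the known-dangerous types.
     *
     * @param ctxt Deserialization context used to construct the exception
     * @param type Type whose raw class is to be checked
     *
     * @throws JsonMappingException if the raw class of <code>type</code> is
     *    denied: its name is in {@link #_cfgIllegalClassNames}, or it is a
     *    Spring/c3p0 class matched by the pattern rules (see class Javadoc)
     */
    public void validateSubType(DeserializationContext ctxt, JavaType type)
        throws JsonMappingException
    {
        // There are certain nasty classes that could cause problems, mostly
        // via default typing -- catch them here.
        final Class<?> raw = type.getRawClass();
        final String full = raw.getName();

        if (_isIllegalSubType(raw, full)) {
            throw JsonMappingException.from(ctxt,
                    String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
        }
    }

    /**
     * Applies the deny rules to a raw class: exact name match first, then
     * (for classes only, never interfaces) the Spring and c3p0 pattern rules.
     */
    private boolean _isIllegalSubType(Class<?> raw, String full)
    {
        if (_cfgIllegalClassNames.contains(full)) {
            return true;
        }
        // [databind#1855]: pattern rules need bit more sophisticated handling for
        // some Spring framework types; they only apply to classes, not interfaces
        if (raw.isInterface()) {
            return false;
        }
        if (full.startsWith(PREFIX_SPRING)) {
            return _extendsBlockedSpringBase(raw);
        }
        if (full.startsWith(PREFIX_C3P0)) {
            return full.endsWith(C3P0_DATA_SOURCE_SUFFIX);
        }
        return false;
    }

    /**
     * Walks the superclass chain of <code>raw</code> (itself included, stopping
     * at <code>Object</code>) looking for one of the blocked Spring base classes
     * by simple name.
     */
    private static boolean _extendsBlockedSpringBase(Class<?> raw)
    {
        for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
            String simpleName = cls.getSimpleName();
            if (SPRING_POINTCUT_ADVISOR.equals(simpleName)
                    || SPRING_APPLICATION_CONTEXT.equals(simpleName)) {
                return true;
            }
        }
        return false;
    }
}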