Tatu Saloranta | 2235894 | 2017-12-18 21:41:51 -0800 | [diff] [blame] | 1 | package com.fasterxml.jackson.databind.jsontype.impl; |
| 2 | |
| 3 | import java.util.Collections; |
| 4 | import java.util.HashSet; |
| 5 | import java.util.Set; |
| 6 | |
| 7 | import com.fasterxml.jackson.databind.DeserializationContext; |
| 8 | import com.fasterxml.jackson.databind.JavaType; |
| 9 | import com.fasterxml.jackson.databind.JsonMappingException; |
| 10 | |
/**
 * Helper class used to encapsulate rules that determine subtypes that
 * are invalid to use, even with default typing, mostly due to security
 * concerns.
 * Used by <code>BeanDeserializerFactory</code>.
 *<p>
 * NOTE: this is a deny-list of known "gadget" classes, grown incrementally as
 * new gadgets are reported, and so can never be complete. Enabling default
 * typing for content from untrusted sources remains unsafe even with this
 * check in place; where possible, callers should restrict polymorphic
 * deserialization to an explicit allow-list of expected subtypes instead.
 *
 * @since 2.8.11
 */
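public class SubTypeValidator
{
    /**
     * Package prefix of Spring Framework types for which an additional
     * superclass-based check is applied (see {@link #validateSubType}).
     */
    protected final static String PREFIX_SPRING = "org.springframework.";

    /**
     * Package prefix of c3p0 connection-pool types for which an additional
     * name-suffix check is applied (see {@link #validateSubType}).
     */
    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";

    /**
     * Set of well-known "nasty classes", deserialization of which is considered dangerous
     * and should (and is) prevented by default.
     *<p>
     * Matching against this set is by exact fully-qualified class name only: a
     * subclass of a listed type is NOT blocked by the set itself. The only
     * hierarchy-aware checks are the Spring and c3p0 heuristics in
     * {@link #validateSubType}.
     */
    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
    static {
        Set<String> s = new HashSet<String>();
        // Courtesy of [https://github.com/kantega/notsoserial]:
        // (and wrt [databind#1599])
        s.add("org.apache.commons.collections.functors.InvokerTransformer");
        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
        s.add("org.codehaus.groovy.runtime.MethodClosure");
        s.add("org.springframework.beans.factory.ObjectFactory");
        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
        // [databind#1680]: may or may not be problem, take no chance
        s.add("com.sun.rowset.JdbcRowSetImpl");
        // [databind#1737]; JDK provided
        s.add("java.util.logging.FileHandler");
        s.add("java.rmi.server.UnicastRemoteObject");
        // [databind#1737]; 3rd party
        // (Spring "AbstractBeanFactoryPointcutAdvisor" is no longer listed here:
        // since [databind#1855] the whole hierarchy is blocked by the superclass
        // check in validateSubType)
        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
        // (c3p0 "JndiRefForwardingDataSource" / "WrapperConnectionPoolDataSource"
        // are no longer listed here: since [databind#1931] all c3p0 DataSource
        // variants are blocked by the suffix check in validateSubType)

        // [databind#1855]: more 3rd party
        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
        // [databind#1899]: more 3rd party
        s.add("org.hibernate.jmx.StatisticsService");
        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
        // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
        s.add("org.apache.ibatis.parsing.XPathParser");

        // [databind#2052]: Jodd-db, with jndi/ldap lookup
        s.add("jodd.db.connection.DataSourceConnectionProvider");

        // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
        s.add("oracle.jdbc.rowset.OracleJDBCRowSet");

        // [databind#2097]: some 3rd party, one JDK-bundled
        s.add("org.slf4j.ext.EventData");
        s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
        s.add("com.sun.deploy.security.ruleset.DRSHelper");
        s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");

        // [databind#2186]: yet more 3rd party gadgets
        s.add("org.jboss.util.propertyeditor.DocumentEditor");
        s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
        s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");

        // [databind#2326] (2.8.11.4): one more 3rd party gadget
        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");

        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
    }

    /**
     * Set of class names of types that are never to be deserialized.
     * Defaults to {@link #DEFAULT_NO_DESER_CLASS_NAMES}; subclasses may
     * substitute their own (unmodifiable) set.
     */
    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;

    private final static SubTypeValidator instance = new SubTypeValidator();

    protected SubTypeValidator() { }

    /**
     * Accessor for the shared default instance (uses {@link #DEFAULT_NO_DESER_CLASS_NAMES}).
     */
    public static SubTypeValidator instance() { return instance; }

    /**
     * Checks whether given type may be deserialized, throwing an exception if
     * it is one of the known dangerous types (mostly reachable via default typing).
     *<p>
     * A type is rejected if:
     *<ul>
     * <li>the fully-qualified name of its raw class is in {@link #_cfgIllegalClassNames}; or</li>
     * <li>it is a class (not an interface) in the {@code org.springframework.} package
     *   whose superclass chain contains a class simply named
     *   {@code AbstractPointcutAdvisor} or {@code AbstractApplicationContext}; or</li>
     * <li>it is a class (not an interface) in the {@code com.mchange.v2.c3p0.} package
     *   whose name ends with {@code DataSource}.</li>
     *</ul>
     * Note that the two package-scoped heuristics are gated on the package of the
     * type being checked: a subclass of one of the Spring base types that is declared
     * in some other package is not caught by them, only by an exact name match.
     *
     * @param ctxt Deserialization context, used for constructing the exception
     * @param type Type to validate; only its raw class is inspected
     *
     * @throws JsonMappingException if the type is considered unsafe to deserialize
     */
    public void validateSubType(DeserializationContext ctxt, JavaType type)
        throws JsonMappingException
    {
        final Class<?> raw = type.getRawClass();
        final String full = raw.getName();
        if (_isIllegalType(raw, full)) {
            throw JsonMappingException.from(ctxt,
                    String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
        }
    }

    /**
     * Helper method that applies the configured deny-list and the package-specific
     * heuristics described on {@link #validateSubType}.
     *
     * @param raw Raw class of the type being validated
     * @param full Fully-qualified name of {@code raw}
     *
     * @return {@code true} if the type must not be deserialized, {@code false} otherwise
     */
    protected boolean _isIllegalType(Class<?> raw, String full)
    {
        // 1. Exact name match against the configured deny-list
        if (_cfgIllegalClassNames.contains(full)) {
            return true;
        }
        // 2. Package-specific heuristics apply to classes only, not interfaces
        //    (as per [databind#1855])
        if (raw.isInterface()) {
            return false;
        }
        if (full.startsWith(PREFIX_SPRING)) {
            // [databind#1855]: the known gadgets ("AbstractBeanFactoryPointcutAdvisor",
            // "FileSystemXmlApplicationContext") are concrete subclasses of these abstract
            // types, and there is no legitimate reason to deserialize any member of either
            // family -- so walk up the hierarchy and block them all.
            for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
                String simpleName = cls.getSimpleName();
                if ("AbstractPointcutAdvisor".equals(simpleName)
                        || "AbstractApplicationContext".equals(simpleName)) {
                    return true;
                }
            }
            return false;
        }
        if (full.startsWith(PREFIX_C3P0)) {
            // [databind#1737], [databind#1931]: the c3p0 DataSource variants
            // (JndiRefForwardingDataSource, WrapperConnectionPoolDataSource,
            // ComboPooledDataSource, debug.AfterCloseLoggingComboPooledDataSource, ...)
            // all allow JNDI lookups, so block them by name suffix rather than
            // enumerating each one.
            return full.endsWith("DataSource");
        }
        return false;
    }
}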