rspec/rules/S4544/java/rule.adoc

Using unsafe Jackson deserialization configuration is security-sensitive.  It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4995[CVE-2017-4995]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362[CVE-2018-19362]

When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, "deserialization gadgets" may allow an attacker to perform remote code execution. 


This rule raises an issue when:

* ``++enableDefaultTyping()++`` is called on an instance of ``++com.fasterxml.jackson.databind.ObjectMapper++`` or ``++org.codehaus.jackson.map.ObjectMapper++``.
* or when the annotation ``++@JsonTypeInfo++`` is set at class, interface or field levels and configured with ``++use = JsonTypeInfo.Id.CLASS++`` or ``++use = Id.MINIMAL_CLASS++``.


== Ask Yourself Whether

* You configured the Jackson deserializer as mentioned above.
* The serialized data might come from an untrusted source.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

* Use the latest patch versions of ``++jackson-databind++`` blocking the already discovered "deserialization gadgets".
* Avoid using the default typing configuration: ``++ObjectMapper.enableDefaultTyping()++``.
* If possible, use ``++@JsonTypeInfo(use = Id.NAME)++`` instead of ``++@JsonTypeInfo(use = Id.CLASS)++`` or ``++@JsonTypeInfo(use = Id. MINIMAL_CLASS)++`` and so rely on ``++@JsonTypeName++`` and ``++@JsonSubTypes++``.


== Sensitive Code Example

----
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Sensitive
----

----
@JsonTypeInfo(use = Id.CLASS) // Sensitive
abstract class PhoneNumber {
}
----


== See

* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
* OWASP - https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[Deserialization of untrusted data]
* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
* https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062[On Jackson CVEs: Don’t Panic]
* https://nvd.nist.gov/vuln/detail/CVE-2017-15095[CVE-2017-1509]
* https://nvd.nist.gov/vuln/detail/CVE-2017-7525[CVE-2017-7525]
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#JACKSON_UNSAFE_DESERIALIZATION[JACKSON_UNSAFE_DESERIALIZATION]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
+								Using unsafe Jackson deserialization configuration is security-sensitive.  It has led in the past to the following vulnerabilities:
 								* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4995[CVE-2017-4995]
 								* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362[CVE-2018-19362]
 								When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, "deserialization gadgets" may allow an attacker to perform remote code execution.
 								This rule raises an issue when:
 								* ``++enableDefaultTyping()++`` is called on an instance of ``++com.fasterxml.jackson.databind.ObjectMapper++`` or ``++org.codehaus.jackson.map.ObjectMapper++``.
-												SONARJAVA-4055 Modify rule S4544 [java] Document new interface support (#682)


											
										
										
											2022-01-13 14:37:20 +01:00
+								* or when the annotation ``++@JsonTypeInfo++`` is set at class, interface or field levels and configured with ``++use = JsonTypeInfo.Id.CLASS++`` or ``++use = Id.MINIMAL_CLASS++``.
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
-												Fix the missing default metadata fields

											
										
										
											2021-04-28 18:08:03 +02:00
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
+								== Ask Yourself Whether
 								* You configured the Jackson deserializer as mentioned above.
 								* The serialized data might come from an untrusted source.
 								There is a risk if you answered yes to any of those questions.
-												Fix the missing default metadata fields

											
										
										
											2021-04-28 18:08:03 +02:00
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
+								== Recommended Secure Coding Practices
 								* Use the latest patch versions of ``++jackson-databind++`` blocking the already discovered "deserialization gadgets".
 								* Avoid using the default typing configuration: ``++ObjectMapper.enableDefaultTyping()++``.
 								* If possible, use ``++@JsonTypeInfo(use = Id.NAME)++`` instead of ``++@JsonTypeInfo(use = Id.CLASS)++`` or ``++@JsonTypeInfo(use = Id. MINIMAL_CLASS)++`` and so rely on ``++@JsonTypeName++`` and ``++@JsonSubTypes++``.
-												Fix the missing default metadata fields

											
										
										
											2021-04-28 18:08:03 +02:00
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
+								== Sensitive Code Example
 								----
 								ObjectMapper mapper = new ObjectMapper();
 								mapper.enableDefaultTyping(); // Sensitive
 								----
 								----
 								@JsonTypeInfo(use = Id.CLASS) // Sensitive
 								abstract class PhoneNumber {
 								}
 								----
-												Fix the missing default metadata fields

											
										
										
											2021-04-28 18:08:03 +02:00
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
+								== See
-												RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545)


											
										
										
											2021-11-01 15:00:32 +01:00
+								* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
-												Modify: Fix old/broken embedded links (#1100)


											
										
										
											2022-07-08 13:58:56 +02:00
+								* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
 								* OWASP - https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[Deserialization of untrusted data]
-												RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926)

* Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files
											
										
										
											2022-04-07 08:53:59 -05:00
+								* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
+								* https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062[On Jackson CVEs: Don’t Panic]
 								* https://nvd.nist.gov/vuln/detail/CVE-2017-15095[CVE-2017-1509]
 								* https://nvd.nist.gov/vuln/detail/CVE-2017-7525[CVE-2017-7525]
 								* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#JACKSON_UNSAFE_DESERIALIZATION[JACKSON_UNSAFE_DESERIALIZATION]
-												Fix the missing default metadata fields

											
										
										
											2021-04-28 18:08:03 +02:00
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								ifdef::env-github,rspecator-view[]
-												RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346)


											
										
										
											2021-09-20 15:38:42 +02:00
 								'''
 								== Implementation Specification
 								(visible only on this page)
 								include::message.adoc[]
 								include::highlighting.adoc[]
-												RULEAPI-576: add a horizontal rule between rule description and comments


											
										
										
											2021-06-08 15:52:13 +02:00
+								'''
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								== Comments And Links
 								(visible only on this page)
 								include::comments-and-links.adoc[]
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								endif::env-github,rspecator-view[]