ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4544/java/rule.adoc
pedro-oliveira-sonarsource 082b3ef269
Modify: Fix old/broken embedded links (#1100)
2022-07-08 13:58:56 +02:00

72 lines
2.9 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Using unsafe Jackson deserialization configuration is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4995[CVE-2017-4995]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362[CVE-2018-19362]
When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, "deserialization gadgets" may allow an attacker to perform remote code execution.
This rule raises an issue when:
* ``++enableDefaultTyping()++`` is called on an instance of ``++com.fasterxml.jackson.databind.ObjectMapper++`` or ``++org.codehaus.jackson.map.ObjectMapper++``.
* or when the annotation ``++@JsonTypeInfo++`` is set at class, interface or field levels and configured with ``++use = JsonTypeInfo.Id.CLASS++`` or ``++use = Id.MINIMAL_CLASS++``.
== Ask Yourself Whether
* You configured the Jackson deserializer as mentioned above.
* The serialized data might come from an untrusted source.
There is a risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
* Use the latest patch versions of ``++jackson-databind++`` blocking the already discovered "deserialization gadgets".
* Avoid using the default typing configuration: ``++ObjectMapper.enableDefaultTyping()++``.
* If possible, use ``++@JsonTypeInfo(use = Id.NAME)++`` instead of ``++@JsonTypeInfo(use = Id.CLASS)++`` or ``++@JsonTypeInfo(use = Id. MINIMAL_CLASS)++`` and so rely on ``++@JsonTypeName++`` and ``++@JsonSubTypes++``.
== Sensitive Code Example
----
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Sensitive
----
----
@JsonTypeInfo(use = Id.CLASS) // Sensitive
abstract class PhoneNumber {
}
----
== See
* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
* OWASP - https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[Deserialization of untrusted data]
* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
* https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062[On Jackson CVEs: Dont Panic]
* https://nvd.nist.gov/vuln/detail/CVE-2017-15095[CVE-2017-1509]
* https://nvd.nist.gov/vuln/detail/CVE-2017-7525[CVE-2017-7525]
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#JACKSON_UNSAFE_DESERIALIZATION[JACKSON_UNSAFE_DESERIALIZATION]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
include::highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink