ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4544/java/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

84 lines
3.2 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Using unsafe Jackson deserialization configuration is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4995[CVE-2017-4995]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362[CVE-2018-19362]
When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, "deserialization gadgets" may allow an attacker to perform remote code execution.
This rule raises an issue when:
* ``++enableDefaultTyping()++`` is called on an instance of ``++com.fasterxml.jackson.databind.ObjectMapper++`` or ``++org.codehaus.jackson.map.ObjectMapper++``.
* or when the annotation ``++@JsonTypeInfo++`` is set at class, interface or field levels and configured with ``++use = JsonTypeInfo.Id.CLASS++`` or ``++use = Id.MINIMAL_CLASS++``.
== Ask Yourself Whether
* You configured the Jackson deserializer as mentioned above.
* The serialized data might come from an untrusted source.
There is a risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
* Use the latest patch versions of ``++jackson-databind++`` blocking the already discovered "deserialization gadgets".
* Avoid using the default typing configuration: ``++ObjectMapper.enableDefaultTyping()++``.
* If possible, use ``++@JsonTypeInfo(use = Id.NAME)++`` instead of ``++@JsonTypeInfo(use = Id.CLASS)++`` or ``++@JsonTypeInfo(use = Id. MINIMAL_CLASS)++`` and so rely on ``++@JsonTypeName++`` and ``++@JsonSubTypes++``.
== Sensitive Code Example
----
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Sensitive
----
----
@JsonTypeInfo(use = Id.CLASS) // Sensitive
abstract class PhoneNumber {
}
----
== See
* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
* OWASP - https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[Deserialization of untrusted data]
* https://cwe.mitre.org/data/definitions/502[MITRE, CWE-502] - Deserialization of Untrusted Data
* https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062[On Jackson CVEs: Dont Panic]
* https://nvd.nist.gov/vuln/detail/CVE-2017-15095[CVE-2017-1509]
* https://nvd.nist.gov/vuln/detail/CVE-2017-7525[CVE-2017-7525]
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#JACKSON_UNSAFE_DESERIALIZATION[JACKSON_UNSAFE_DESERIALIZATION]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure using this Jackson deserialization configuration is safe here.
=== Highlighting
* call to ``++enableDefaultTyping()++``
* @JsonTypeInfo + JsonTypeInfo.Id.CLASS or JsonTypeInfo.Id.MINIMAL_CLASS
'''
== Comments And Links
(visible only on this page)
=== on 27 Mar 2018, 11:29:52 Alexandre Gigleux wrote:
This is a "Security Finding".
=== on 27 Mar 2018, 14:02:55 Alexandre Gigleux wrote:
JsonTypeInfo = com.fasterxml.jackson.annotation.JsonTypeInfo
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink