1 parent
f031f27
commit 2235894
Showing
2 changed files
with
103 additions
and
49 deletions.
98 changes: 98 additions & 0 deletions
98
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -0,0 +1,98 @@ | ||
package com.fasterxml.jackson.databind.jsontype.impl; | ||
|
||
import java.util.Collections; | ||
import java.util.HashSet; | ||
import java.util.Set; | ||
|
||
import com.fasterxml.jackson.databind.DeserializationContext; | ||
import com.fasterxml.jackson.databind.JavaType; | ||
import com.fasterxml.jackson.databind.JsonMappingException; | ||
|
||
/** | ||
* Helper class used to encapsulate rules that determine subtypes that | ||
* are invalid to use, even with default typing, mostly due to security | ||
* concerns. | ||
* Used by <code>BeanDeserializerFacotry</code> | ||
* | ||
* @since 2.8.11 | ||
*/ | ||
public class SubTypeValidator | ||
{ | ||
protected final static String PREFIX_STRING = "org.springframework."; | ||
/** | ||
* Set of well-known "nasty classes", deserialization of which is considered dangerous | ||
* and should (and is) prevented by default. | ||
*/ | ||
protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES; | ||
static { | ||
Set<String> s = new HashSet<String>(); | ||
// Courtesy of [https://github.com/kantega/notsoserial]: | ||
// (and wrt [databind#1599]) | ||
s.add("org.apache.commons.collections.functors.InvokerTransformer"); | ||
s.add("org.apache.commons.collections.functors.InstantiateTransformer"); | ||
s.add("org.apache.commons.collections4.functors.InvokerTransformer"); | ||
s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); | ||
s.add("org.codehaus.groovy.runtime.ConvertedClosure"); | ||
s.add("org.codehaus.groovy.runtime.MethodClosure"); | ||
s.add("org.springframework.beans.factory.ObjectFactory"); | ||
s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); | ||
s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); | ||
// [databind#1680]: may or may not be problem, take no chance | ||
s.add("com.sun.rowset.JdbcRowSetImpl"); | ||
// [databind#1737]; JDK provided | ||
s.add("java.util.logging.FileHandler"); | ||
s.add("java.rmi.server.UnicastRemoteObject"); | ||
// [databind#1737]; 3rd party | ||
//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855] | ||
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); | ||
s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); | ||
s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); | ||
// [databind#1855]: more 3rd party | ||
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); | ||
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); | ||
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); | ||
} | ||
|
||
/** | ||
* Set of class names of types that are never to be deserialized. | ||
*/ | ||
protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; | ||
|
||
private final static SubTypeValidator instance = new SubTypeValidator(); | ||
|
||
protected SubTypeValidator() { } | ||
|
||
public static SubTypeValidator instance() { return instance; } | ||
|
||
public void validateSubType(DeserializationContext ctxt, JavaType type) throws JsonMappingException | ||
{ | ||
// There are certain nasty classes that could cause problems, mostly | ||
// via default typing -- catch them here. | ||
final Class<?> raw = type.getRawClass(); | ||
String full = raw.getName(); | ||
|
||
do { | ||
if (_cfgIllegalClassNames.contains(full)) { | ||
break; | ||
} | ||
|
||
// 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling | ||
// for some Spring framework types | ||
if (full.startsWith(PREFIX_STRING)) { | ||
for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) { | ||
String name = cls.getSimpleName(); | ||
// looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? | ||
if ("AbstractPointcutAdvisor".equals(name) | ||
// ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts | ||
|| "AbstractApplicationContext.equals".equals(name)) { | ||
cowtowncoder
Author
Member
|
||
break; | ||
cowtowncoder
Author
Member
|
||
} | ||
} | ||
} | ||
return; | ||
} while (false); | ||
|
||
throw JsonMappingException.from(ctxt, | ||
String.format("Illegal type (%s) to deserialize: prevented for security reasons", full)); | ||
} | ||
} |
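Review bot: The superclass walk in validateSubType can throw NullPointerException instead of the intended JsonMappingException: for an interface type whose name starts with the "org.springframework." prefix and is not in the explicit set, `raw.getSuperclass()` returns null, the `cls != Object.class` condition does not stop the loop, and `cls.getSimpleName()` dereferences null. Since this code runs on attacker-influenced type ids under default typing, the validator should fail closed with the same exception path rather than surfacing an NPE to the caller; the guard is one line, `for (Class<?> cls = raw; cls != null && cls != Object.class; cls = cls.getSuperclass()) {`. Separately, the class Javadoc on the "Used by" line misspells the caller as "BeanDeserializerFacotry"; `* Used by {@code BeanDeserializerFactory}` would read correctly.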
Are you sure this is not a typo?