1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
|
package com.fasterxml.jackson.databind.jsontype.impl;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import com.fasterxml.jackson.databind.BeanDescription;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
/**
* Helper class used to encapsulate rules that determine subtypes that
* are invalid to use, even with default typing, mostly due to security
* concerns.
* Used by <code>BeanDeserializerFactory</code>
*
* @since 2.8.11
*/
public class SubTypeValidator
{
protected final static String PREFIX_SPRING = "org.springframework.";
protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
/**
* Set of well-known "nasty classes", deserialization of which is considered dangerous
* and should (and is) prevented by default.
*/
protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
static {
Set<String> s = new HashSet<String>();
// Courtesy of [https://github.com/kantega/notsoserial]:
// (and wrt [databind#1599])
s.add("org.apache.commons.collections.functors.InvokerTransformer");
s.add("org.apache.commons.collections.functors.InstantiateTransformer");
s.add("org.apache.commons.collections4.functors.InvokerTransformer");
s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
s.add("org.codehaus.groovy.runtime.ConvertedClosure");
s.add("org.codehaus.groovy.runtime.MethodClosure");
s.add("org.springframework.beans.factory.ObjectFactory");
s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
// [databind#1680]: may or may not be problem, take no chance
s.add("com.sun.rowset.JdbcRowSetImpl");
// [databind#1737]; JDK provided
s.add("java.util.logging.FileHandler");
s.add("java.rmi.server.UnicastRemoteObject");
// [databind#1737]; 3rd party
//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
// [databind#2680]
s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
// [databind#1855]: more 3rd party
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
// [databind#1899]: more 3rd party
s.add("org.hibernate.jmx.StatisticsService");
s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
// [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
s.add("org.apache.ibatis.parsing.XPathParser");
// [databind#2052]: Jodd-db, with jndi/ldap lookup
s.add("jodd.db.connection.DataSourceConnectionProvider");
// [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
// [databind#2097]: some 3rd party, one JDK-bundled
s.add("org.slf4j.ext.EventData");
s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
s.add("com.sun.deploy.security.ruleset.DRSHelper");
s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
// [databind#2186], [databind#2670]: yet more 3rd party gadgets
s.add("org.jboss.util.propertyeditor.DocumentEditor");
s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
// [databind#2326] (2.9.9)
s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
// [databind#2334]: logback-core (2.9.9.1)
s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
// [databind#2341]: jdom/jdom2 (2.9.9.1)
s.add("org.jdom.transform.XSLTransformer");
s.add("org.jdom2.transform.XSLTransformer");
// [databind#2387], [databind#2460]: EHCache
s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
// [databind#2389]: logback/jndi
s.add("ch.qos.logback.core.db.JNDIConnectionSource");
// [databind#2410]: HikariCP/metricRegistry config
s.add("com.zaxxer.hikari.HikariConfig");
// [databind#2449]: and sub-class thereof
s.add("com.zaxxer.hikari.HikariDataSource");
// [databind#2420]: CXF/JAX-RS provider/XSLT
s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
// [databind#2462]: commons-configuration / -2
s.add("org.apache.commons.configuration.JNDIConfiguration");
s.add("org.apache.commons.configuration2.JNDIConfiguration");
// [databind#2469]: xalan
s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
// [databind#2704]: xalan2
s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
// [databind#2478]: comons-dbcp, p6spy
s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
s.add("com.p6spy.engine.spy.P6DataSource");
// [databind#2498]: log4j-extras (1.2)
s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
// [databind#2526]: some more ehcache
s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
// [databind#2620]: xbean-reflect
s.add("org.apache.xbean.propertyeditor.JndiConverter");
// [databind#2631]: shaded hikari-config
s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
// [databind#2634]: ibatis-sqlmap, anteros-core
s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
// [databind#2642]: javax.swing (jdk)
s.add("javax.swing.JEditorPane");
// [databind#2648], [databind#2653]: shire-core
s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
s.add("org.apache.shiro.jndi.JndiObjectFactory");
// [databind#2658]: ignite-jta (, quartz-core)
s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
s.add("org.quartz.utils.JNDIConnectionProvider");
// [databind#2659]: aries.transaction.jms
s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
// [databind#2660]: caucho-quercus
s.add("com.caucho.config.types.ResourceRef");
// [databind#2662]: aoju/bus-proxy
s.add("org.aoju.bus.proxy.provider.RmiProvider");
s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
// [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
s.add("org.apache.activemq.pool.PooledConnectionFactory");
s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
// [databind#2666]: apache/commons-jms
s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
// [databind#2682]: commons-jelly
s.add("org.apache.commons.jelly.impl.Embedded");
// [databind#2688]: apache/drill
s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
// [databind#2698]: weblogic w/ oracle/aq-jms
// (note: dependency not available via Maven Central, but as part of
// weblogic installation, possibly fairly old version(s))
s.add("oracle.jms.AQjmsQueueConnectionFactory");
s.add("oracle.jms.AQjmsXATopicConnectionFactory");
s.add("oracle.jms.AQjmsTopicConnectionFactory");
s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
s.add("oracle.jms.AQjmsXAConnectionFactory");
// [databind#2764]: org.jsecurity:
s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
/**
* Set of class names of types that are never to be deserialized.
*/
protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
private final static SubTypeValidator instance = new SubTypeValidator();
protected SubTypeValidator() { }
public static SubTypeValidator instance() { return instance; }
public void validateSubType(DeserializationContext ctxt, JavaType type,
BeanDescription beanDesc) throws JsonMappingException
{
// There are certain nasty classes that could cause problems, mostly
// via default typing -- catch them here.
final Class<?> raw = type.getRawClass();
String full = raw.getName();
main_check:
do {
if (_cfgIllegalClassNames.contains(full)) {
break;
}
// 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
// for some Spring framework types
// 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
if (raw.isInterface()) {
;
} else if (full.startsWith(PREFIX_SPRING)) {
for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
String name = cls.getSimpleName();
// looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
if ("AbstractPointcutAdvisor".equals(name)
// ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
|| "AbstractApplicationContext".equals(name)) {
break main_check;
}
}
} else if (full.startsWith(PREFIX_C3P0)) {
// [databind#1737]; more 3rd party
// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
// [databind#1931]; more 3rd party
// com.mchange.v2.c3p0.ComboPooledDataSource
// com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
if (full.endsWith("DataSource")) {
break main_check;
}
}
return;
} while (false);
ctxt.reportBadTypeDefinition(beanDesc,
"Illegal type (%s) to deserialize: prevented for security reasons", full);
}
}
|
