Jackson can be configured to allow Polymorphic Type Handling, which may expose the application to deserialization attacks.
When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, "deserialization gadgets" may allow an attacker to perform remote code execution.
This rule raises an issue when:
- enableDefaultTyping() is called on an instance of com.fasterxml.jackson.databind.ObjectMapper or org.codehaus.jackson.map.ObjectMapper.
- @JsonTypeInfo is set at class, interface or field level and configured with use = JsonTypeInfo.Id.CLASS or use = Id.MINIMAL_CLASS.

If an attacker can control the serialized data, they can craft malicious payloads that exploit deserialization gadgets present on the classpath. This can lead to remote code execution, allowing the attacker to run arbitrary commands on the server.
Noncompliant code example:
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Noncompliant
@JsonTypeInfo(use = Id.CLASS) // Noncompliant
abstract class PhoneNumber {
}
Compliant solution:
ObjectMapper mapper = new ObjectMapper();
@JsonTypeInfo(use = Id.NAME)
abstract class PhoneNumber {
}