Jackson can be configured to allow Polymorphic Type Handling, which may expose the application to deserialization attacks.

Why is this an issue?

When Jackson is configured to allow Polymorphic Type Handling (PTH), formerly known as Polymorphic Deserialization, the JSON document itself can name the class to instantiate. Any "deserialization gadget" class present on the classpath then becomes reachable through a crafted payload, and such gadgets may allow an attacker to perform remote code execution.

This rule raises an issue when:

What is the potential impact?

If an attacker can control the serialized data, they can craft malicious payloads that exploit deserialization gadgets present on the classpath. This can lead to remote code execution, allowing the attacker to run arbitrary commands on the server.

How to fix it

Code examples

Noncompliant code example

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.annotation.JsonTypeInfo.Id;
import com.fasterxml.jackson.databind.ObjectMapper;

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Noncompliant: any class named in the JSON can be instantiated

@JsonTypeInfo(use = Id.CLASS) // Noncompliant: the JSON carries a fully qualified class name
abstract class PhoneNumber {
}

Compliant solution

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.annotation.JsonTypeInfo.Id;
import com.fasterxml.jackson.databind.ObjectMapper;

ObjectMapper mapper = new ObjectMapper(); // default typing left disabled

@JsonTypeInfo(use = Id.NAME) // logical type names, resolved only against registered subtypes
abstract class PhoneNumber {
}
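As an added example (not code from the rule page or from Jackson's own documentation), the compliant pattern carried one step further: an explicit @JsonSubTypes allowlist behind Id.NAME, and, where default typing cannot be avoided, Jackson 2.10's PolymorphicTypeValidator in place of the deprecated enableDefaultTyping(). The class names MobileNumber and LandlineNumber, the method restrictedMapper and the JSON inputs are constructed for this illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphism {

    // Logical type names map to an explicit list of subtypes; a payload naming
    // anything else is rejected at parse time instead of loading a class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = MobileNumber.class, name = "mobile"),
        @JsonSubTypes.Type(value = LandlineNumber.class, name = "landline")
    })
    public static abstract class PhoneNumber {
        public String number;
    }

    public static class MobileNumber extends PhoneNumber {}

    public static class LandlineNumber extends PhoneNumber {
        public String extension;
    }

    // If default typing is genuinely required (Jackson 2.10+), restrict it with a
    // PolymorphicTypeValidator rather than calling enableDefaultTyping().
    public static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(PhoneNumber.class) // only this hierarchy may be instantiated
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Constructed input: a logical name, not a class name, selects the subtype.
        PhoneNumber p = mapper.readValue(
            "{\"type\":\"mobile\",\"number\":\"+1-555-0100\"}", PhoneNumber.class);
        System.out.println(p.getClass().getSimpleName() + " " + p.number);

        // Constructed input naming an unregistered type: Jackson raises
        // InvalidTypeIdException; no arbitrary class is resolved or loaded.
        try {
            mapper.readValue("{\"type\":\"java.lang.Object\",\"number\":\"x\"}", PhoneNumber.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```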

Resources

Documentation

Articles & blog posts

Standards