CVE-2017-7525

@@ -10,7 +10,7 @@
 
   <groupId>com.fasterxml.jackson.core</groupId>
   <artifactId>jackson-databind</artifactId>
-  <version>2.6.8-SNAPSHOT</version>
+  <version>2.6.7.1-SNAPSHOT</version>
   <name>jackson-databind</name>
   <packaging>bundle</packaging>
   <description>General data-binding functionality for Jackson: works on core streaming API</description>

@@ -4,9 +4,10 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
-2.6.8 (if ever released)
+2.6.7.1 (11-Jul-2017)
 
 #1383: Problem with `@JsonCreator` with 1-arg factory-method, implicit param names
+#1599: Backport the extra safety checks for polymorphic deserialization
 
 2.6.7 (05-Jun-2016)
 

@@ -40,7 +40,32 @@ public class BeanDeserializerFactory
     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
 
     private final static Class<?>[] NO_VIEWS = new Class<?>[0];
-    
+
+    /**
+     * Set of well-known "nasty classes", deserialization of which is considered dangerous
+     * and should (and is) prevented by default.
+     */
+    private final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+    static {
+        Set<String> s = new HashSet<String>();
+        // Courtesy of [https://github.com/kantega/notsoserial]:
+        // (and wrt [databind#1599]
+        s.add("org.apache.commons.collections.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+        s.add("org.codehaus.groovy.runtime.MethodClosure");
+        s.add("org.springframework.beans.factory.ObjectFactory");
+        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+    }
+
+    /**
+     * Set of class names of types that are never to be deserialized.
+     */
+    private Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
     /*
     /**********************************************************
     /* Life-cycle
@@ -138,6 +163,8 @@ public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ct
         if (!isPotentialBeanType(type.getRawClass())) {
             return null;
         }
+        // For checks like [databind#1599]
+        checkIllegalTypes(ctxt, type, beanDesc);
         // Use generic bean introspection to build deserializer
         return buildBeanDeserializer(ctxt, type, beanDesc);
     }
@@ -836,4 +863,20 @@ protected boolean isIgnorableType(DeserializationConfig config, BeanDescription
         // We default to 'false', i.e. not ignorable
         return (status == null) ? false : status.booleanValue(); 
     }
+
+    private void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+            BeanDescription beanDesc)
+        throws JsonMappingException
+    {
+        // There are certain nasty classes that could cause problems, mostly
+        // via default typing -- catch them here.
+        String full = type.getRawClass().getName();
+
+        if (_cfgIllegalClassNames.contains(full)) {
+            String message = String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+                    full);
+            throw ctxt.mappingException("Invalid type definition for type %s: %s",
+                    beanDesc, message);
+        }
+    }
 }

@@ -0,0 +1,40 @@
+package com.fasterxml.jackson.databind.interop;
+
+import com.fasterxml.jackson.databind.*;
+
+/**
+ * Test case(s) to guard against handling of types that are illegal to handle
+ * due to security constraints.
+ */
+public class IllegalTypesCheckTest extends BaseMapTest
+{
+    static class Bean1599 {
+        public int id;
+        public Object obj;
+    }
+
+    public void testIssue1599() throws Exception
+    {
+        final String JSON = aposToQuotes(
+ "{'id': 124,\n"
++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
++"  {\n"
++"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
++"    'transletName' : 'a.b',\n"
++"    'outputProperties' : { }\n"
++"  }\n"
++" ]\n"
++"}"
+        );
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            mapper.readValue(JSON, Bean1599.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            verifyException(e, "Illegal type");
+            verifyException(e, "to deserialize");
+            verifyException(e, "prevented for security reasons");
+        }
+    }
+}
\ No newline at end of file

@@ -55,6 +55,7 @@ public class BeanDeserializerFactory
         s.add("org.codehaus.groovy.runtime.MethodClosure");
         s.add("org.springframework.beans.factory.ObjectFactory");
         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

@@ -58,6 +58,7 @@ public class BeanDeserializerFactory
         s.add("org.codehaus.groovy.runtime.MethodClosure");
         s.add("org.springframework.beans.factory.ObjectFactory");
         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

@@ -57,6 +57,7 @@ public class BeanDeserializerFactory
         s.add("org.codehaus.groovy.runtime.MethodClosure");
         s.add("org.springframework.beans.factory.ObjectFactory");
         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

@@ -80,6 +80,8 @@ Project: jackson-databind
 #1585: Invoke ServiceLoader.load() inside of a privileged block when loading
   modules using `ObjectMapper.findModules()`
  (contributed by Ivo S)
+#1599: Jackson Deserializer security vulnerability
+ (reported by ayound@github)
 
 2.8.8 (05-Apr-2017)
 

@@ -36,6 +36,35 @@ public class BeanDeserializerFactory
      */
     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
 
+    /**
+     * Set of well-known "nasty classes", deserialization of which is considered dangerous
+     * and should (and is) prevented by default.
+     *
+     * @since 2.8.9
+     */
+    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+    static {
+        Set<String> s = new HashSet<>();
+        // Courtesy of [https://github.com/kantega/notsoserial]:
+        // (and wrt [databind#1599]
+        s.add("org.apache.commons.collections.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+        s.add("org.codehaus.groovy.runtime.MethodClosure");
+        s.add("org.springframework.beans.factory.ObjectFactory");
+        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+    }
+
+    /**
+     * Set of class names of types that are never to be deserialized.
+     *
+     * @since 2.8.9
+     */
+    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
     /*
     /**********************************************************
     /* Life-cycle
@@ -130,6 +159,8 @@ public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ct
         if (!isPotentialBeanType(type.getRawClass())) {
             return null;
         }
+        // For checks like [databind#1599]
+        checkIllegalTypes(ctxt, type, beanDesc);
         // Use generic bean introspection to build deserializer
         return buildBeanDeserializer(ctxt, type, beanDesc);
     }
@@ -901,4 +932,21 @@ protected boolean isIgnorableType(DeserializationConfig config, BeanPropertyDefi
         ignoredTypes.put(type, status);
         return status.booleanValue();
     }
+
+    /**
+     * @since 2.8.9
+     */
+    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+            BeanDescription beanDesc)
+        throws JsonMappingException
+    {
+        // There are certain nasty classes that could cause problems, mostly
+        // via default typing -- catch them here.
+        String full = type.getRawClass().getName();
+
+        if (_cfgIllegalClassNames.contains(full)) {
+            ctxt.reportBadTypeDefinition(beanDesc,
+                    "Illegal type (%s) to deserialize: prevented for security reasons", full);
+        }
+    }
 }

@@ -0,0 +1,45 @@
+package com.fasterxml.jackson.databind.interop;
+
+import com.fasterxml.jackson.databind.*;
+import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
+
+/**
+ * Test case(s) to guard against handling of types that are illegal to handle
+ * due to security constraints.
+ */
+public class IllegalTypesCheckTest extends BaseMapTest
+{
+    static class Bean1599 {
+        public int id;
+        public Object obj;
+    }
+    
+    public void testIssue1599() throws Exception
+    {
+        final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
+        final String JSON = aposToQuotes(
+ "{'id': 124,\n"
++" 'obj':[ '"+NASTY_CLASS+"',\n"
++"  {\n"
++"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
++"    'transletName' : 'a.b',\n"
++"    'outputProperties' : { }\n"
++"  }\n"
++" ]\n"
++"}"
+        );
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            mapper.readValue(JSON, Bean1599.class);
+            fail("Should not pass");
+        } catch (InvalidDefinitionException e) {
+            verifyException(e, "Illegal type");
+            verifyException(e, "to deserialize");
+            verifyException(e, "prevented for security reasons");
+            BeanDescription desc = e.getBeanDescription();
+            assertNotNull(desc);
+            assertEquals(NASTY_CLASS, desc.getBeanClass().getName());
+        }
+    }
+}

@@ -8,6 +8,8 @@ Project: jackson-databind
 #1585: Invoke ServiceLoader.load() inside of a privileged block when loading
   modules using `ObjectMapper.findModules()`
  (contributed by Ivo S)
+#1599: Jackson Deserializer security vulnerability
+ (reported by ayound@github)
 
 2.8.8 (05-Apr-2017)
 

@@ -38,7 +38,36 @@ public class BeanDeserializerFactory
     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
 
     private final static Class<?>[] NO_VIEWS = new Class<?>[0];
-    
+
+    /**
+     * Set of well-known "nasty classes", deserialization of which is considered dangerous
+     * and should (and is) prevented by default.
+     *
+     * @since 2.8.9
+     */
+    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+    static {
+        Set<String> s = new HashSet<>();
+        // Courtesy of [https://github.com/kantega/notsoserial]:
+        // (and wrt [databind#1599]
+        s.add("org.apache.commons.collections.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+        s.add("org.codehaus.groovy.runtime.MethodClosure");
+        s.add("org.springframework.beans.factory.ObjectFactory");
+        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+    }
+
+    /**
+     * Set of class names of types that are never to be deserialized.
+     *
+     * @since 2.8.9
+     */
+    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
     /*
     /**********************************************************
     /* Life-cycle
@@ -137,6 +166,8 @@ public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ct
         if (!isPotentialBeanType(type.getRawClass())) {
             return null;
         }
+        // For checks like [databind#1599]
+        checkIllegalTypes(ctxt, type, beanDesc);
         // Use generic bean introspection to build deserializer
         return buildBeanDeserializer(ctxt, type, beanDesc);
     }
@@ -855,4 +886,21 @@ protected boolean isIgnorableType(DeserializationConfig config, BeanDescription
         ignoredTypes.put(type, status);
         return status.booleanValue();
     }
+
+    /**
+     * @since 2.8.9
+     */
+    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+            BeanDescription beanDesc)
+        throws JsonMappingException
+    {
+        // There are certain nasty classes that could cause problems, mostly
+        // via default typing -- catch them here.
+        String full = type.getRawClass().getName();
+
+        if (_cfgIllegalClassNames.contains(full)) {
+            ctxt.reportBadTypeDefinition(beanDesc,
+                    "Illegal type (%s) to deserialize: prevented for security reasons", full);
+        }
+    }
 }

@@ -0,0 +1,40 @@
+package com.fasterxml.jackson.databind.interop;
+
+import com.fasterxml.jackson.databind.*;
+
+/**
+ * Test case(s) to guard against handling of types that are illegal to handle
+ * due to security constraints.
+ */
+public class IllegalTypesCheckTest extends BaseMapTest
+{
+    static class Bean1599 {
+        public int id;
+        public Object obj;
+    }
+    
+    public void testIssue1599() throws Exception
+    {
+        final String JSON = aposToQuotes(
+ "{'id': 124,\n"
++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
++"  {\n"
++"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
++"    'transletName' : 'a.b',\n"
++"    'outputProperties' : { }\n"
++"  }\n"
++" ]\n"
++"}"
+        );
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            mapper.readValue(JSON, Bean1599.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            verifyException(e, "Illegal type");
+            verifyException(e, "to deserialize");
+            verifyException(e, "prevented for security reasons");
+        }
+    }
+}

@@ -6,6 +6,8 @@ Project: jackson-databind
 
 2.7.10 (not yet released)
 
+#1599: Jackson Deserializer security vulnerability
+ (reported by ayound@github)
 - Minor robustification of method resolution in `AnnotatedClass`
 
 2.7.9 (04-Feb-2017)

@@ -139,6 +139,8 @@ public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ct
         if (!isPotentialBeanType(type.getRawClass())) {
             return null;
         }
+        // For checks like [databind#1599]
+        checkIllegalTypes(ctxt, type, beanDesc);
         // Use generic bean introspection to build deserializer
         return buildBeanDeserializer(ctxt, type, beanDesc);
     }
@@ -834,4 +836,25 @@ protected boolean isIgnorableType(DeserializationConfig config, BeanDescription
         // We default to 'false', i.e. not ignorable
         return (status == null) ? false : status.booleanValue(); 
     }
+
+    /**
+     * @since 2.8.9
+     */
+    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+            BeanDescription beanDesc)
+        throws JsonMappingException
+    {
+        // There are certain nasty classes that could cause problems, mostly
+        // via default typing -- catch them here.
+        Class<?> raw = type.getRawClass();
+        String name = raw.getSimpleName();
+
+        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
+            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+                throw JsonMappingException.from(ctxt,
+                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+                                name));
+            }
+        }
+    }
 }

@@ -0,0 +1,40 @@
+package com.fasterxml.jackson.databind.interop;
+
+import com.fasterxml.jackson.databind.*;
+
+/**
+ * Test case(s) to guard against handling of types that are illegal to handle
+ * due to security constraints.
+ */
+public class IllegalTypesCheckTest extends BaseMapTest
+{
+    static class Bean1599 {
+        public int id;
+        public Object obj;
+    }
+    
+    public void testIssue1599() throws Exception
+    {
+        final String JSON = aposToQuotes(
+ "{'id': 124,\n"
++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
++"  {\n"
++"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
++"    'transletName' : 'a.b',\n"
++"    'outputProperties' : { }\n"
++"  }\n"
++" ]\n"
++"}"
+        );
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.enableDefaultTyping();
+        try {
+            mapper.readValue(JSON, Bean1599.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            verifyException(e, "Illegal type");
+            verifyException(e, "to deserialize");
+            verifyException(e, "prevented for security reasons");
+        }
+    }
+}