--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2016-07-23 03:36:51.000000000 +0100
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2017-07-20 15:42:39.836790820 +0100
@@ -139,6 +139,8 @@
 if (!isPotentialBeanType(type.getRawClass())) {
 return null;
 }
+ // For checks like [databind#1599]
+ checkIllegalTypes(ctxt, type, beanDesc);
 // Use generic bean introspection to build deserializer
 return buildBeanDeserializer(ctxt, type, beanDesc);
 }
@@ -826,4 +828,22 @@
 // We default to 'false', i.e. not ignorable
 return (status == null) ? false : status.booleanValue();
 }
+
+ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+ BeanDescription beanDesc)
+ throws JsonMappingException
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+ Class raw = type.getRawClass();
+ String name = raw.getSimpleName();
+
+ if ("TemplatesImpl".equals(name)) { // [databind#1599]
+ if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+ throw JsonMappingException.from(ctxt,
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+ name));
+ }
+ }
+ }
 }
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
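Review bot: The new `checkIllegalTypes` call guards only the path that reaches this point in `createBeanDeserializer`; the start of that method is before the hunk, so it is not visible whether an earlier branch (a custom-deserializer lookup or abstract-type mapping, for instance) can return before the guard runs, and if this factory also has a builder-based creation path it is not covered by this call. Worth confirming that every route that turns a type id received through default typing into a deserializer passes through this check, and saying so in the comment, which currently cites only an issue number: `// Reject well-known gadget classes (see [databind#1599]) before any deserializer is built for this type; a name-based denylist, not a substitute for keeping default typing off for untrusted input`. `createBeanDeserializer` begins outside this hunk.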
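Review bot: `checkIllegalTypes` is introduced as a `protected` extension point with no Javadoc, so a subclass of this factory that overrides it gets no hint that it must delegate to `super` to keep the built-in protection, and nothing states that a match is reported by throwing rather than by a return value. Suggest a short Javadoc above the signature: `/** Helper method called to reject types that must never be deserialized, such as well-known gadget classes reachable via default typing. */`, `/* Throws JsonMappingException on a match; overrides must call super to retain the default checks. */`, merged into one comment block. The `beanDesc` parameter is unused in this version, which the doc could also note so that overrides know it is available for their own checks.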
@@ -39,7 +39,33 @@
 private final static Class[] INIT_CAUSE_PARAMS = new Class[] { Throwable.class };
 
 private final static Class[] NO_VIEWS = new Class[0];
-
+
+ /**
+ * Set of well-known "nasty classes", deserialization of which is considered dangerous
+ * and should (and is) prevented by default.
+ */
+ protected final static Set DEFAULT_NO_DESER_CLASS_NAMES;
+ static {
+ Set s = new HashSet();
+ // Courtesy of [https://github.com/kantega/notsoserial]:
+ // (and wrt [databind#1599]
+ s.add("org.apache.commons.collections.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+ s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+ s.add("org.codehaus.groovy.runtime.MethodClosure");
+ s.add("org.springframework.beans.factory.ObjectFactory");
+ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+ /**
+ * Set of class names of types that are never to be deserialized.
+ */
+ protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
 /*
 /**********************************************************
 /* Life-cycle
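Review bot: The Javadoc on `DEFAULT_NO_DESER_CLASS_NAMES` says these types are "prevented by default" without stating the limits of the mechanism: the set holds fully-qualified class names, so it can only ever match a type whose binary name is exactly one of these strings, and it is a point-in-time list that will lag newly published gadgets. Suggest extending the comment with `* Matched by exact binary class name ({@link Class#getName()}, so nested classes use '$'); subclasses and relocated/shaded copies of these types are not covered, and this list is a safety net, not a substitute for leaving default typing disabled for untrusted input.` `_cfgIllegalClassNames` is a mutable `protected` field with no accessor; its doc should say that a subclass replacing it must provide an unmodifiable set, since the default is built with `Collections.unmodifiableSet` and the factory instance is presumably shared. The `Set`/`HashSet` declarations appear raw here; if that is not the page rendering dropping `<String>`, they should be `Set<String>` and `new HashSet<String>()`.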
@@ -846,15 +871,11 @@ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
 {
 // There are certain nasty classes that could cause problems, mostly
 // via default typing -- catch them here.
- Class raw = type.getRawClass();
- String name = raw.getSimpleName();
-
- if ("TemplatesImpl".equals(name)) { // [databind#1599]
- if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
- throw JsonMappingException.from(ctxt,
- String.format("Illegal type (%s) to deserialize: prevented for security reasons",
- name));
- }
+ String full = type.getRawClass().getName();
+
+ if (_cfgIllegalClassNames.contains(full)) {
+ throw JsonMappingException.from(ctxt,
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
 }
 }
 }
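Review bot: `_cfgIllegalClassNames.contains(full)` matches only the exact binary name of the requested type, so any subclass of a blocked class on the classpath passes the check while inheriting the behaviour that made its parent a gadget (for `TemplatesImpl`, the same transformer-loading getters), and an entry such as `org.springframework.beans.factory.ObjectFactory` catches nothing that merely implements it. No such subclass is visible here, but a denylist that is defeated by subclassing is a thin guard, and walking the supertype chain is cheap because this runs once per deserializer construction, not per value. The rewrite below keeps the message and exception type and adds the superclass walk; covering interfaces would additionally need `Class#getInterfaces()`. The method signature (shown in the hunk header) and the `beanDesc` parameter sit before this hunk.

```java
    // … unchanged: signature and leading comments …
    String full = type.getRawClass().getName();
    // Walk the supertype chain as well: a subclass of a blocked gadget inherits
    // its dangerous behaviour, and a denylist keyed on one exact name is
    // trivially bypassed by subclassing. Interfaces (e.g. ObjectFactory) would
    // still need Class#getInterfaces() to be covered.
    for (Class<?> cls = type.getRawClass(); cls != null; cls = cls.getSuperclass()) {
        if (_cfgIllegalClassNames.contains(cls.getName())) {
            throw JsonMappingException.from(ctxt,
                    String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
        }
    }
```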