Change "invalid subtype" (security check) from BeanDeserializerFactory into ClassNameIdResolver #20

Open
cowtowncoder opened this issue Dec 12, 2017 · 0 comments


Jackson 2.x intercepts attempts at deserializing certain "serialization gadget" classes in BeanDeserializerFactory, when locating a deserializer. While this works, it happens at a point at which the Class itself has already been resolved (from class name to Class object).
I am not 100% sure whether this triggers static initialization blocks, but if it does, then there is still a potential concern in allowing that to proceed.
And regardless of this aspect, it seems better to catch the problem earlier, at least to the degree this is possible (some checks do require checking the inheritance hierarchy).

So: it would make sense to handle at least some of the "serialization gadget" checks within ClassNameIdResolver, even if more checks were needed at a later point.
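An added example, not Jackson's code, illustrating the ordering point above: a type-id gate that rejects a denied class name string before any Class object is resolved, followed by a demonstration that `Class.forName(name)` runs a class's static initializer while `Class.forName(name, false, loader)` only loads it. The `GadgetLike` class, its deny-list and the `resolveTypeId` helper are constructed for this example and are not real gadget classes or Jackson APIs.

```java
import java.util.Set;

public class EarlyTypeIdCheck {

    // Incremented by the static initializer of the class below, so we can
    // observe exactly when class initialization happens.
    static int initCount = 0;

    // Stand-in for a "serialization gadget" class: it has a static
    // initializer with a side effect (constructed for this example).
    static class GadgetLike {
        static { EarlyTypeIdCheck.initCount++; }
    }

    // Binary name of the nested class, as a type id string would carry it.
    static final String GADGET = "EarlyTypeIdCheck$GadgetLike";

    // Hypothetical deny-list keyed by the raw type id string.
    static final Set<String> DENIED = Set.of(GADGET);

    // Check the id string first; resolve the Class only when it passes,
    // and resolve with initialize=false so no static block runs here.
    static Class<?> resolveTypeId(String id) throws ClassNotFoundException {
        if (DENIED.contains(id)) {
            throw new IllegalArgumentException("Illegal type id: " + id);
        }
        return Class.forName(id, false, EarlyTypeIdCheck.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = EarlyTypeIdCheck.class.getClassLoader();

        // 1. The denied id is rejected before the class is ever resolved.
        try {
            resolveTypeId(GADGET);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before resolution: " + e.getMessage());
        }
        System.out.println("initCount after early reject = " + initCount);

        // 2. Loading with initialize=false still does not run the static block.
        Class.forName(GADGET, false, cl);
        System.out.println("initCount after forName(name, false, cl) = " + initCount);

        // 3. The one-argument Class.forName initializes the class: the block runs.
        Class.forName(GADGET);
        System.out.println("initCount after forName(name) = " + initCount);
    }
}
```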
