
Potential vulnerability in JSON deserialization #628

Closed
GrrrDog opened this issue Aug 17, 2018 · 5 comments


GrrrDog commented Aug 17, 2018

Current behavior

Jodd's Json parser supports polymorphic deserialization when setClassMetadataName is set.
If an application parses JSON with this configuration from an untrusted source, it could lead to remote code execution.
The problem is quite the same as in other Java JSON libraries.
Here you can read more:

Expected behavior

At least, you should mention the security implications of using setClassMetadataName, similar to Jackson databind.

Steps to Reproduce the Problem

If necessary, I could send an example of JSON which leads to RCE.


igr commented Aug 17, 2018

True. Besides the documentation, I could add additional optional class name checks. For example, only to allow instantiation of classes from e.g. foo.domain.* (using wildcards).

wdyt?

@igr igr self-assigned this Aug 17, 2018

GrrrDog commented Aug 17, 2018

Class name check (whitelist) is a good solution.


igr commented Aug 17, 2018

Need a little help with naming:

Would the allowClass(String pattern) method name be a good one?

@igr igr closed this as completed in 9bffc39 Aug 17, 2018
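The allow-list discussed above (only instantiate classes whose name matches a wildcard pattern such as foo.domain.*) is easy to get subtly wrong, so here is a stand-alone illustration of the check. This is an added example written for this thread, not Jodd's code and not the commit that closed the issue; the class name ClassMetadataAllowList, the package foo.domain and every candidate class name below are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not Jodd's implementation: a class-name allow-list for
 * polymorphic JSON deserialization. The type named in the class-metadata
 * field of an untrusted document must pass this check before anything is
 * loaded or instantiated. '*' is the only wildcard; everything else in a
 * pattern is matched literally, and the whole name must match (no substring
 * matches), so "foo.domain.*" does not admit "evil.foo.domain.X".
 */
public final class ClassMetadataAllowList {

    private final List<Pattern> allowed = new ArrayList<>();

    /** Register a wildcard pattern, e.g. "foo.domain.*" (hypothetical package). */
    public ClassMetadataAllowList allowClass(String wildcardPattern) {
        String[] parts = wildcardPattern.split("\\*", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) {
                regex.append(".*");            // the '*' wildcard
            }
            if (!parts[i].isEmpty()) {
                regex.append(Pattern.quote(parts[i])); // literal segment, dots included
            }
        }
        allowed.add(Pattern.compile(regex.toString()));
        return this;
    }

    /** True when the fully qualified name matches at least one allowed pattern. */
    public boolean isAllowed(String className) {
        for (Pattern p : allowed) {
            if (p.matcher(className).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolve the class named in the metadata field, refusing anything not on
     * the list. The check runs before Class.forName, and initialize=false keeps
     * static initializers from running as a side effect of the lookup.
     */
    public Class<?> resolve(String className) throws ClassNotFoundException {
        if (!isAllowed(className)) {
            throw new IllegalArgumentException(
                    "class not allowed for deserialization: " + className);
        }
        return Class.forName(className, false, getClass().getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        ClassMetadataAllowList allowList = new ClassMetadataAllowList()
                .allowClass("foo.domain.*")         // hypothetical application package
                .allowClass("java.util.ArrayList"); // one exact collection type

        // Constructed values as they might appear in a "class" metadata field.
        String[] candidates = {
                "foo.domain.Order",
                "java.util.ArrayList",
                "evil.foo.domain.Order",   // constructed: prefix attack on the wildcard
                "java.lang.Runtime"        // not a domain type, must be rejected
        };
        for (String name : candidates) {
            System.out.println(name + " -> "
                    + (allowList.isAllowed(name) ? "allowed" : "REJECTED"));
        }

        try {
            allowList.resolve("java.lang.Runtime");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage()); // rejected before any class loading
        }
    }
}
```

Two details matter in practice: patterns should be as narrow as the application allows (a bare "*" re-enables the original problem), and the check must run on the raw metadata string before the parser touches the class loader, since even a failed instantiation attempt can trigger static initializers if the lookup is done first.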

carnil commented May 22, 2020

This issue appears to have been assigned CVE-2018-21234.

@xtt5480446

Could you show me an example of JSON which leads to RCE?
