Resolve vulnerability: Java Unsafe Jackson Deserialization

MR created from vulnerability: Java Unsafe Jackson Deserialization

AI GENERATED FIX

The suggested code changes were generated by GitLab Duo Vulnerability Resolution, an AI feature. Use this feature with caution. Before you run a pipeline or apply the code changes, carefully review and test them, to ensure that they solve the vulnerability.

The large language model that generated the suggested code changes was provided with the entire file that contains the vulnerable lines of code. It is not aware of any functionality outside of this context.

Please see our documentation for more information about this feature and leave feedback in this issue.

Description:

Jackson deserialization vulnerability in Java arises when applications using the Jackson library deserialize untrusted JSON data without proper safeguards, potentially leading to severe security risks like remote code execution (RCE).

1. Avoid using polymorphic type handling and avoid deserializing user input.
2. Absolutely avoid using Unsafe Base Types for fields. Types considered unsafe base types include:

• java.lang.Object
• java.io.Closeable
• java.io.Serializable
• java.lang.AutoCloseable
• java.lang.Cloneable
• java.util.logging.Handler
• javax.naming.Referenceable
• javax.sql.DataSource
  List of types compiled from a set of all known deserialization "gadgets", types they implement. Reference : https://github.com/FasterXML/jackson-databind/issues/2587

3. For explicit per-type/per-property polymorphic handling (@JsonTypeInfo), don’t use:

• @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) annotation 
• @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS) annotation Instead use:
• @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) annotation where possible.

4. Use Safe Default Typing feature properly. Don’t use the deprecated ‘enableDefaultTyping()’.

• Refer: https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba
• Use Type Validators properly.
• Don’t explicitly allow unsafe base types

5. Avoid using com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator

• Does not do any validation, allows all subtypes. Only used for backwards-compatibility reasons: users should usually NOT use such a permissive implementation but use allow-list/criteria - based implementation.
• Refer: https://fasterxml.github.io/jackson-databind/javadoc/2.11/com/fasterxml/jackson/databind/jsontype/impl/LaissezFaireSubTypeValidator.html

6. Use MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES where possible.

• Refer: https://cowtowncoder.medium.com/jackson-2-11-features-40cdc1d2bdf3

7. Regularly update to the latest version of Jackson library.

• Severity: medium
• Location: UnstrustedDeserialization.java:14

Analysis:

The reported vulnerability is related to unsafe Jackson deserialization (CWE-502: Deserialization of Untrusted Data). The specific issue is in the ObjectMapperNoncompliant method where enableDefaultTyping() is called on the Jackson ObjectMapper.

The vulnerability occurs because enabling default typing allows Jackson to deserialize arbitrary Java types, including those that could be malicious. This creates a potential remote code execution vulnerability where an attacker could craft malicious JSON input that, when deserialized, could execute arbitrary code on the system.

Key concerns:

1. enableDefaultTyping() is deprecated since Jackson 2.10 due to security concerns
2. Allowing polymorphic deserialization of untrusted input is dangerous
3. The code is processing input from a File object, which could contain malicious content

The code already shows a compliant version that uses deactivateDefaultTyping(), but this is not the best modern approach to handle this security concern.

Summary:

1. Vulnerability: The code uses Jackson's enableDefaultTyping() method, which is deprecated and creates a remote code execution vulnerability through unsafe deserialization of untrusted data (CWE-502).

2. Fix Explanation: The fix implements the following security improvements:

   • Replaces the deprecated and unsafe enableDefaultTyping() with the newer activateDefaultTyping() method
   • Uses a PolymorphicTypeValidator to control which types can be deserialized
   • Sets the default typing to NONE to restrict polymorphic deserialization

3. Security Impact: The new implementation:

   • Prevents arbitrary class deserialization
   • Maintains type safety during deserialization
   • Reduces the risk of remote code execution attacks

// Before - Vulnerable
mapper.enableDefaultTyping();

// After - Secure
mapper.activateDefaultTyping(mapper.getPolymorphicTypeValidator(), 
    ObjectMapper.DefaultTyping.NONE);

For additional security, consider:

• Implementing a custom PolymorphicTypeValidator to whitelist allowed classes
• Using specific type information instead of generic List.class
• Validating input before deserialization
• Implementing proper error handling for malformed input

Identifiers:

• CWE-502
• java_deserialization_rule-JacksonUnsafeDeserialization