Resolve vulnerability: Java Unsafe Jackson Deserialization

MR created from vulnerability: Java Unsafe Jackson Deserialization

AI GENERATED FIX

The suggested code changes were generated by GitLab Duo Vulnerability Resolution, an AI feature. Use this feature with caution. Before you run a pipeline or apply the code changes, carefully review and test them, to ensure that they solve the vulnerability.

The large language model that generated the suggested code changes was provided with the entire file that contains the vulnerable lines of code. It is not aware of any functionality outside of this context.

Please see our documentation for more information about this feature and leave feedback in this issue.

Description:

Jackson deserialization vulnerability in Java arises when applications using the Jackson library deserialize untrusted JSON data without proper safeguards, potentially leading to severe security risks like remote code execution (RCE).

1. Avoid using polymorphic type handling and avoid deserializing user input.
2. Absolutely avoid using Unsafe Base Types for fields. Types considered unsafe base types include:

• java.lang.Object
• java.io.Closeable
• java.io.Serializable
• java.lang.AutoCloseable
• java.lang.Cloneable
• java.util.logging.Handler
• javax.naming.Referenceable
• javax.sql.DataSource
  List of types compiled from a set of all known deserialization "gadgets", types they implement. Reference : https://github.com/FasterXML/jackson-databind/issues/2587

3. For explicit per-type/per-property polymorphic handling (@JsonTypeInfo), don’t use:

• @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) annotation 
• @JsonTypeInfo(use = JsonTypeInfo.Id.MINIMAL_CLASS) annotation Instead use:
• @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) annotation where possible.

4. Use Safe Default Typing feature properly. Don’t use the deprecated ‘enableDefaultTyping()’.

• Refer: https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba
• Use Type Validators properly.
• Don’t explicitly allow unsafe base types

5. Avoid using com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator

• Does not do any validation, allows all subtypes. Only used for backwards-compatibility reasons: users should usually NOT use such a permissive implementation but use allow-list/criteria - based implementation.
• Refer: https://fasterxml.github.io/jackson-databind/javadoc/2.11/com/fasterxml/jackson/databind/jsontype/impl/LaissezFaireSubTypeValidator.html

6. Use MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES where possible.

• Refer: https://cowtowncoder.medium.com/jackson-2-11-features-40cdc1d2bdf3

7. Regularly update to the latest version of Jackson library.

• Severity: medium
• Location: UnstrustedDeserialization.java:14

Analysis:

The reported vulnerability is related to unsafe Jackson deserialization (CWE-502: Deserialization of Untrusted Data). The specific issue is in the ObjectMapperNoncompliant method where enableDefaultTyping() is called on the Jackson ObjectMapper.

Key concerns:

1. enableDefaultTyping() allows polymorphic type handling, meaning the JSON input can specify the Java class to deserialize into
2. This creates a serious security risk as attackers can craft malicious JSON payloads that deserialize into dangerous classes
3. The vulnerability could lead to Remote Code Execution (RCE) by deserializing into classes that execute arbitrary code during initialization

The code already shows a compliant version using deactivateDefaultTyping(), which is the correct approach. However, the fix should go further by:

1. Using explicit type information instead of default typing
2. Implementing proper input validation
3. Using the newer Jackson API methods (enableDefaultTyping is deprecated)

Summary:

1. Vulnerability: The code contains an unsafe Jackson deserialization vulnerability (CWE-502) due to enabling default typing, which could allow attackers to execute arbitrary code through carefully crafted JSON payloads.

2. Fix Implementation: The fix:

   • Removes the dangerous enableDefaultTyping() call
   • Replaces it with deactivateDefaultTyping() to explicitly disable polymorphic type handling
   • Maintains the same method signature and functionality while removing the security risk

3. Security Impact: The fix prevents Remote Code Execution (RCE) attacks by:

   • Disabling polymorphic type handling
   • Forcing explicit type information for deserialization
   • Preventing attackers from specifying arbitrary classes in the JSON input

Additional recommendations:

// For newer Jackson versions (2.10+), consider using:
mapper.activateDefaultTyping(
    PolymorphicTypeValidator.builder()
        .allowIfBaseType(YourAllowedBaseClass.class)
        .build()
);

This vulnerability is particularly serious as it could lead to remote code execution. The fix ensures that the application only deserializes into explicitly allowed types, significantly reducing the attack surface.

Identifiers:

• CWE-502
• java_deserialization_rule-JacksonUnsafeDeserialization