Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
An example of a whitelist implemented with Jackson 2.10. Full code can be found at https://github.com/artem-smotrakov/javahell/tree/unsafe-jackson-example-v2/src/main/java/com/gypsyengineer/jackson/unsafe/one
package com.gypsyengineer.jackson.unsafe.one;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
public class SaferPersonDeserialization {
private static final String bad =
"{\"name\":\"Bender\","
+ "\"age\":101,"
+ "\"phone\":{"
+ " \"@class\":\"com.popular.lib.Exec\","
+ " \"command\":\"calc\""
+ "}}";
public static void main(String[] args) throws Exception {
PolymorphicTypeValidator ptv =
BasicPolymorphicTypeValidator.builder()
.allowIfSubType("com.gypsyengineer.jackson")
.build();
ObjectMapper mapper = JsonMapper.builder()
.polymorphicTypeValidator(ptv)
.build();
try {
mapper.readValue(bad, Person.class);
} catch (Exception e) {
System.out.println("Deserialization failed: " + e);
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment