Skip to content

io7m/dixmont

Repository files navigation

dixmont

Maven Central Maven Central (snapshot) Codecov

dixmont

JVM Platform Status
OpenJDK (Temurin) Current Linux Build (OpenJDK (Temurin) Current, Linux)
OpenJDK (Temurin) LTS Linux Build (OpenJDK (Temurin) LTS, Linux)
OpenJDK (Temurin) Current Windows Build (OpenJDK (Temurin) Current, Windows)
OpenJDK (Temurin) LTS Windows Build (OpenJDK (Temurin) LTS, Windows)

dixmont

Some useful extension classes for jackson.

Features

  • Restricted JSON deserializer for preventing reflection-based serialization attacks.
  • Written in pure Java 17.
  • OSGi ready.
  • JPMS ready.
  • ISC license.
  • High-coverage automated test suite.

Motivation

Systems that use reflection to deserialize data are typically subject to deserialization attacks. The jackson JSON library is no exception to this.

The dixmont package provides a blunt and brute-force means to reduce the impact of attacks: All of the permitted classes that can be deserialized are listed, and everything else is rejected.

Building

$ mvn clean verify

Usage

Create a restricted serializer that is permitted to deserialize only the given classes and no others, and then register it with an ObjectMapper:

var serializers =
  DmJsonRestrictedDeserializers.builder()
    .allowClass(Optional.class)
    .allowClass(Path.class)
    .allowClass(String.class)
    .allowClass(URI.class)
    .allowClass(int.class)
    .allowClass(double.class)
    .allowClass(List.class)
    .allowClassName(
      "java.util.Optional<java.lang.Integer>")
    .allowClassName(
      "java.util.List<java.lang.String>")
    .build();

var mapper =
  JsonMapper.builder()
    .build();

final var simpleModule = new SimpleModule();
simpleModule.setDeserializers(this.serializers);
mapper.registerModule(simpleModule);

Parser code using the given ObjectMapper will be prevented from deserializing values of anything other than the given classes. Hostile JSON text that attempts to get the deserializer to instantiate other classes will fail.