From ca2bfc86af82a1479112004b663ba74c760752e6 Mon Sep 17 00:00:00 2001
From: lowchinwei
Date: Thu, 17 Jun 2021 01:02:35 +0800
Subject: [PATCH] Backported CVE-2018-7489 (#3176)

Co-authored-by: Chin Wei Low
---
 release-notes/VERSION                              |  1 +
 .../deser/BeanDeserializerFactory.java             | 52 ++++++++++++++++---
 2 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 19c01038ac..2f80db95bf 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -17,6 +17,7 @@ Backported all CVE fixes up to CVE-2021-20190
 #2986: Block 2 more gadget types (commons-dbcp2, CVE-2020-35490 / CVE-2020-35491)
 #2854: Block one more gadget type (javax.swing, CVE-2021-20190)
 #2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750)
+#1931: Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489)
 
 2.6.7.4 (25-Oct-2020)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 586e8d35d7..75296a8e4f 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -34,6 +34,10 @@ public class BeanDeserializerFactory
 {
     private static final long serialVersionUID = 1;
 
+    protected final static String PREFIX_SPRING = "org.springframework.";
+
+    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
+
     /**
      * Signature of Throwable.initCause method.
      */
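Review bot: The two new constants use the modifier order `protected final static`, whereas the rest of this class (see `private static final long serialVersionUID` in the same hunk) uses the conventional `static final` order; `protected static final String PREFIX_SPRING = "org.springframework.";` and `protected static final String PREFIX_C3P0 = "com.mchange.v2.c3p0.";` would match. Since both are `protected` they become part of the subclassing surface, so a one-line Javadoc each would help, e.g. `/** Package prefix of Spring types that get the extra superclass check in checkIllegalTypes(). */` and `/** Package prefix of c3p0 types whose {@code *DataSource} classes are blocked in checkIllegalTypes(). */`.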
@@ -1072,13 +1076,47 @@ private void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
     {
         // There are certain nasty classes that could cause problems, mostly
         // via default typing -- catch them here.
-        String full = type.getRawClass().getName();
+        final Class raw = type.getRawClass();
+        String full = raw.getName();
 
-        if (_cfgIllegalClassNames.contains(full)) {
-            String message = String.format("Illegal type (%s) to deserialize: prevented for security reasons",
-                    full);
-            throw ctxt.mappingException("Invalid type definition for type %s: %s",
-                    beanDesc, message);
-        }
+        main_check:
+        do {
+            if (_cfgIllegalClassNames.contains(full)) {
+                break;
+            }
+
+            // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
+            //   for some Spring framework types
+            // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
+            if (raw.isInterface()) {
+                ;
+            } else if (full.startsWith(PREFIX_SPRING)) {
+                for (Class cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
+                    String name = cls.getSimpleName();
+                    // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
+                    if ("AbstractPointcutAdvisor".equals(name)
+                            // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
+                            || "AbstractApplicationContext".equals(name)) {
+                        break main_check;
+                    }
+                }
+            } else if (full.startsWith(PREFIX_C3P0)) {
+                // [databind#1737]; more 3rd party
+                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+                // [databind#1931]; more 3rd party
+                // com.mchange.v2.c3p0.ComboPooledDataSource
+                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
+                if (full.endsWith("DataSource")) {
+                    break main_check;
+                }
+            }
+            return;
+        } while (false);
+
+        String message = String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+                full);
+        throw ctxt.mappingException("Invalid type definition for type %s: %s",
+                beanDesc, message);
     }
 }
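Review bot: The superclass walk for the Spring abstract types only runs when the leaf class name `full` starts with `PREFIX_SPRING`, so a class declared in any other package that extends `AbstractPointcutAdvisor` or `AbstractApplicationContext` is never walked and falls through to the `return;` at the end of the `do` block; if that narrowing is deliberate (keeping the hierarchy walk off the common path), a comment saying so would help, otherwise apply the prefix test to each `cls.getName()` inside the loop as sketched below (presumably cheap here, since this check runs once per deserializer build). The `do { … } while (false)` with a labelled `break main_check` and an inner `return` is hard to follow; a `private boolean _isIllegalType(Class<?> raw, String full)` helper, or a plain `if` chain that falls through to the existing throw, keeps the deny-list cases in one readable place. `final Class raw` and `Class cls` are raw types — `final Class<?> raw = type.getRawClass();` avoids the unchecked warning with no behavior change. The empty branch `if (raw.isInterface()) { ; }` reads like an accident; a comment such as `// interfaces are exempt from the prefix checks; only the explicit deny-list above applies to them` (or inverting the condition) makes the intent explicit. The method's signature is above the hunk.
```java
            } else {
                // apply the package prefix to each ancestor, not only to the leaf class,
                // so subclasses declared outside org.springframework. are still caught
                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
                    if (!cls.getName().startsWith(PREFIX_SPRING)) {
                        continue;
                    }
                    String name = cls.getSimpleName();
                    if ("AbstractPointcutAdvisor".equals(name)
                            || "AbstractApplicationContext".equals(name)) {
                        break main_check;
                    }
                }
                if (full.startsWith(PREFIX_C3P0) && full.endsWith("DataSource")) {
                    break main_check;
                }
            }
            // … unchanged: return; } while (false); message formatting and throw …
```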