From bcf31e2529824dcb2cd66f14e872ef3c898f340c Mon Sep 17 00:00:00 2001
From: Torsten Grote <t@grobox.de>
Date: Wed, 17 Nov 2021 09:30:33 -0300
Subject: [PATCH] Block unsafe polymorphic types for Jackson deserialization

---
 .../mailbox/core/server/WebServerManager.kt   |  5 +-
 .../core/server/WebServerIntegrationTest.kt   | 52 +++++++++++++++++++
 2 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/mailbox-core/src/main/java/org/briarproject/mailbox/core/server/WebServerManager.kt b/mailbox-core/src/main/java/org/briarproject/mailbox/core/server/WebServerManager.kt
index 96889cbb..c491add4 100644
--- a/mailbox-core/src/main/java/org/briarproject/mailbox/core/server/WebServerManager.kt
+++ b/mailbox-core/src/main/java/org/briarproject/mailbox/core/server/WebServerManager.kt
@@ -1,5 +1,6 @@
 package org.briarproject.mailbox.core.server
 
+import com.fasterxml.jackson.databind.MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES
 import io.ktor.application.install
 import io.ktor.auth.Authentication
 import io.ktor.features.CallLogging
@@ -50,7 +51,9 @@ internal class WebServerManagerImpl @Inject constructor(
                 }
             }
             install(ContentNegotiation) {
-                jackson()
+                jackson {
+                    enable(BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
+                }
             }
             configureBasicApi(setupManager, wipeManager)
             configureContactApi(contactsManager)
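Review bot: The new `enable(BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)` line carries no explanation of the threat it addresses, and the feature only rejects polymorphic deserialization whose declared base type is on Jackson's built-in unsafe list (`Object`, `Serializable`, `Closeable` and a few similar types), so it is a safety net rather than a guarantee that request DTOs cannot be coerced into arbitrary classes. I would put above the `enable` line: `// Refuse @JsonTypeInfo values typed as Object/Serializable etc.: such fields let a client name an arbitrary class to instantiate. API models should stay free of @JsonTypeInfo regardless.` The `install(ContentNegotiation)` block sits inside a function of WebServerManagerImpl whose start and end lie outside this hunk. The mapper feature exists in jackson-databind from 2.10 on, so the resolved version should be confirmed at merge time; the build file is not visible here.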
diff --git a/mailbox-core/src/test/java/org/briarproject/mailbox/core/server/WebServerIntegrationTest.kt b/mailbox-core/src/test/java/org/briarproject/mailbox/core/server/WebServerIntegrationTest.kt
index 0d363e3a..f84eee63 100644
--- a/mailbox-core/src/test/java/org/briarproject/mailbox/core/server/WebServerIntegrationTest.kt
+++ b/mailbox-core/src/test/java/org/briarproject/mailbox/core/server/WebServerIntegrationTest.kt
@@ -1,9 +1,27 @@
 package org.briarproject.mailbox.core.server
 
+import com.fasterxml.jackson.annotation.JsonTypeInfo
+import com.fasterxml.jackson.databind.MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES
+import io.ktor.application.call
+import io.ktor.application.install
 import io.ktor.client.request.get
+import io.ktor.client.request.post
 import io.ktor.client.statement.HttpResponse
 import io.ktor.client.statement.readText
+import io.ktor.features.CallLogging
+import io.ktor.features.ContentNegotiation
+import io.ktor.http.ContentType
+import io.ktor.http.HttpStatusCode
+import io.ktor.http.contentType
+import io.ktor.jackson.jackson
+import io.ktor.request.receive
+import io.ktor.response.respond
+import io.ktor.routing.post
+import io.ktor.routing.routing
+import io.ktor.server.engine.embeddedServer
+import io.ktor.server.netty.Netty
 import kotlinx.coroutines.runBlocking
+import org.briarproject.mailbox.core.server.WebServerManager.Companion.PORT
 import org.junit.jupiter.api.Test
 import kotlin.test.assertEquals
 
@@ -22,4 +40,38 @@ class WebServerIntegrationTest : IntegrationTest() {
         assertEquals(404, response.status.value)
     }
 
+    @Test
+    fun testJacksonUnsafeDeserialization(): Unit = runBlocking {
+        val port = PORT + 1
+        val server = embeddedServer(Netty, port, watchPaths = emptyList()) {
+            install(CallLogging)
+            install(ContentNegotiation) {
+                jackson {
+                    enable(BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
+                }
+            }
+            routing {
+                post("/") {
+                    println(call.receive<Wrapper>())
+                    call.respond(HttpStatusCode.OK, "OK")
+                }
+            }
+        }
+        try {
+            server.start()
+            val response = httpClient.post<HttpResponse>("http://127.0.0.1:$port/") {
+                contentType(ContentType.Application.Json)
+                body = Wrapper().apply { value = "foo" }
+            }
+            assertEquals(500, response.status.value)
+        } finally {
+            server.stop(0, 0)
+        }
+    }
+
+    internal class Wrapper {
+        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+        var value: Any? = null
+    }
+
 }
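Review bot: The single assertion `assertEquals(500, response.status.value)` in testJacksonUnsafeDeserialization is a weak oracle: presumably any unhandled failure in the route (a client-side serialization error, a content-type mismatch, a missing dependency) also produces a 500, so the test would keep passing if the mapper feature were silently dropped. Recording whether the handler got past `call.receive<Wrapper>()` pins the intended behaviour: declare `var received: Wrapper? = null` before `embeddedServer(...)`, replace the `println` line with `received = call.receive<Wrapper>()`, and add `assertNull(received)` after the status check (importing `kotlin.test.assertNull`). A one-line KDoc on the test, such as `/** A client-supplied @class type id on an Any-typed field must be rejected, not instantiated. */`, would state what is being protected against. The fixed `PORT + 1` may also collide with another test or process on the same host; I cannot see how PORT is used elsewhere, so treat that as a presumption.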
-- 
GitLab