Deserialization of untrusted object

Severity
High

Deserializing untrusted or potentially malformed data can be exploited to cause a denial of service or to execute attacker-controlled code.

Detector ID
java/untrusted-deserialization@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

import java.io.File;
import java.util.List;
import com.fasterxml.jackson.databind.ObjectMapper;

public List ObjectMapperNoncompliant(final File input) throws Exception {
    final ObjectMapper mapper = new ObjectMapper();
    // Noncompliant: enabling default typing lets the JSON input name the class to instantiate,
    // which can introduce a remote code execution vulnerability.
    mapper.enableDefaultTyping();
    return mapper.readValue(input, List.class);
}

Compliant example

import java.io.File;
import java.util.List;
import com.fasterxml.jackson.databind.ObjectMapper;

public List ObjectMapperCompliant(final File input) throws Exception {
    final ObjectMapper mapper = new ObjectMapper();
    // Compliant: with default typing disabled, type ids in the input are not honoured.
    mapper.deactivateDefaultTyping();
    return mapper.readValue(input, List.class);
}
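When an application genuinely needs polymorphic deserialization and cannot simply call deactivateDefaultTyping(), the safe pattern is to activate default typing only together with an allow-list PolymorphicTypeValidator (Jackson 2.10+). The following is an added example, not code from the detector page; the Shape, Circle and Envelope classes and both JSON inputs are constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingExample {

    // Hypothetical application types that legitimately need polymorphic handling.
    public static abstract class Shape { }
    public static class Circle extends Shape { public double radius; }
    public static class Envelope { public Shape shape; }

    // Constructed input. With default typing, an abstract-typed value is written as a
    // [type-id, payload] pair, so whoever writes the JSON chooses the class to instantiate.
    static final String EXPECTED_JSON =
        "{\"shape\": [\"" + Circle.class.getName() + "\", {\"radius\": 2.5}]}";

    // Constructed input naming a class that is not a Shape. java.util.HashMap is harmless
    // here; it only demonstrates that anything outside the allow-list is refused.
    static final String UNEXPECTED_JSON =
        "{\"shape\": [\"java.util.HashMap\", {\"radius\": 2.5}]}";

    // Compliant alternative to deactivateDefaultTyping() when polymorphism is required:
    // default typing is activated only together with an allow-list validator.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Shape.class)   // only Shape subclasses may appear as type ids
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = restrictedMapper();

        Envelope ok = mapper.readValue(EXPECTED_JSON, Envelope.class);
        System.out.println("accepted: " + ok.shape.getClass().getName());

        try {
            mapper.readValue(UNEXPECTED_JSON, Envelope.class);
            System.out.println("BUG: unexpected type was accepted");
        } catch (JsonMappingException e) {
            // The validator rejects the type id; the named class is never instantiated.
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The allow-list should be as narrow as the application permits; allowIfSubType with a broad package prefix or a permissive pattern reintroduces the risk the detector flags.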