Deserialization of untrusted or potentially malformed data can be exploited for denial of service or to execute untrusted code.
/**
 * Noncompliant example: parses a JSON document into a list with Jackson's global
 * default typing switched on.
 *
 * With default typing enabled the document itself may name the classes Jackson
 * instantiates, which is the precondition for deserialization-gadget attacks.
 * {@code enableDefaultTyping()} is also deprecated in newer Jackson versions in
 * favour of a variant that takes a validator.
 *
 * @param input file holding the JSON to parse
 * @return the parsed document as a raw {@link List}
 * @throws Exception whatever {@code readValue} propagates (I/O or parse failures)
 */
public List ObjectMapperNoncompliant(final File input) throws Exception {
    ObjectMapper unsafeMapper = new ObjectMapper();
    // Noncompliant: global default typing lets untrusted input choose the target classes,
    // which can lead to remote code execution.
    unsafeMapper.enableDefaultTyping();
    List parsed = unsafeMapper.readValue(input, List.class);
    return parsed;
}
/**
 * Compliant example: parses a JSON document into a list with Jackson's global
 * default typing explicitly turned off.
 *
 * Without default typing the document cannot name arbitrary classes to
 * instantiate. A freshly constructed {@code ObjectMapper} already has default
 * typing off, so the call makes the intent explicit rather than changing state.
 * Note that this only concerns the global setting: target types carrying an
 * explicit {@code @JsonTypeInfo} annotation are still handled polymorphically
 * and need their own review.
 *
 * @param input file holding the JSON to parse
 * @return the parsed document as a raw {@link List}
 * @throws Exception whatever {@code readValue} propagates (I/O or parse failures)
 */
public List ObjectMapperCompliant(final File input) throws Exception {
    ObjectMapper safeMapper = new ObjectMapper();
    // Compliant: no global default typing, so input cannot select classes to instantiate.
    safeMapper.deactivateDefaultTyping();
    List parsed = safeMapper.readValue(input, List.class);
    return parsed;
}