| JVM | Platform | Status |
|---|---|---|
| OpenJDK (Temurin) Current | Linux | |
| OpenJDK (Temurin) LTS | Linux | |
| OpenJDK (Temurin) Current | Windows | |
| OpenJDK (Temurin) LTS | Windows | |
Some useful extension classes for jackson.
- Restricted JSON deserializer for preventing reflection-based serialization attacks.
- Written in pure Java 21.
- OSGi ready.
- JPMS ready.
- ISC license.
- High-coverage automated test suite.
Systems that use reflection to deserialize data are typically subject to deserialization attacks. The jackson JSON library is no exception to this.

The dixmont package provides a blunt and brute-force means to reduce the impact of such attacks: all of the permitted classes that can be deserialized are listed explicitly, and everything else is rejected.
```
$ mvn clean verify
```
Create a restricted deserializer that is permitted to deserialize only the given classes and no others, and then register it with an `ObjectMapper`:
```java
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.io7m.dixmont.core.DmJsonRestrictedDeserializers;
import java.net.URI;
import java.nio.file.Path;
import java.util.List;
import java.util.Optional;

// Allow-list: only these classes (and generic signatures) may be produced
// by deserialization; any other target type is rejected.
var serializers =
  DmJsonRestrictedDeserializers.builder()
    .allowClass(Optional.class)
    .allowClass(Path.class)
    .allowClass(String.class)
    .allowClass(URI.class)
    .allowClass(int.class)
    .allowClass(double.class)
    .allowClass(List.class)
    .allowClassName("java.util.Optional<java.lang.Integer>")
    .allowClassName("java.util.List<java.lang.String>")
    .build();

var mapper =
  JsonMapper.builder()
    .build();

// Install the restricted deserializers into the mapper via a SimpleModule.
final var simpleModule = new SimpleModule();
simpleModule.setDeserializers(serializers);
mapper.registerModule(simpleModule);
```
Parser code using the given `ObjectMapper` will be prevented from deserializing values of anything other than the given classes. Hostile JSON text that attempts to get the deserializer to instantiate other classes will fail.
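An added end-to-end example (not code from the dixmont project) showing a read into a listed type succeeding and a read into an unlisted class being refused by the same mapper. The package name `com.io7m.dixmont.core`, the record `Unlisted`, and the exact exception type thrown on rejection are assumptions.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.io7m.dixmont.core.DmJsonRestrictedDeserializers; // assumed package
import java.util.List;

public final class RestrictedParseDemo
{
  // Hypothetical class that is deliberately NOT on the allow list.
  record Unlisted(String name) {}

  private RestrictedParseDemo() {}

  /** Build a mapper that may only produce strings and lists of strings. */
  static ObjectMapper restrictedMapper()
  {
    final var serializers =
      DmJsonRestrictedDeserializers.builder()
        .allowClass(String.class)
        .allowClass(List.class)
        .allowClassName("java.util.List<java.lang.String>")
        .build();

    final var mapper = JsonMapper.builder().build();
    final var module = new SimpleModule();
    module.setDeserializers(serializers);
    mapper.registerModule(module);
    return mapper;
  }

  public static void main(final String[] args) throws Exception
  {
    final var mapper = restrictedMapper();

    // Constructed input whose target type is on the allow list: succeeds.
    final List<String> names =
      mapper.readValue("[\"alice\",\"bob\"]", new TypeReference<List<String>>() {});
    System.out.println("Permitted: " + names);

    // Constructed input whose target type is NOT on the allow list: the
    // restricted deserializer refuses to instantiate it. The exception type
    // dixmont raises is not stated on this page, so it is caught broadly.
    try {
      mapper.readValue("{\"name\":\"mallory\"}", Unlisted.class);
      System.out.println("UNEXPECTED: Unlisted was deserialized");
    } catch (final Exception e) {
      System.out.println("Rejected as expected: " + e.getMessage());
    }
  }
}
```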