Using Jackson/Java to ensure that all serialization to JSON delimits untrusted data within single or double quotes and escapes any special characters?

I have the following Fortify security issue:

JSON Injection: Ensure that all serialization is performed using a safe serialization function that delimits untrusted data within single or double quotes and escapes any special characters.

Below is my code:

public String saveJson(String json, long ID, String userId)
        throws SQLException, JsonParseException, JsonMappingException, IOException {

    ObjectMapper objectMapper = new ObjectMapper();

    List<item> listOfNewItems = objectMapper.readValue(json, new TypeReference<List<item>>() {});
    userId = userFactory.getUser().getID();
    String message = saveJson(listOfNewItems, ID, userId);

    return message;
}

I am trying to maybe use

org.codehaus.jackson.io.JsonStringEncoder.getInstance().quoteAsString(json);

or maybe

objectMapper.configure(JsonGenerator.Feature.QUOTE_FIELD_NAMES, false);
objectMapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true);

but I'm not sure.

More details on the error:

writes unvalidated input into JSON

Any ideas?

user8507628 asked Aug 23 '17 17:08

1 Answer

The comments so far from mikaelhg and gagan singh are correct:

  1. Jackson ObjectMapper on its default settings will already "Ensure that all serialization is performed using a safe serialization function that delimits untrusted data within single or double quotes and escapes any special characters."

  2. The code you have shown is deserialization, not serialization (and/or is broken or incorrectly copied)

Rich answered Sep 19 '22 17:09
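An added example, not code from the question or the answer, showing the distinction the answer draws: the string-concatenation pattern that Fortify reports beside Jackson's default serialization of the same input, plus the Jackson 2 form of the quoteAsString call the question mentions. It assumes Jackson 2 (com.fasterxml.jackson) rather than the org.codehaus package in the question; the class and method names and the input string are constructed for the demonstration.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.io.JsonStringEncoder;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.LinkedHashMap;
import java.util.Map;

public class JsonEscapingDemo {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed sample of untrusted input. It carries a double quote,
    // a backslash, a newline and a control character, each of which must
    // be escaped for the value to stay a single JSON string.
    static final String UNTRUSTED = "alice\",\"extra\":\"injected\\\n\u0001";

    // The pattern Fortify reports: untrusted data pasted into a JSON document
    // by string concatenation. The quote inside the input ends the "name"
    // value early, so the rest of the input becomes JSON structure, not data.
    static String unsafeConcat(String name) {
        return "{\"name\":\"" + name + "\",\"role\":\"user\"}";
    }

    // Safe serialization with Jackson's defaults: the mapper quotes every
    // string value and escapes ", \, newlines and control characters.
    static String safeSerialize(String name) throws JsonProcessingException {
        Map<String, Object> doc = new LinkedHashMap<>();
        doc.put("name", name);
        doc.put("role", "user");
        return MAPPER.writeValueAsString(doc);
    }

    // If a JSON string really must be assembled by hand, quoteAsString applies
    // the same escaping to one value (Jackson 2 form of the call in the question).
    static String quotedValue(String raw) {
        return "\"" + new String(JsonStringEncoder.getInstance().quoteAsString(raw)) + "\"";
    }

    // Round-trip check: the safe output parses back to exactly the two fields
    // written, with "name" equal to the original input and no extra field.
    static boolean roundTrips(String name) throws Exception {
        Map<?, ?> back = MAPPER.readValue(safeSerialize(name), Map.class);
        return back.size() == 2 && name.equals(back.get("name")) && "user".equals(back.get("role"));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe: " + unsafeConcat(UNTRUSTED));
        System.out.println("safe:   " + safeSerialize(UNTRUSTED));
        System.out.println("quoted: " + quotedValue(UNTRUSTED));
        System.out.println("round trip ok: " + roundTrips(UNTRUSTED));
    }
}
```

Run it and compare the first two lines: the unsafe one contains a third field that the caller never wrote, while the safe one keeps the whole input inside the quoted "name" value.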