Avoid unsafe deserialization
ID: java-security/json-unsafe-deserialization
Language: Java
Severity: Error
Category: Security
CWE: 502
Description
Deserializing untrusted data can lead to unintended code execution. Call activateDefaultTyping on the ObjectMapper before it reads input, so that the input cannot be deserialized into arbitrary classes.
Non-Compliant Code Examples
import com.fasterxml.jackson.databind.ObjectMapper;

// oneFunction, foo, anotherFunction, json and ABean stand in for surrounding application code.
class Main {
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        oneFunction();
        oneFunction();
        // Input is read with no default-typing configuration applied to the mapper first.
        mapper.readValue(json, ABean.class);
        foo.var();
        anotherFunction();
    }
}
Compliant Code Examples
import com.fasterxml.jackson.databind.ObjectMapper;

// oneFunction, anotherFunction, json and ABean stand in for surrounding application code.
class Main {
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        oneFunction();
        // Default typing is configured on the mapper before any input is read.
        // Note: enableDefaultTyping() is deprecated since Jackson 2.10 in favour of
        // activateDefaultTyping(PolymorphicTypeValidator, ...), which takes an explicit allow-list.
        mapper.enableDefaultTyping();
        anotherFunction();
        mapper.readValue(json, ABean.class);
    }
}
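As an added example (not part of this rule page or of Jackson's own documentation), the following shows the configuration the description names, activateDefaultTyping with a PolymorphicTypeValidator (Jackson 2.10+), applied before readValue, and how a type id outside the allow-list is rejected. The classes SafeDeserialization, ABean and Note and both JSON inputs are constructed for this example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDeserialization {
    // Assumed model: a bean with a polymorphic (Object-typed) field, the field that
    // an attacker-controlled type id in the input would otherwise steer.
    public static class ABean {
        public String name;
        public Object payload;
    }

    // The only type we intend to accept inside "payload".
    public static class Note {
        public String text;
    }

    // Allow-list: only this example's own nested model classes may be named as subtypes;
    // any other class name appearing as a type id is denied.
    static PolymorphicTypeValidator validator() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(SafeDeserialization.class.getName())
                .build();
    }

    public static ObjectMapper newMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Default typing is activated together with the validator, so every type id in the
        // input is checked against the allow-list before the named class is used.
        mapper.activateDefaultTyping(validator(), ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = newMapper();
        // Constructed inputs: the first names an allowed type, the second an unrelated JDK class.
        String ok  = "{\"name\":\"a\",\"payload\":[\"SafeDeserialization$Note\",{\"text\":\"hi\"}]}";
        String bad = "{\"name\":\"b\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

        ABean bean = mapper.readValue(ok, ABean.class);
        System.out.println("accepted payload: " + ((Note) bean.payload).text);
        try {
            mapper.readValue(bad, ABean.class);
        } catch (InvalidTypeIdException e) {
            // The validator denies the type id; no instance of that class is created.
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```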