
Commit ea0991c

Added Jackson to UnsafeDeserialization.qhelp
1 parent 97fca62 commit ea0991c

1 file changed

Lines changed: 12 additions & 2 deletions


java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
1414
</p>
1515
<p>
1616
There are many different serialization frameworks. This query currently
17-
supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap
18-
and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
17+
supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
18+
Jackson and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
1919
</p>
2020
</overview>
2121
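Review bot: the overview now lists Jackson next to frameworks that are unsafe on any untrusted input, but Jackson's deserialization problem is tied to its polymorphic/default typing feature (the "Jackson 2.10: Safe Default Typing" post this commit adds to the references is about exactly that), so a reader of this paragraph will not know what the query actually flags. Suggest qualifying it in the list, e.g. `Jackson (when default typing is enabled)`, or adding a sentence below stating that Jackson results are only reported when polymorphic type handling is turned on. The comma change (`Burlap,` / `Jackson and Java IO`) reads fine.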

@@ -76,6 +76,7 @@ SnakeYaml documentation on deserialization:
7676
<a href="https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
7777
</li>
7878
<li>
79+
<<<<<<< HEAD
7980
Hessian deserialization and related gadget chains:
8081
<a href="https://paper.seebug.org/1137/">Hessian deserialization</a>.
8182
</li>
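Review bot: line 79 commits an unresolved merge-conflict marker (`<<<<<<< HEAD`) into the qhelp. A bare `<` in element content makes the XML non-well-formed, so this help file will no longer parse and the qhelp check for the query will fail. The conflict has to be resolved and the marker dropped; nothing else in this hunk should change.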
@@ -90,6 +91,15 @@ Remote code execution in JYaml library:
9091
<li>
9192
JsonIO deserialization vulnerabilities:
9293
<a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
94+
=======
95+
Research by Moritz Bechler:
96+
<a href="https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true">Java Unmarshaller Security - Turning your data into code execution</a>
97+
</li>
98+
<li>
99+
Blog posts by the developer of Jackson libraries:
100+
<a href="https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062">On Jackson CVEs: Don’t Panic — Here is what you need to know</a>
101+
<a href="https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba">Jackson 2.10: Safe Default Typing</a>
102+
>>>>>>> Added Jackson to UnsafeDeserialization.qhelp
93103
</li>
94104
</references>
95105
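Review bot: the `=======` (line 94) and `>>>>>>> Added Jackson to UnsafeDeserialization.qhelp` (line 102) markers are the other half of the unresolved conflict and must be removed, but simply deleting them is not a correct resolution either: the JsonIO `<li>` opened at line 91 is still open when `Research by Moritz Bechler:` starts, so the new text needs a `</li>` and `<li>` in front of it, otherwise the JsonIO and marshalsec references collapse into one list item. Two smaller points in the same block: the two Jackson blog-post `<a>` elements in the second new `<li>` run together with no separator between them, and the marshalsec link lacks the trailing `.` the other entries use (`... JsonIO deserialization</a>.`).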
