I'm currently investigating best practices for secure JSON deserialization of untrusted input for object mapping. After researching, it seems like...

the default Jackson mapper: https://stackoverflow.com/questions/45846083/using-jackson-java-to-ensure-that-and-all-serialization-to-json-delimits-untrust

and OWASP JSON sanitizer https://www.owasp.org/index.php/OWASP_JSON_Sanitizer

...both accomplish what I'm looking for. From a security perspective, is there a reason to use the OWASP JSON sanitizer if we're already using the Jackson ObjectMapper?

Frostbyte

1 Answer

According to NCC Group's Jackson Deserialization Vulnerabilities:

"Jackson does not perform typing by default (including collection generic types) and does not allow the specification of arbitrary types."

Besides the link you gave, OWASP has a page on the Deserialization of untrusted data which explains how to handle types.

clairestreb