
I am using RestTemplate.exchange to get data from a URI. I have no control over how the JSON is returned, and for unknown reasons it happens to be line-delimited JSON (also called JSON Lines, dljson, JSONL):

{}\n
{}\n
{}

This is using Spring Boot version 2.1.6. Updating might become an option, but not soon. I have a method that parses it very nicely into a list of objects:

    import java.net.URI;
    import java.util.ArrayList;
    import java.util.Arrays;

    import com.fasterxml.jackson.databind.DeserializationFeature;
    import com.fasterxml.jackson.databind.MappingIterator;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import org.springframework.http.*;
    import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
    import org.springframework.web.client.RestTemplate;

    // `response` is the earlier response object that carries the data-file URL (not shown in the question)
    String dataFile = response.getData().getDataFile();
    RestTemplate restTemplate = new RestTemplate();

    // Accept the JSONL body even when the server labels it application/octet-stream
    MappingJackson2HttpMessageConverter mappingJackson2HttpMessageConverter = new MappingJackson2HttpMessageConverter();
    mappingJackson2HttpMessageConverter.setSupportedMediaTypes(Arrays.asList(MediaType.APPLICATION_JSON, MediaType.APPLICATION_OCTET_STREAM));
    restTemplate.getMessageConverters().add(mappingJackson2HttpMessageConverter);
    ResponseEntity<String> responseEntity = restTemplate.exchange(new URI(dataFile), HttpMethod.GET, new HttpEntity<>(new HttpHeaders()), String.class);

    // Read the String body as a sequence of root-level JSON values, one per line
    ObjectMapper mapper = new ObjectMapper();
    mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
    MappingIterator<TheDataObject> jrParser = mapper.readerFor(TheDataObject.class).readValues(responseEntity.getBody());
    ArrayList<TheDataObject> theList = new ArrayList<>();
    while (jrParser.hasNextValue()) {
        theList.add(jrParser.nextValue());
    }
    return theList;

I would leave it at this, but Coverity condemns the use of the String class in ResponseEntity<String>, stating that trusting such a string allows for an attack vector.

How do I set the ObjectMapper to do what it's doing before the exchange call?

Addition: Here's everything Coverity says about it:

CID #: Unsafe deserialization (UNSAFE_DESERIALIZATION)

  1. tainted_source: org.springframework.http.HttpEntity.getBody() returns data from a network socket.
  2. sink: A tainted value (java.lang.String) responseEntity.getBody() is deserialized. This may allow an attacker to bypass security checks or execute arbitrary code.

If possible, use pure data formats such as JSON or XML to serialize and deserialize untrusted data. Otherwise, if you must use native serialization methods, check the integrity of the data (for example with HMAC) before deserializing it.

  • Are you sure the Coverity problem you mention is about using a JSON String to parse content? The other alternative would probably use a byte[] representation rather than a String, and the problem would still be there: you parse JSON from a foreign source. – NoDataFound Dec 14 '21 at 23:31
  • It would be helpful to see the exact Coverity error message. – Scott McPeak Dec 15 '21 at 03:23
  • Sure. I added it to the end. – For Serious Dec 15 '21 at 15:17

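One way to do what the question asks, as an added example that is not part of the question or of Spring's own code: a custom HttpMessageConverter hands the response InputStream to a MappingIterator, so exchange() binds the body to TheDataObject[] directly and no intermediate String exists. JsonLinesConverter and fetch are hypothetical names; TheDataObject is the POJO from the question.

```java
import java.io.IOException;
import java.net.URI;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.MappingIterator;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.*;
import org.springframework.http.converter.AbstractHttpMessageConverter;
import org.springframework.web.client.RestTemplate;

/** Hypothetical converter: binds a line-delimited JSON body to TheDataObject[] straight from the socket stream. */
public class JsonLinesConverter extends AbstractHttpMessageConverter<TheDataObject[]> {

    // Plain data binding to a closed POJO; default typing stays off, so no class names are read from the payload
    private final ObjectMapper mapper = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);

    public JsonLinesConverter() {
        // Same media types the question registers; the server may mislabel JSONL as octet-stream
        super(MediaType.APPLICATION_JSON, MediaType.APPLICATION_OCTET_STREAM);
    }

    @Override
    protected boolean supports(Class<?> clazz) {
        // An array target keeps the converter non-generic; exchange(..., TheDataObject[].class) selects it
        return TheDataObject[].class.equals(clazz);
    }

    @Override
    protected TheDataObject[] readInternal(Class<? extends TheDataObject[]> clazz, HttpInputMessage in) throws IOException {
        // No intermediate String: the MappingIterator consumes the InputStream one root-level value per line
        try (MappingIterator<TheDataObject> it = mapper.readerFor(TheDataObject.class).readValues(in.getBody())) {
            return it.readAll().toArray(new TheDataObject[0]);
        }
    }

    @Override
    protected void writeInternal(TheDataObject[] objs, HttpOutputMessage out) {
        throw new UnsupportedOperationException("read-only converter");
    }

    // Usage: register the converter before exchange() so the typed body comes back directly
    public static TheDataObject[] fetch(String dataFile) throws Exception {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.getMessageConverters().add(0, new JsonLinesConverter());
        return restTemplate.exchange(new URI(dataFile), HttpMethod.GET,
                new HttpEntity<>(new HttpHeaders()), TheDataObject[].class).getBody();
    }
}
```

The trust boundary is unchanged (the payload is still untrusted network data), but binding it with plain Jackson data binding to a fixed POJO, with default typing left disabled, is the "pure data format" parsing the Coverity guidance describes rather than Java native serialization.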