Skip to content

Latest commit

 

History

History
107 lines (82 loc) · 10 KB

mitigations.md

File metadata and controls

107 lines (82 loc) · 10 KB

Mitigation Strategies Analysis for alibaba/fastjson2

Mitigation Strategy: Disable AutoType and Similar Features

  • Description:

    1. Locate Configuration: Identify all places where fastjson2 is configured. This might include:
      • Direct calls to JSONReader.Feature.SupportAutoType.config(false).
      • Configuration files (e.g., Spring Boot properties, XML configurations) where fastjson2 settings are managed.
      • Framework-specific integrations (check documentation for your web framework, etc., for how they configure JSON parsing).
    2. Explicitly Disable: Ensure SupportAutoType is set to false in all identified locations. If using a higher-level API (like JSON.parseObject), trace the configuration down to the underlying fastjson2 settings to confirm this.
    3. Centralize (Recommended): If possible, consolidate fastjson2 configuration into a single, well-defined location (e.g., a dedicated configuration class) to avoid inconsistencies and make future updates easier.
    4. Verify: After making changes, use debugging or logging to confirm that SupportAutoType is indeed disabled during runtime. Attempting to deserialize a class based solely on the @type field should result in an error.
    5. Regularly Review: Periodically review the configuration to ensure that it hasn't been accidentally changed or overridden.

  • List of Threats Mitigated:

    • Threat: Remote Code Execution (RCE) via malicious @type field in JSON input.
      • Severity: Critical. Allows complete system compromise.
    • Threat: Deserialization of arbitrary, untrusted classes specified via @type.
      • Severity: High to Critical (depending on available "gadget" classes).
    • Threat: Denial of Service (DoS) via crafted JSON input that triggers excessive resource consumption during deserialization due to unexpected class instantiation.
      • Severity: High (can disrupt application availability).

  • Impact:

    • RCE: Risk reduced from Critical to Very Low (assuming no other vulnerabilities exist that allow class name injection outside of fastjson2's mechanisms).
    • Arbitrary Class Deserialization: Risk reduced from High/Critical to Very Low.
    • DoS (related to autoType): Risk significantly reduced, although other DoS vectors unrelated to fastjson2 might still exist.

  • Currently Implemented:

    • Example: "Implemented in com.example.config.FastJsonConfig class, applied globally to all JSON.parseObject calls. Also configured in Spring Boot's application.properties." Be specific about file paths and configuration keys.

  • Missing Implementation:

    • Example: "Missing implementation for the LegacyDataImportService, which uses a custom ObjectMapper that hasn't been reviewed for fastjson2 settings. We need to audit this component."

Mitigation Strategy: Implement a Strict Allowlist (if AutoType is Required)

  • Description:

    1. Justify Necessity: Rigorously justify the need for autoType. Explore alternative design patterns that avoid dynamic class instantiation from JSON. This is a critical first step.
    2. Identify Safe Classes: Create a list of only the absolutely essential classes that need to be deserialized via autoType. Each class should be fully vetted for security implications.
    3. Use addAccept(): Use ParserConfig.getGlobalInstance().addAccept("com.example.MySafeClass") for each allowed class. Use the fully qualified class name. Do not use wildcards.
    4. Avoid Wildcards/Prefixes: Do not use wildcards (e.g., com.example.*) or package prefixes in the allowlist. Be as specific as possible. This is crucial for security.
    5. Centralize Allowlist: Maintain the allowlist in a single, well-defined location (e.g., a configuration class or file).
    6. Regular Review: Periodically review and update the allowlist. Remove any classes that are no longer needed. This should be a scheduled task.
    7. Consider Custom Filters: For complex allowlist logic (beyond simple class name matching), implement a custom Filter to control deserialization behavior. fastjson2 provides interfaces for this.
    8. Test Thoroughly: Test the allowlist extensively to ensure that it allows only the intended classes and blocks all others. Use negative testing to confirm this.

  • List of Threats Mitigated:

    • Threat: RCE via malicious @type (but only if the attacker can find a "gadget" class within the allowlist).
      • Severity: High (reduced from Critical, but still significant). The risk depends entirely on the allowlist's contents.
    • Threat: Deserialization of arbitrary, untrusted classes (limited to the allowlist).
      • Severity: Medium (reduced from High/Critical).

  • Impact:

    • RCE: Risk reduced, but still present. The effectiveness depends entirely on the security of the classes in the allowlist and the absence of exploitable gadgets within those classes.
    • Arbitrary Class Deserialization: Risk significantly reduced, but not eliminated. The allowlist defines the scope of allowed classes.

  • Currently Implemented:

    • Example: "Not currently implemented. AutoType is disabled globally." OR "Implemented in com.example.config.FastJsonConfig for the SpecialDataProcessor component, which requires deserialization of specific DTOs. The allowlist contains: com.example.dto.DataA, com.example.dto.DataB."

  • Missing Implementation:

    • Example: "Not applicable, as AutoType is disabled." OR "Missing implementation for any new components that might require autoType in the future. A process needs to be established for reviewing and approving additions to the allowlist before they are implemented."

Mitigation Strategy: Use SafeMode (if available and applicable)

  • Description:

    1. Check Availability: Consult the fastjson2 documentation for your specific version to determine if SafeMode is supported and how it is implemented.
    2. Enable SafeMode: Follow the documented instructions to enable SafeMode. This might involve a configuration setting (e.g., a system property, environment variable) or a specific API call.
    3. Test Functionality: Thoroughly test your application after enabling SafeMode to ensure that it still functions correctly. SafeMode might disable features that your application relies on, so comprehensive testing is essential.
    4. Monitor for Compatibility Issues: Be aware of potential compatibility issues with other libraries or frameworks that interact with fastjson2.

  • List of Threats Mitigated:

    • Threat: RCE and other vulnerabilities related to autoType and similar features that SafeMode disables.
      • Severity: High to Critical (depending on the specific vulnerabilities addressed by SafeMode in the version you are using).
    • Threat: Deserialization of arbitrary classes (if SafeMode completely disables this).
      • Severity: High to Critical.

  • Impact:

    • RCE and related vulnerabilities: Risk significantly reduced, potentially to Very Low, depending on the comprehensiveness of SafeMode's protections.
    • Arbitrary Class Deserialization: Risk significantly reduced, potentially eliminated, if SafeMode fully disables this functionality.

  • Currently Implemented:

    • Example: "Not currently implemented. Will investigate compatibility with our current fastjson2 version (2.0.x)." OR "Implemented via the FASTJSON2_SAFE_MODE=true environment variable."

  • Missing Implementation:

    • Example: "Needs investigation and testing to determine if SafeMode is suitable for our application and if it provides sufficient protection without breaking required functionality."

Mitigation Strategy: Regularly Update fastjson2

  • Description:

    1. Dependency Management: Use a dependency management tool (Maven, Gradle, etc.) to manage the fastjson2 dependency. This is standard practice for managing external libraries.
    2. Automated Updates: Configure your build system to automatically check for new versions of fastjson2. Tools like Dependabot (for GitHub) can automate this.
    3. Security Notifications: Subscribe to security mailing lists or follow fastjson2's official channels (e.g., GitHub releases, project website) to receive notifications about security vulnerabilities and patches.
    4. Testing and Deployment: Establish a process for promptly testing and deploying updates, especially security patches. Prioritize updates that address CVEs (Common Vulnerabilities and Exposures).
    5. Rollback Plan: Have a rollback plan in place in case an update introduces compatibility issues or regressions.

  • List of Threats Mitigated:

    • Threat: Exploitation of known vulnerabilities in older versions of fastjson2.
      • Severity: Varies (from Low to Critical) depending on the specific vulnerability that has been patched.

  • Impact:

    • Known Vulnerabilities: Risk reduced to Very Low for vulnerabilities that have been patched in the updated version. This is a reactive mitigation, addressing issues after they are discovered.

  • Currently Implemented:

    • Example: "Implemented via Maven. We use Dependabot to automatically create pull requests for dependency updates. We have a staging environment for testing updates before production deployment." OR "Partially implemented. We manually check for updates every month, which is not frequent enough."

  • Missing Implementation:

    • Example: "Need to configure automated dependency updates and establish a faster response process for security patches. Our current manual process is too slow."