0

During testing , I have faced the issue.I have published a rest API with a controller class with a model input . While Calling the API , instead of a single string , an array [{"a":1,"b":2}] has been used. Which triggered the following error:

{

"timestamp": "2018-12-19T12:33:36.729+0000",
"status": 400,
"error": "Bad Request",
"message": "JSON parse error: Cannot deserialize instance of `java.lang.String` out of START_ARRAY token; nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `java.lang.String` out of START_ARRAY token\n at [Source: (PushbackInputStream); line: 3, column: 14] (through reference chain: com.xy.df.model.inputReq[\"req\"])",
"path": "x/y/z"

}

We did not imported JACKSON dependency in application , explicitly in POM. I have noticed in the parent pom jackson version used is :2.9.5

<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.5</version>
</dependency>

1.Is it vulnerable for RCE? How to resolve this in Spring-boot ? 2. How I can supress/override the exception message so that client never gets to know what libraries used underneath ?

SUBHODiP Ghosh
  • 61
  • 9

2 Answers2

3

JsonMappingException: out of START_ARRAY token exception is thrown by Jackson object mapper as it's expecting an Object {} whereas it found an Array [{}] in response.

This can be solved by replacing Object with Object[] in the argument for geForObject("url",Object[].class). References:

  1. Ref.1
  2. Ref.2
  3. Ref.3
Aritra Paul
  • 834
  • 1
  • 8
  • 14
  • Hello Aritra - ty for quick response. I don't want to pass arrays as request . It was done as part for regression with invalid input [{"a":1,"b":2}] . – SUBHODiP Ghosh Dec 19 '18 at 13:07
  • My questions was around the response , 1.Is the jackson version is vulnerable for RCE? How to resolve this in Spring-boot ? 2. How I can supress/override the exception message so that client never gets to know what libraries used underneath ? – SUBHODiP Ghosh Dec 19 '18 at 13:09
0

I have resolved issue . Before going ahead , one needs to understand couple of very useful annotations- @ExceptionHandler - This handler helps you define an error class for which you want to catch the exception @controller advice - It caters a cross cutting approach . Any class mentioned as controller advice , it is available for all the controller under your microservice.

@ControllerAdvice
public class ExceptionController {

    @Autowired
    SomeGenericResponse someGenericResponse ; /* data model of common response */

    @ExceptionHandler(value = <My case Jackson Class>.class)
    public ResponseEntity<SomeGenericResponse> CustomException(HttpServletRequest req, HttpServletResponse res,Exception ex) {


        someGenericResponse.setMessage("Your Message");
        someGenericResponse.setStatus("false");

        return new ResponseEntity<SomeGenericResponse> someGenericResponse ,HttpStatus.BAD_REQUEST);
    }
}
vvvvv
  • 25,404
  • 19
  • 49
  • 81
SUBHODiP Ghosh
  • 61
  • 9