
com.io7m.dixmont


dixmont


Some useful extension classes for jackson.

Features


  • Restricted JSON deserializer for preventing reflection-based serialization attacks.
  • Written in pure Java 21.
  • OSGi ready.
  • JPMS ready.
  • ISC license.
  • High-coverage automated test suite.

Motivation


Systems that use reflection to deserialize data are typically subject to deserialization attacks. The jackson JSON library is no exception to this.

The dixmont package provides a blunt and brute-force means to reduce the impact of attacks: All of the permitted classes that can be deserialized are listed, and everything else is rejected.

Building


$ mvn clean verify

Usage


Create a set of restricted deserializers that is permitted to deserialize only the given classes and no others, and then register it with an ObjectMapper:

// Allow list: every class (and parameterized type) that may be deserialized.
var serializers =
  DmJsonRestrictedDeserializers.builder()
    .allowClass(Optional.class)
    .allowClass(Path.class)
    .allowClass(String.class)
    .allowClass(URI.class)
    .allowClass(int.class)
    .allowClass(double.class)
    .allowClass(List.class)
    .allowClassName("java.util.Optional<java.lang.Integer>")
    .allowClassName("java.util.List<java.lang.String>")
    .build();

var mapper =
  JsonMapper.builder()
    .build();

// Install the restricted deserializers on the mapper through a module.
final var simpleModule = new SimpleModule();
simpleModule.setDeserializers(serializers);
mapper.registerModule(simpleModule);

Parser code using the given ObjectMapper will be prevented from deserializing values of anything other than the given classes. Hostile JSON text that attempts to get the deserializer to instantiate other classes will fail.
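An added example, not part of the dixmont project's own documentation, showing the allow list accepting a listed type and refusing an unlisted one. The Endpoint and Redirect records and the sample JSON are constructed for illustration, and the import path for DmJsonRestrictedDeserializers is an assumption inferred from the com.io7m.dixmont.core artifact name.

```java
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
// Assumed package name, inferred from the com.io7m.dixmont.core artifact.
import com.io7m.dixmont.core.DmJsonRestrictedDeserializers;

import java.net.URI;
import java.util.List;

// Constructed sample types: only Endpoint and its component types are allowed.
record Endpoint(String name, int port, List<String> tags) { }
record Redirect(String name, URI target) { }

public final class RestrictedDemo
{
  static JsonMapper restrictedMapper()
  {
    final var deserializers =
      DmJsonRestrictedDeserializers.builder()
        .allowClass(Endpoint.class)
        .allowClass(String.class)
        .allowClass(int.class)
        .allowClass(List.class)
        .allowClassName("java.util.List<java.lang.String>")
        .build();

    final var module = new SimpleModule();
    module.setDeserializers(deserializers);
    return JsonMapper.builder().addModule(module).build();
  }

  public static void main(final String[] args) throws Exception
  {
    final var mapper = restrictedMapper();

    // Every type reachable from Endpoint is on the allow list.
    final var ok = mapper.readValue(
      "{\"name\":\"api\",\"port\":8443,\"tags\":[\"prod\"]}", Endpoint.class);
    System.out.println("accepted: " + ok);

    // Redirect and URI were never listed, so binding should be refused.
    try {
      mapper.readValue(
        "{\"name\":\"x\",\"target\":\"https://example.invalid/\"}", Redirect.class);
      System.out.println("unexpected: Redirect was deserialized");
    } catch (final Exception e) {
      // The exact exception type is not stated on the page, so catch broadly.
      System.out.println("rejected: " + e.getClass().getSimpleName());
    }
  }
}
```

A negative test like the second call is worth keeping in a project's own test suite, so that a later change to the allow list that admits an unintended type is caught.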

Releases & Development Snapshots


Releases


You can subscribe to the atom feed to be notified of project releases.

The most recently released version of the package is 2.0.0.

2.0.0 Release (2024-05-11Z)

  • Update ch.qos.logback:logback-classic:1.4.14 → 1.5.6.
  • Update org.slf4j:slf4j-api:2.0.10 → 2.0.13.
  • Update junit.version:5.10.1 → 5.10.2.
  • Update jackson.version:2.16.1 → 2.17.0.
  • Update jackson.version:2.17.0 → 2.17.1.
  • Require JDK 21. (Backwards incompatible)
  • Move to new organization.

The compiled artifacts for the release (and all previous releases) are available on Maven Central.

Maven Modules


<dependency>
  <groupId>com.io7m.dixmont</groupId>
  <artifactId>com.io7m.dixmont.colors</artifactId>
  <version>2.0.0</version>
</dependency>
<dependency>
  <groupId>com.io7m.dixmont</groupId>
  <artifactId>com.io7m.dixmont.core</artifactId>
  <version>2.0.0</version>
</dependency>
<dependency>
  <groupId>com.io7m.dixmont</groupId>
  <artifactId>com.io7m.dixmont.tests</artifactId>
  <version>2.0.0</version>
</dependency>

Previous Releases


The changelogs for the most recent previous releases are as follows:

1.0.0 Release (2023-06-11Z)

  • Initial major release.

Development Snapshots


At the time of writing, the current unstable development version of the package is 2.0.1-SNAPSHOT.

Development snapshots may be available in the Central Portal Snapshots repository. Snapshots are published to this repository every time the project is built by the project's continuous integration system, but snapshots do expire after around ninety days and so may or may not be available depending on when a build of the package was last triggered.

Manual


This project does not have any user manuals or other documentation beyond what might be present on the page above.

Sources


This project uses Git to manage source code.

Repository: https://www.github.com/io7m-com/dixmont

$ git clone --recursive https://www.github.com/io7m-com/dixmont

Issues


This project uses GitHub Issues to track issues.

License


Copyright © 2023 Mark Raynsford <code@io7m.com> https://www.io7m.com

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Last Updated 2025-08-09T12:39:05Z