Using features such as @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) or ObjectMapper.enableDefaultTyping() with Jackson can be a security risk, as such configurations are stepping stones towards a successful exploit.
Jackson is a well-known serialization/deserialization library for Java that supports deserializing data based solely on type information contained within it. This mechanism can be abused through "deserialization gadgets" to execute attacks on the target system.
Avoid specifying unsafe configurations for Jackson deserialization.
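As an added example (not part of the original rule text), the flagged configuration beside two hardened alternatives: an explicit allow-list of subtypes via @JsonSubTypes, and, where global default typing cannot be removed, a PolymorphicTypeValidator that limits eligible types. Pet, Dog and Cat are constructed sample types; Jackson 2.10 or later is assumed for activateDefaultTyping.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonPolymorphism {

    // Unsafe: the JSON document itself names the class to instantiate.
    // This is what the rule above flags; shown only for contrast.
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since Jackson 2.10 for this reason
        return mapper;
    }

    // Safer: a closed set of logical type names mapped to known classes.
    // Constructed sample types, not from the original page.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Dog.class, name = "dog"),
        @JsonSubTypes.Type(value = Cat.class, name = "cat")
    })
    interface Pet { }
    static final class Dog implements Pet { public String name; }
    static final class Cat implements Pet { public String name; }

    // If global default typing is unavoidable, restrict which base types and
    // subtypes are eligible instead of accepting any class on the classpath.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Pet.class)
            .allowIfSubType(Pet.class)
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Accepted: "dog" resolves to Dog through the allow-list.
        Pet pet = mapper.readValue("{\"type\":\"dog\",\"name\":\"Rex\"}", Pet.class);
        System.out.println(pet.getClass().getSimpleName());
        // Rejected: an unregistered type id is never resolved to a class.
        try {
            mapper.readValue("{\"type\":\"java.util.HashMap\"}", Pet.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```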
Biometric authentication should not be performed without an associated CryptoObject value.
This code stores a reference to an externally mutable object into a static field. If unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. It may be possible for external code to inspect or change the value of the static field by holding a reference to it after passing it to this class.
A mutable static field could be changed by malicious code or by accident if it is public. The field could be made package-private to avoid this vulnerability.
Be careful when setting bean properties using external data.