Spotbugs + Java: may expose internal representation by storing an externally mutable object into objectMapper #1382
Comments
This issue is not a Jackson issue. It is a problem with your code. Try making the objectMapper private. Contact the spotbugs community to see if they have other suggestions.
@patpatpat123 Going forward you would want to reach out on Spring Boot forums for issues like this; as @pjfanning suggested this has little to do with Jackson based on output you shared.
Suggests that it is not a great idea to share an ObjectMapper instance across various classes because one of those might mutate the configuration of the ObjectMapper instance - and this would affect other classes that had access to the same instance. You would be better off sharing (autowiring) ObjectReader and ObjectWriter instances. This can't be mutated. If you call an API to change the config of an ObjectReader or ObjectWriter, you are returned a new instance that has the modified config.
You may need to update your Dependency Injection code to inject an ObjectReader instance and/or ObjectWriter instance. They can be created using an ObjectMapper instance.
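The suggestion in the comment above, as an added example that is not code from this thread or from the Jackson project: a class stores an `ObjectReader` and `ObjectWriter` instead of the shared `ObjectMapper`, and a "reconfiguration" by another holder yields a new instance without affecting it. `ReaderWriterDemo`, `Order` and `OrderService` are hypothetical names, and the JSON is constructed sample input.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectReader;
import com.fasterxml.jackson.databind.ObjectWriter;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class ReaderWriterDemo {
    // Hypothetical payload type, used only for this demo.
    public static class Order {
        public String id;
    }

    // Hypothetical service: keeps immutable reader/writer handles, never the mapper itself.
    static final class OrderService {
        private final ObjectReader reader;
        private final ObjectWriter writer;

        OrderService(ObjectReader reader, ObjectWriter writer) {
            this.reader = reader;
            this.writer = writer;
        }

        Order parse(String json) throws Exception { return reader.readValue(json); }
        String render(Order order) throws Exception { return writer.writeValueAsString(order); }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();   // created once, where the objects are wired up
        ObjectReader strict = mapper.readerFor(Order.class);
        ObjectWriter writer = mapper.writerFor(Order.class);
        OrderService service = new OrderService(strict, writer);

        // Constructed sample input carrying a field that Order does not declare.
        String json = "{\"id\":\"A1\",\"unexpected\":true}";

        // Another holder of the reader changes a setting: it gets a new instance back.
        ObjectReader lenient = strict.without(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        Order relaxed = lenient.readValue(json);
        System.out.println("new instance: " + (lenient != strict) + ", parsed id: " + relaxed.id);

        // The service's reader still has the original strict setting.
        try {
            service.parse(json);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("service still strict, rejected: " + e.getPropertyName());
        }
        System.out.println(service.render(service.parse("{\"id\":\"A1\"}")));
    }
}
```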
Thank you all for your answers
Hello team,
Since this is my first issue from 2025, just wanted to start by wishing you a happy new year and the best for 2025.
Wanted to reach out regarding an issue reported by spot bugs: "may expose internal representation by storing an externally mutable object into objectMapper"
We are using SpringBoot, and in many of our classes, we have this construct:
This would be flagged with
"may expose internal representation by storing an externally mutable object into objectMapper"
Could you please help fix this vulnerability?
Thank you for your time