Fastjson

Fastjson Component is a deserialization and serialization component developed by Alibaba .Fastjson Provides deserialization , Allow users to enter JSON String through “@type” Key corresponding value Specify any deserialized class name

Fastjson The custom deserialization mechanism will use reflection to generate the instantiated object of the above specified class , And automatically call the... Of the object setter Methods and parts getter Method . Malicious requests can be constructed by attackers , Make the code execution process of the target application enter this specific part setter or getter Method , If the above method has logic that can be maliciously exploited （ namely Gadget）, The attack path prepared by the attacker will be reproduced . The official uses the blacklist method to verify the deserialized class name , But with the passage of time and the improvement of automatic vulnerability mining ability . new Gadget Will continue to emerge , Blacklists, which treat the symptoms but not the root causes, will only lead to constant bypassing , Thus, users who use this component are troubled by constantly upgrading the version

rely on example

<dependencies>
   <dependency>
       <groupId>com.alibaba</groupId>
       <artifactId>fastjson</artifactId>
       <version>1.2.23</version>
   </dependency>
</dependencies>