Jackson中Json隐式数据类型转换与参数走私分析<\/h1>

0x00 前言<\/h2>
在Java中处理JSON数据时，隐式数据类型转换通常由JSON处理库自动完成。这些库会根据JSON值的格式和上下文推断并转换数据类型。本文以Jackson库为例，深入分析其隐式类型转换机制及可能导致的参数走私问题。<\/p>

0x01 Jackson隐式转换(String->int)过程<\/h2>

基本示例<\/h3>

考虑以下User类定义：<\/p>

public<\/span> class<\/span> User<\/span> {<\/span>
<\/span><\/span>    private<\/span> int<\/span> roleId;<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> int<\/span> getRoleId<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> roleId;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> void<\/span> setRoleId<\/span>(<\/span>int<\/span> roleId)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>roleId<\/span> =<\/span> roleId;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>通过@RequestBody<\/code>传递User对象时，Spring Boot默认使用Jackson处理：<\/p>
@RequestMapping<\/span>(<\/span>value =<\/span> "\/create"<\/span>)<\/span>
<\/span><\/span>public<\/span> User demo<\/span>(<\/span>@RequestBody<\/span> User user){<\/span>
<\/span><\/span>    return<\/span> user;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Jackson在默认情况下，即使JSON中的数字值被引号包围（表示字符串），也能成功转换为int类型的roleId。<\/p>
转换过程分析<\/h3>


初始化阶段<\/strong>：<\/p>
ObjectMapper objectMapper =<\/span> new<\/span> ObjectMapper();<\/span>
<\/span><\/span>objectMapper.<\/span>configure<\/span>(<\/span>DeserializationFeature.<\/span>FAIL_ON_UNKNOWN_PROPERTIES<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>User user =<\/span> objectMapper.<\/span>readValue<\/span>(<\/span>body,<\/span> User.<\/span>class<\/span>);<\/span>
<\/span><\/span><\/code><\/pre><\/li>

解析流程<\/strong>：<\/p>

调用_readMapAndClose<\/code>方法初始化解析器<\/li>
创建DefaultDeserializationContext<\/code>上下文对象<\/li>
读取JsonToken<\/code>并根据类型处理数据<\/li>
<\/ul>
<\/li>

反序列化处理<\/strong>：<\/p>

通过BeanDeserializer<\/code>的deserialize<\/code>方法处理<\/li>
在vanillaDeserialize<\/code>方法中遍历JSON字段<\/li>
对于int类型属性，使用IntegerDeserializer#deserialize<\/code>处理<\/li>
<\/ul>
<\/li>

字符串到整数的转换<\/strong>：<\/p>

检查JSON Token类型<\/li>
对于字符串Token(VALUE_STRING)，调用_parseIntPrimitive<\/code>方法<\/li>
处理前会调用trim()<\/code>方法清理空格<\/li>
最终通过NumberInput.parseInt<\/code>完成转换<\/li>
<\/ul>
<\/li>
<\/ol>
0x02 参数走私案例<\/h2>
场景描述<\/h3>
应用使用User类的roleId(int类型)表示用户角色类型，同时在拦截器中使用Fastjson处理请求体：<\/p>
Map<<\/span>String,<\/span> Object><\/span> params =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>body,<\/span> HashMap.<\/span>class<\/span>);<\/span>
<\/span><\/span>if<\/span>(<\/span>params.<\/span>get<\/span>(<\/span>"roleId"<\/span>).<\/span>equals<\/span>(<\/span>"1"<\/span>)){<\/span>
<\/span><\/span>    \/\/ 鉴权逻辑
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用差异<\/h3>


空格处理差异<\/strong>：<\/p>

Jackson会忽略字符串中的空格<\/li>
Fastjson不会忽略空格<\/li>
<\/ul>
String body =<\/span> "{\"roleId\":\"1 \"}"<\/span>;<\/span>
<\/span><\/span>\/\/ Jackson解析结果为1
<\/span><\/span><\/span>\/\/ Fastjson解析结果为"1 "，不等于"1"
<\/span><\/span><\/span><\/code><\/pre><\/li>

前导零处理<\/strong>：<\/p>

Jackson会忽略数字字符串前导的零<\/li>
Fastjson会保留原始字符串形式<\/li>
<\/ul>
String body =<\/span> "{\"roleId\":\"00001\"}"<\/span>;<\/span>
<\/span><\/span>\/\/ Jackson解析结果为1
<\/span><\/span><\/span>\/\/ Fastjson解析结果为"00001"
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
攻击向量<\/h3>
通过构造特殊格式的JSON，利用不同解析器的处理差异绕过安全检测：<\/p>
{
<\/span><\/span>    "roleId"<\/span>: "1 "<\/span>  \/\/ 带空格的字符串
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>或<\/p>
{
<\/span><\/span>    "roleId"<\/span>: "00001"<\/span>  \/\/ 带前导零的字符串
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x03 其他类型处理<\/h2>
long类型处理<\/h3>
_parseLongPrimitive<\/code>方法同样会：<\/p>

忽略字符串中的空格<\/li>
处理前导零<\/li>
支持从字符串到long的隐式转换<\/li>
<\/ul>
double类型处理<\/h3>
类似地，double类型的处理也会：<\/p>

自动清理字符串中的空格<\/li>
完成字符串到double的转换<\/li>
<\/ul>
Gson的类似行为<\/h3>
Gson库也存在类似的隐式转换逻辑：<\/p>
String body =<\/span> "{\"roleId\":\"123456789 \"}"<\/span>;<\/span>
<\/span><\/span>Gson gson =<\/span> new<\/span> Gson();<\/span>
<\/span><\/span>User user =<\/span> gson.<\/span>fromJson<\/span>(<\/span>body,<\/span> User.<\/span>class<\/span>);<\/span>
<\/span><\/span>\/\/ 解析结果为123456789
<\/span><\/span><\/span><\/code><\/pre>防御建议<\/h2>

统一JSON解析器<\/strong>：确保应用各层使用相同的JSON处理库<\/li>
严格类型检查<\/strong>：在拦截器中明确检查数据类型<\/li>
输入规范化<\/strong>：对输入值进行trim等规范化处理<\/li>
使用严格模式<\/strong>：配置解析器不自动进行类型转换<\/li>
白名单验证<\/strong>：对关键字段进行严格的白名单验证<\/li>
<\/ol>
总结<\/h2>
Jackson等JSON库的隐式类型转换机制虽然提供了便利，但也带来了潜在的安全风险。特别是在混合使用不同JSON库或存在安全检测逻辑时，可能被利用进行参数走私攻击。开发者应当充分了解所使用的JSON库的行为特性，并在安全关键路径上进行严格的数据验证。<\/p>

Jackson中Json隐式数据类型转换与参数走私分析<\/h1>

0x00 前言<\/h2> 在Java中处理JSON数据时，隐式数据类型转换通常由JSON处理库自动完成。这些库会根据JSON值的格式和上下文推断并转换数据类型。本文以Jackson库为例，深入分析其隐式类型转换机制及可能导致的参数走私问题。<\/p>

0x01 Jackson隐式转换(String->int)过程<\/h2>

0x02 参数走私案例<\/h2>

0x03 其他类型处理<\/h2>

0x00 前言<\/h2>
在Java中处理JSON数据时，隐式数据类型转换通常由JSON处理库自动完成。这些库会根据JSON值的格式和上下文推断并转换数据类型。本文以Jackson库为例，深入分析其隐式类型转换机制及可能导致的参数走私问题。<\/p>