added whitelist for bean deserialization

ant/build-test.xml

@@ -100,7 +100,9 @@ test.run.interop, test.run.jaxrs, test.run.failing, test.run.versions"
     />
     <target name="test.run.main" depends="test.compile">
        <!-- showoutput 'yes' to allow outputting debug msgs... -->
-        <junit fork="no" printsummary="yes" haltonfailure="no" showoutput="yes">
+       <junit fork="no" printsummary="yes" haltonfailure="no" showoutput="yes">
+	   <sysproperty key="jackson.deserialization.whitelist.packages"
+            value="org.codehaus.jackson,java.awt.Point,java.io.File,java.util.concurrent.atomic,java.io.Serializable"/>
             <batchtest fork="no" todir="${dir.test.xmlresults}">
                 <fileset dir="${dir.test.classes}">
                     <!-- Need to exclude inner classes... -->
@@ -129,7 +131,9 @@ test.run.interop, test.run.jaxrs, test.run.failing, test.run.versions"
 
     <target name="test.run.interop" depends="test.compile">
         <!-- for interop tests, yes, we need to fork (classloading issues) -->
-        <junit fork="yes" printsummary="yes" haltonfailure="no" showoutput="yes">
+	<junit fork="yes" printsummary="yes" haltonfailure="no" showoutput="yes">
+	    <sysproperty key="jackson.deserialization.whitelist.packages"
+            	value="org.codehaus.jackson,GBean"/>
             <batchtest fork="no" todir="${dir.test.xmlresults}">
                 <fileset dir="${dir.test.classes}">
                     <exclude name="**/*$*.class"/>
@@ -154,7 +158,9 @@ test.run.interop, test.run.jaxrs, test.run.failing, test.run.versions"
 
     <target name="test.run.jaxrs" depends="test.compile">
         <!-- And finally, minimal testing for jax-rs too -->
-        <junit fork="yes" printsummary="yes" haltonfailure="no" showoutput="yes">
+	<junit fork="yes" printsummary="yes" haltonfailure="no" showoutput="yes">
+	    <sysproperty key="jackson.deserialization.whitelist.packages"
+                value="org.codehaus.jackson"/>
             <batchtest fork="no" todir="${dir.test.xmlresults}">
                 <fileset dir="${dir.test.classes}">
                     <exclude name="**/*$*.class"/>

src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java

@@ -31,6 +31,18 @@ public class BeanDeserializerFactory
      */
     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
 
+
+    protected final static Set<String> ALLOW_DESER_PACKAGES;
+
+    static {
+	    String strlist = System.getProperty("jackson.deserialization.whitelist.packages");
+	    Set<String> s = new HashSet<String>();
+	    if(strlist != null)
+		    s = new HashSet<String>(Arrays.asList(strlist.split(",")));
+	    ALLOW_DESER_PACKAGES = Collections.unmodifiableSet(s);
+    }
+
+
     /*
     /**********************************************************
     /* Config class implementation
@@ -632,10 +644,32 @@ public JsonDeserializer<Object> createBeanDeserializer(DeserializationConfig con
         if (!isPotentialBeanType(type.getRawClass())) {
             return null;
         }
+
+	//Don't allow dangerous deserialization without a whitelist
+	//https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf
+	checkLegalTypes(type);
+
         // Use generic bean introspection to build deserializer
         return buildBeanDeserializer(config, type, beanDesc, property);
     }
 
+    protected void checkLegalTypes(JavaType type) throws JsonMappingException {
+	String full = type.getRawClass().getName();
+	Iterator<String> iter = ALLOW_DESER_PACKAGES.iterator();
+
+	boolean pass = false;
+	while(iter.hasNext()){
+		if(full.startsWith(iter.next())){
+			pass = true;
+			break;
+		}
+	}
+	if(!pass)
+		throw new JsonMappingException(
+				String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
+
+    }
+
     /**
      * Method that will find abstract type mapping for specified type, doing a single
      * lookup through registered abstract type resolvers; will not do recursive lookups.