Potential vulnerability in JSON deserialization

## Current behavior
Jodd's Json parser supports polymorphic deserialization when setClassMetadataName is set.
If an application parses JSON with this configuration from an untrusted source, it could lead to remote code execution.
The problem is quite the same as in other Java JSON libraries.
Here you can read more:
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf

## Expected behavior
At least, you should mention security-implication of usage setClassMetadataName, similar to  [Jackson databind](https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#111-security-risks-using-global-default-typing)


## Steps to Reproduce the Problem
If necessary, I could send an example of JSON which lead to RCE

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Potential vulnerability in JSON deserialization #628

Current behavior

Expected behavior

Steps to Reproduce the Problem

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Potential vulnerability in JSON deserialization #628

Description

Current behavior

Expected behavior

Steps to Reproduce the Problem

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions