Skip to content

Commit

Permalink
Fix #1737
Browse files Browse the repository at this point in the history
  • Loading branch information
cowtowncoder committed Aug 17, 2017
1 parent 6cd5be9 commit ddfddfb
Show file tree
Hide file tree
Showing 3 changed files with 100 additions and 6 deletions.
1 change: 1 addition & 0 deletions release-notes/VERSION
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ Project: jackson-databind
#1711: Delegating creator fails to work for binary data (`byte[]`) with
binary formats (CBOR, Smile)
#1735: Missing type checks when using polymorphic type ids
#1737: Block more JDK types from polymorphic deserialization

2.8.9 (12-Jun-2017)

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ public class BeanDeserializerFactory
static {
Set<String> s = new HashSet<>();
// Courtesy of [https://github.com/kantega/notsoserial]:
// (and wrt [databind#1599]
// (and wrt [databind#1599])
s.add("org.apache.commons.collections.functors.InvokerTransformer");
s.add("org.apache.commons.collections.functors.InstantiateTransformer");
s.add("org.apache.commons.collections4.functors.InvokerTransformer");
Expand All @@ -61,6 +61,15 @@ public class BeanDeserializerFactory
s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
// [databind#1680]: may or may not be problem, take no chance
s.add("com.sun.rowset.JdbcRowSetImpl");
// [databind#1737]; JDK provided
s.add("java.util.logging.FileHandler");
s.add("java.rmi.server.UnicastRemoteObject");
// [databind#1737]; 3rd party
s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");

DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
package com.fasterxml.jackson.databind.interop;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.*;

/**
Expand All @@ -12,12 +13,29 @@ static class Bean1599 {
public int id;
public Object obj;
}

static class PolyWrapper {
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,
include = JsonTypeInfo.As.WRAPPER_ARRAY)
public Object v;
}

public void testIssue1599() throws Exception
/*
/**********************************************************
/* Unit tests
/**********************************************************
*/

private final ObjectMapper MAPPER = objectMapper();

// // // Tests for [databind#1599]

public void testXalanTypes1599() throws Exception
{
final String clsName = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
final String JSON = aposToQuotes(
"{'id': 124,\n"
+" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
+" 'obj':[ '"+clsName+"',\n"
+" {\n"
+" 'transletBytecodes' : [ 'AAIAZQ==' ],\n"
+" 'transletName' : 'a.b',\n"
Expand All @@ -32,9 +50,75 @@ public void testIssue1599() throws Exception
mapper.readValue(JSON, Bean1599.class);
fail("Should not pass");
} catch (JsonMappingException e) {
verifyException(e, "Illegal type");
verifyException(e, "to deserialize");
verifyException(e, "prevented for security reasons");
_verifySecurityException(e, clsName);
}
}

// // // Tests for [databind#1737]

public void testJDKTypes1737() throws Exception
{
_testTypes1737(java.util.logging.FileHandler.class);
_testTypes1737(java.rmi.server.UnicastRemoteObject.class);
}

// 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
// but would require adding dependencies. This may be practical when
// checking done by module, but for now let's not do that for databind.

/*
public void testSpringTypes1737() throws Exception
{
_testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
_testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
}
public void testC3P0Types1737() throws Exception
{
_testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
_testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
}
*/

private void _testTypes1737(Class<?> nasty) throws Exception {
_testTypes1737(nasty.getName());
}

private void _testTypes1737(String clsName) throws Exception
{
// While usually exploited via default typing let's not require
// it here; mechanism still the same
String json = aposToQuotes(
"{'v':['"+clsName+"','/tmp/foobar.txt']}"
);
try {
MAPPER.readValue(json, PolyWrapper.class);
fail("Should not pass");
} catch (JsonMappingException e) {
_verifySecurityException(e, clsName);
}
}

protected void _verifySecurityException(Throwable t, String clsName) throws Exception
{
// 17-Aug-2017, tatu: Expected type more granular in 2.9 (over 2.8)
_verifyException(t, JsonMappingException.class,
"Illegal type",
"to deserialize",
"prevented for security reasons");
verifyException(t, clsName);
}

protected void _verifyException(Throwable t, Class<?> expExcType,
String... patterns) throws Exception
{
Class<?> actExc = t.getClass();
if (!expExcType.isAssignableFrom(actExc)) {
fail("Expected Exception of type '"+expExcType.getName()+"', got '"
+actExc.getName()+"', message: "+t.getMessage());
}
for (String pattern : patterns) {
verifyException(t, pattern);
}
}
}

0 comments on commit ddfddfb

Please sign in to comment.