Merge pull request #23 from CJSCommonPlatform/upgrade-jackson

Upgrade Jackson to 2.8.11 to fix Jackson security issues
CJSCommonPlatform · May 17, 2018 · 62dad72 · 62dad72
2 parents 6e6a60e + 9af36f9
commit 62dad72
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@ on [Keep a CHANGELOG](http://keepachangelog.com/). This project adheres to
 
 ## [Unreleased]
 
+## [1.13.1] - 2018-05-17
+- Upgrade Jackson to 2.8.11 to fix Jackson security issues 
+
 ## [1.13.0] - 2018-04-13
 
 ### Added

diff --git a/pom.xml b/pom.xml
@@ -22,9 +22,8 @@
 
     <properties>
         <cpp.repo.name>utilities</cpp.repo.name>
-
-        <common-bom.version>1.24.0</common-bom.version>
-        <test-utils.version>1.15.0</test-utils.version>
+        <common-bom.version>1.26.0</common-bom.version>
+        <test-utils.version>1.17.2</test-utils.version>
     </properties>
 
     <scm>

diff --git a/...ervices/common/converter/jackson/additionalproperties/AdditionalPropertiesSerializer.java b/...ervices/common/converter/jackson/additionalproperties/AdditionalPropertiesSerializer.java
@@ -5,26 +5,35 @@
 import java.io.IOException;
 import java.lang.reflect.Field;
 import java.util.Map;
+import java.util.Set;
 
 import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.databind.SerializerProvider;
 import com.fasterxml.jackson.databind.ser.impl.ObjectIdWriter;
 import com.fasterxml.jackson.databind.ser.std.BeanSerializerBase;
 
-
 public class AdditionalPropertiesSerializer extends BeanSerializerBase {
 
+
+    // deprecated as the super constructor is deprecated.
+    // TODO remove this constructor and use the non deprecated version
+    @Deprecated
     public AdditionalPropertiesSerializer(final BeanSerializerBase source, final String[] toIgnore) {
         super(source, toIgnore);
     }
 
+    // Use this constructor from now on
+    public AdditionalPropertiesSerializer(final BeanSerializerBase source, final Set<String> toIgnore) {
+        super(source, toIgnore);
+    }
+
     @Override
     public BeanSerializerBase withObjectIdWriter(final ObjectIdWriter objectIdWriter) {
         throw new UnsupportedOperationException();
     }
 
     @Override
-    public BeanSerializerBase withIgnorals(final String[] toIgnore) {
+    public BeanSerializerBase withIgnorals(final Set<String> toIgnore) {
         throw new UnsupportedOperationException();
     }
 

diff --git a/...ces/common/converter/jackson/additionalproperties/AdditionalPropertiesSerializerTest.java b/...ces/common/converter/jackson/additionalproperties/AdditionalPropertiesSerializerTest.java
@@ -1,6 +1,7 @@
 package uk.gov.justice.services.common.converter.jackson.additionalproperties;
 
 import static com.google.common.base.CharMatcher.any;
+import static com.google.common.collect.Sets.newHashSet;
 import static org.mockito.Matchers.anyObject;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Mockito.doThrow;
@@ -13,6 +14,7 @@
 
 import java.io.IOException;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 
 import com.fasterxml.jackson.core.JsonGenerator;
@@ -44,11 +46,11 @@ public class AdditionalPropertiesSerializerTest {
 
     @Before
     public void setup() {
-        additionalPropertiesSerializer
-                = new AdditionalPropertiesSerializer(dummySerializer,
-                new String[]{ADDITIONAL_PROPERTIES_NAME});
+        additionalPropertiesSerializer = new AdditionalPropertiesSerializer(
+                dummySerializer,
+                newHashSet(ADDITIONAL_PROPERTIES_NAME));
 
-        when(serializerProviderMock.mappingException(anyString(), anyObject())).thenReturn(new JsonMappingException(""));
+        when(serializerProviderMock.mappingException(anyString(), anyObject())).thenReturn(new JsonMappingException(null, ""));
     }
 
     @Test
@@ -96,7 +98,7 @@ public void shouldThrowExceptionThroughSerializerProviderWhenJsonGeneratorThrows
 
         try {
             additionalPropertiesSerializer.serialize(person, jsonGeneratorMock, serializerProviderMock);
-        } catch (final IOException ioex) {
+        } catch (final IOException expected) {
             // Expected
         }
 
@@ -111,7 +113,7 @@ public void shouldThrowExceptionThroughSerializerProviderWhenNoAdditionalPropert
 
         try {
             additionalPropertiesSerializer.serialize(person, jsonGeneratorMock, serializerProviderMock);
-        } catch (final IOException ioex) {
+        } catch (final IOException expected) {
             // Expected
         }
 
@@ -125,7 +127,7 @@ public void shouldReturnUnsupportedOperationExceptionFromWithObjectIdWriter() {
 
     @Test(expected = UnsupportedOperationException.class)
     public void shouldReturnUnsupportedOperationExceptionFromWithIgnorals() {
-        additionalPropertiesSerializer.withIgnorals(new String[0]);
+        additionalPropertiesSerializer.withIgnorals(new HashSet<>());
     }
 
     @Test(expected = UnsupportedOperationException.class)