Merge branch '2.8' into 2.9
cowtowncoder committed Feb 11, 2018
2 parents 4a2d8f4 + c921f09 commit e66c0a9
Showing 4 changed files with 40 additions and 14 deletions.
2 changes: 2 additions & 0 deletions release-notes/VERSION-2.x
Expand Up @@ -12,6 +12,7 @@ Project: jackson-databind
#1912: `BeanDeserializerModifier.updateBuilder()` not work to set custom
deserializer on a property (since 2.9.0)
(contributed by Deblock T)
#1931: Two more `c3p0` gadgets to exploit default typing issue

2.9.4 (24-Jan-2018)

Expand Down Expand Up @@ -213,6 +214,7 @@ Project: jackson-databind
(reported by Rob W)
#1899: Another two gadgets to exploit default typing issue in jackson-databind
(reported by OneSourceCat@github)
#1931: Two more `c3p0` gadgets to exploit default typing issue

2.8.11 (24-Dec-2017)

Expand Up @@ -19,7 +19,10 @@
*/
public class SubTypeValidator
{
protected final static String PREFIX_STRING = "org.springframework.";
protected final static String PREFIX_SPRING = "org.springframework.";

protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";

/**
* Set of well-known "nasty classes", deserialization of which is considered dangerous
* and should (and is) prevented by default.
Expand All @@ -46,8 +49,9 @@ public class SubTypeValidator
// [databind#1737]; 3rd party
//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");

// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
// [databind#1855]: more 3rd party
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
Expand Down Expand Up @@ -86,8 +90,10 @@ public void validateSubType(DeserializationContext ctxt, JavaType type,
// 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
// for some Spring framework types
// 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
if (raw.isInterface()) {
;
} else if (full.startsWith(PREFIX_SPRING)) {
for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
String name = cls.getSimpleName();
// looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
if ("AbstractPointcutAdvisor".equals(name)
Expand All @@ -96,6 +102,16 @@ public void validateSubType(DeserializationContext ctxt, JavaType type,
break main_check;
}
}
} else if (full.startsWith(PREFIX_C3P0)) {
// [databind#1737]; more 3rd party
// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
// [databind#1931]; more 3rd party
// com.mchange.v2.c3p0.ComboPooledDataSource
// com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
if (full.endsWith("DataSource")) {
break main_check;
}
}
return;
} while (false);
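Review bot: The `if (raw.isInterface()) { ; }` branch at the top of the rewritten check is an empty statement whose only role is to keep interfaces out of the two `else if` branches, which reads like an accident rather than a decision; wrapping the two prefix branches in `if (!raw.isInterface()) { ... }`, or at least adding `// interfaces are never blocked here; only concrete classes are checked below`, would make the intent explicit. The `full.endsWith("DataSource")` rule under `PREFIX_C3P0` is deliberately broader than the two class names the commented-out `s.add(...)` lines in the first hunk used to list, yet the comments directly above it only enumerate four example names; a one-line comment stating that every `com.mchange.v2.c3p0.` class whose name ends in `DataSource` is now rejected would document the contract the new test depends on. The enclosing `validateSubType` method starts outside the hunk.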
Expand Up @@ -10,6 +10,8 @@
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;

import com.mchange.v2.c3p0.jacksontest.ComboPooledDataSource;

/**
* Test case(s) to guard against handling of types that are illegal to handle
* due to security constraints.
Expand Down Expand Up @@ -38,7 +40,7 @@ static class Authentication1872 {
*/

private final ObjectMapper MAPPER = objectMapper();

// // // Tests for [databind#1599]

public void testXalanTypes1599() throws Exception
Expand Down Expand Up @@ -86,34 +88,34 @@ public void testJDKTypes1855() throws Exception

// 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
// but would require adding dependencies. This may be practical when
// checking done by module, but for now let's not do that for databind.
// checking done by separate module, but for now let's not do that for databind.

/*
public void testSpringTypes1737() throws Exception
{
_testIllegalType("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
_testIllegalType("org.springframework.beans.factory.config.PropertyPathFactoryBean");
}
public void testC3P0Types1737() throws Exception
{
_testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
_testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
}
*/

// // // Tests for [databind#1872]
public void testJDKTypes1872() throws Exception
{
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);

String json = aposToQuotes(String.format("{'@class':'%s','authorities':['java.util.ArrayList',[]]}",
Authentication1872.class.getName()));
Authentication1872 result = mapper.readValue(json, Authentication1872.class);
assertNotNull(result);
}

// [databind#1931]
public void testC3P0Types() throws Exception
{
_testIllegalType(ComboPooledDataSource.class); // [databind#1931]
}

private void _testIllegalType(Class<?> nasty) throws Exception {
_testIllegalType(nasty.getName());
}
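Review bot: `testC3P0Types` breaks the naming convention of its siblings (`testXalanTypes1599`, `testJDKTypes1855`, `testJDKTypes1872`), which carry the issue number in the method name; renaming it `testC3P0Types1931` would make the two trailing `// [databind#1931]` comments redundant. The test exercises a stub `com.mchange.v2.c3p0.jacksontest.ComboPooledDataSource` that shares only the `com.mchange.v2.c3p0.` prefix and the `DataSource` suffix with the real c3p0 class, so it pins the prefix/suffix rule in `SubTypeValidator` rather than any real third-party type; a comment on the test saying so would stop a reader from assuming the c3p0 dependency is on the classpath. The 17-Aug-2017 comment above the commented-out block, which says third-party types are not tested here, may be worth updating to mention this stub-based approach.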
@@ -0,0 +1,6 @@
package com.mchange.v2.c3p0.jacksontest;

// test class for [databind#1931]
public class ComboPooledDataSource {

}
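Review bot: The `// test class for [databind#1931]` comment on the new stub does not say why a class with this name lives in the test tree: it stands in for c3p0's `ComboPooledDataSource`, and as far as the validator is concerned only its package prefix and `DataSource` name suffix matter. A Javadoc such as `/** Stand-in for c3p0's ComboPooledDataSource; only the com.mchange.v2.c3p0. package prefix and the DataSource name suffix are significant to SubTypeValidator. */` would explain the otherwise surprising presence of a non-c3p0 class under a c3p0 package.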
