OWASP Dependency Check

eclipse-scout · Oct 30, 2023 · 8b80574 · 8b80574
1 parent 43a1e51
commit 8b80574
Show file tree

Hide file tree

Showing 13 changed files with 422 additions and 156 deletions.
diff --git a/org.eclipse.scout.migration.ecma6/pom.xml b/org.eclipse.scout.migration.ecma6/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2021 BSI Business Systems Integration AG.
+  ~ Copyright (c) 2010-2023 BSI Business Systems Integration AG.
   ~ All rights reserved. This program and the accompanying materials
   ~ are made available under the terms of the Eclipse Public License v1.0
   ~ which accompanies this distribution, and is available at

diff --git a/...c/test/java/org/eclipse/scout/rt/jackson/dataobject/JsonDataObjectsSerializationTest.java b/...c/test/java/org/eclipse/scout/rt/jackson/dataobject/JsonDataObjectsSerializationTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2021 BSI Business Systems Integration AG.
+ * Copyright (c) 2010-2023 BSI Business Systems Integration AG.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -105,6 +105,7 @@
 import org.eclipse.scout.rt.platform.util.date.DateUtility;
 import org.eclipse.scout.rt.platform.util.date.StrictSimpleDateFormat;
 import org.eclipse.scout.rt.testing.platform.BeanTestingHelper;
+import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
@@ -1066,7 +1067,7 @@ public void testDeserialize_TestItemDoList() throws Exception {
   public void testDeserialize_TestItemDoListAsObjectList() throws Exception {
     String json = readResourceAsString("TestItemDoList.json");
     // read value as raw DoList without concrete bind type information
-    DoList<TestItemDo> testDo = s_dataObjectMapper.readValue(json, new TypeReference<DoList<Object>>() {
+    DoList<TestItemDo> testDo = s_dataObjectMapper.readValue(json, new TypeReference<DoList<TestItemDo>>() {
     });
     assertEquals("foo", testDo.get(0).getId());
     assertEquals("bar", testDo.get(0).getStringAttribute());
@@ -1915,6 +1916,7 @@ public void testSerializeDeserialize_GenericDoListAttribute() throws Exception {
     assertEquals("foo-id-1", marshalled.getGenericListAttribute().get(0).getId());
 
     // read value with incomplete generic type definition
+    @SuppressWarnings("unchecked")
     TestGenericDo<TestItemDo> marshalled2 = s_dataObjectMapper.readValue(json, new TypeReference<TestGenericDo>() {
     });
     assertEqualsWithComparisonFailure(itemsDo, marshalled2);
@@ -2231,23 +2233,23 @@ public void testDeserialize_Numbers() throws Exception {
     entity = s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "\"123.456\""), TestComplexEntityDo.class);
     assertEquals(new BigDecimal("123.456"), entity.getBigDecimalAttribute());
 
-    assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "123-456"), TestComplexEntityDo.class));
-    assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "123-456-100"), TestComplexEntityDo.class));
-    assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "\"123-456\""), TestComplexEntityDo.class));
-    assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "\"10-03-2019\""), TestComplexEntityDo.class));
-    assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "\"123,456\""), TestComplexEntityDo.class));
-
-    assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doublelAttribute", "123-456"), TestComplexEntityDo.class));
-    assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doubleAttribute", "123-456-100"), TestComplexEntityDo.class));
-    assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doubleAttribute", "\"123-456\""), TestComplexEntityDo.class));
-    assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doubleAttribute", "\"10-03-2019\""), TestComplexEntityDo.class));
-    assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doubleAttribute", "\"123,456\""), TestComplexEntityDo.class));
-
-    assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "123-456"), TestComplexEntityDo.class));
-    assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "123-456-100"), TestComplexEntityDo.class));
-    assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "\"123-456\""), TestComplexEntityDo.class));
-    assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "\"10-03-2019\""), TestComplexEntityDo.class));
-    assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "\"123,456\""), TestComplexEntityDo.class));
+    Assert.assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "123-456"), TestComplexEntityDo.class));
+    Assert.assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "123-456-100"), TestComplexEntityDo.class));
+    Assert.assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "\"123-456\""), TestComplexEntityDo.class));
+    Assert.assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "\"10-03-2019\""), TestComplexEntityDo.class));
+    Assert.assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("floatAttribute", "\"123,456\""), TestComplexEntityDo.class));
+
+    Assert.assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doublelAttribute", "123-456"), TestComplexEntityDo.class));
+    Assert.assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doubleAttribute", "123-456-100"), TestComplexEntityDo.class));
+    Assert.assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doubleAttribute", "\"123-456\""), TestComplexEntityDo.class));
+    Assert.assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doubleAttribute", "\"10-03-2019\""), TestComplexEntityDo.class));
+    Assert.assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("doubleAttribute", "\"123,456\""), TestComplexEntityDo.class));
+
+    Assert.assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "123-456"), TestComplexEntityDo.class));
+    Assert.assertThrows(JsonParseException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "123-456-100"), TestComplexEntityDo.class));
+    Assert.assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "\"123-456\""), TestComplexEntityDo.class));
+    Assert.assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "\"10-03-2019\""), TestComplexEntityDo.class));
+    Assert.assertThrows(InvalidFormatException.class, () -> s_dataObjectMapper.readValue(createTestComplexEntityJson("bigDecimalAttribute", "\"123,456\""), TestComplexEntityDo.class));
   }
 
   protected String createTestComplexEntityJson(String attributeName, String value) {

diff --git a/...ckson/src/main/java/org/eclipse/scout/rt/jackson/dataobject/DataObjectTypeIdResolver.java b/...ckson/src/main/java/org/eclipse/scout/rt/jackson/dataobject/DataObjectTypeIdResolver.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 BSI Business Systems Integration AG.
+ * Copyright (c) 2010-2023 BSI Business Systems Integration AG.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -10,7 +10,6 @@
  */
 package org.eclipse.scout.rt.jackson.dataobject;
 
-import java.io.IOException;
 import java.util.stream.Collectors;
 
 import org.eclipse.scout.rt.dataobject.DataObjectInventory;
@@ -67,14 +66,14 @@ public String idFromValueAndType(Object value, Class<?> clazz) {
   }
 
   /**
-   * @returns type id to use for serialization of specified class.
+   * @return type id to use for serialization of specified class.
    */
   protected String idFromClass(Class<?> c) {
     return m_dataObjectInventory.get().toTypeName(c);
   }
 
   @Override
-  public JavaType typeFromId(DatabindContext context, String id) throws IOException {
+  public JavaType typeFromId(DatabindContext context, String id) {
     return SimpleType.constructUnsafe(m_dataObjectInventory.get().fromTypeName(id));
   }
 

diff --git a/.../src/main/java/org/eclipse/scout/rt/jackson/dataobject/DataObjectTypeResolverBuilder.java b/.../src/main/java/org/eclipse/scout/rt/jackson/dataobject/DataObjectTypeResolverBuilder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 BSI Business Systems Integration AG.
+ * Copyright (c) 2010-2023 BSI Business Systems Integration AG.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -10,22 +10,33 @@
  */
 package org.eclipse.scout.rt.jackson.dataobject;
 
+import java.util.Collection;
+
 import org.eclipse.scout.rt.dataobject.DoEntity;
 import org.eclipse.scout.rt.platform.Bean;
 
+import com.fasterxml.jackson.databind.DeserializationConfig;
 import com.fasterxml.jackson.databind.JavaType;
-import com.fasterxml.jackson.databind.ObjectMapper.DefaultTypeResolverBuilder;
+import com.fasterxml.jackson.databind.SerializationConfig;
+import com.fasterxml.jackson.databind.jsontype.NamedType;
+import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
+import com.fasterxml.jackson.databind.jsontype.TypeSerializer;
+import com.fasterxml.jackson.databind.jsontype.impl.StdTypeResolverBuilder;
 
 @Bean
-public class DataObjectTypeResolverBuilder extends DefaultTypeResolverBuilder {
-  private static final long serialVersionUID = 1L;
+public class DataObjectTypeResolverBuilder extends StdTypeResolverBuilder {
 
-  public DataObjectTypeResolverBuilder() {
-    super(null); // do not use default typing
+  @Override
+  public TypeDeserializer buildTypeDeserializer(DeserializationConfig config, JavaType baseType, Collection<NamedType> subtypes) {
+    return useForType(baseType) ? super.buildTypeDeserializer(config, baseType, subtypes) : null;
   }
 
   @Override
-  public boolean useForType(JavaType t) {
+  public TypeSerializer buildTypeSerializer(SerializationConfig config, JavaType baseType, Collection<NamedType> subtypes) {
+    return useForType(baseType) ? super.buildTypeSerializer(config, baseType, subtypes) : null;
+  }
+
+  protected boolean useForType(JavaType t) {
     // do not write type information for "raw" DoEntity instances (only concrete instances, without IDoEntity marker interface)
     return !DoEntity.class.equals(t.getRawClass());
   }

diff --git a/...t.jackson/src/main/java/org/eclipse/scout/rt/jackson/dataobject/DoEntityDeserializer.java b/...t.jackson/src/main/java/org/eclipse/scout/rt/jackson/dataobject/DoEntityDeserializer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 BSI Business Systems Integration AG.
+ * Copyright (c) 2010-2023 BSI Business Systems Integration AG.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -19,6 +19,7 @@
 import org.eclipse.scout.rt.platform.BEANS;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.slf4j.helpers.MessageFormatter;
 
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.core.JsonToken;
@@ -28,6 +29,7 @@
 import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
+import com.fasterxml.jackson.databind.exc.InvalidFormatException;
 import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
 import com.fasterxml.jackson.databind.type.TypeFactory;
 import com.fasterxml.jackson.databind.util.TokenBuffer;
@@ -102,7 +104,7 @@ protected IDoEntity deserializeDoEntityAttributes(JsonParser p, DeserializationC
           p = JsonParserSequence.createFlattened(false, tb.asParser(p), p);
         }
         p.nextToken(); // skip type field value
-        return derializeDoEntityAttributes(p, ctxt, entity);
+        return deserializeDoEntityAttributes(p, ctxt, entity);
       }
 
       // lazy create token buffer to cache other fields
@@ -127,10 +129,10 @@ protected IDoEntity deserializeDoEntityAttributes(JsonParser p, DeserializationC
     IDoEntity entity = resolveEntityType(ctxt, null);
     p.setCurrentValue(entity); // set current value after new parser instance was created out of token buffer
 
-    return derializeDoEntityAttributes(p, ctxt, entity);
+    return deserializeDoEntityAttributes(p, ctxt, entity);
   }
 
-  protected IDoEntity derializeDoEntityAttributes(JsonParser p, DeserializationContext ctxt, IDoEntity entity) throws IOException {
+  protected IDoEntity deserializeDoEntityAttributes(JsonParser p, DeserializationContext ctxt, IDoEntity entity) throws IOException {
     // read and deserialize all fields of entity
     for (JsonToken t = p.currentToken(); t == JsonToken.FIELD_NAME; t = p.nextToken()) {
       String attributeName = p.getCurrentName();
@@ -139,12 +141,11 @@ protected IDoEntity derializeDoEntityAttributes(JsonParser p, DeserializationCon
       boolean isObject = p.getCurrentToken() == JsonToken.START_OBJECT;
       ResolvedType attributeType = findResolvedAttributeType(entity, attributeName, isObject, isArray);
       if (attributeType.hasRawClass(DoList.class)) {
-        DoList<?> listValue = p.getCodec().readValue(p, attributeType);
+        DoList<?> listValue = readAttributeValue(p, attributeType, attributeName);
         entity.putNode(attributeName, listValue);
       }
       else {
-        Object value = p.getCodec().readValue(p, attributeType);
-
+        Object value = readAttributeValue(p, attributeType, attributeName);
         // check if reading the 'type version' property
         if (m_moduleContext.getTypeVersionAttributeName().equals(attributeName)) {
           deserializeDoEntityVersionAttribute(entity, attributeName, value);
@@ -157,6 +158,24 @@ protected IDoEntity derializeDoEntityAttributes(JsonParser p, DeserializationCon
     return entity;
   }
 
+  protected <T> T readAttributeValue(JsonParser p, ResolvedType attributeType, String attributeName) throws IOException {
+    try {
+      return p.getCodec().readValue(p, attributeType);
+    }
+    catch (InvalidFormatException e) {
+      // capture exception containing the deserialized value to throw a specific exception message with attribute name and entity class
+      String msg = MessageFormatter.arrayFormat("Failed to deserialize attribute '{}' of entity {}, value was {}", new Object[]{attributeName, handledType().getName(), e.getValue()}).getMessage();
+      InvalidFormatException ife = InvalidFormatException.from(p, msg, e.getValue(), e.getTargetType());
+      ife.addSuppressed(e);
+      throw ife;
+    }
+    catch (IOException e) {
+      // capture generic exception to add at least the attribute name and entity class to the exception message
+      String msg = MessageFormatter.format("Failed to deserialize attribute '{}' of entity {}", attributeName, handledType().getName()).getMessage();
+      throw JsonMappingException.from(p, msg, e);
+    }
+  }
+
   protected void deserializeDoEntityVersionAttribute(IDoEntity entity, String attributeName, Object version) {
     String dataObjectTypeVersion = m_doEntityDeserializerTypeResolver.resolveTypeVersion(entity.getClass());
     if (dataObjectTypeVersion != null) {

diff --git a/...ackson/src/main/java/org/eclipse/scout/rt/jackson/dataobject/JacksonDataObjectMapper.java b/...ackson/src/main/java/org/eclipse/scout/rt/jackson/dataobject/JacksonDataObjectMapper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 BSI Business Systems Integration AG.
+ * Copyright (c) 2010-2023 BSI Business Systems Integration AG.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -26,6 +26,7 @@
 import org.eclipse.scout.rt.platform.util.LazyValue;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.MapperFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
 /**
@@ -133,7 +134,8 @@ protected ObjectMapper createObjectMapperInstance(boolean ignoreTypeAttribute) {
     prepareScoutDataModuleContext(scoutDataObjectModule.getModuleContext());
     om.registerModule(scoutDataObjectModule);
     om.setDateFormat(new SimpleDateFormat(IValueFormatConstants.DEFAULT_DATE_PATTERN)); // FIXME [9.0] pbz: [JSON] check if it can be moved to ScoutDataObjectModule class
-    om.disableDefaultTyping(); // disabled for security reasons
+    om.deactivateDefaultTyping(); // disabled for security reasons
+    om.enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES); // enabled block-unsafe for security reasons
     return om;
   }
 

diff --git a/....jackson/src/main/java/org/eclipse/scout/rt/jackson/dataobject/ScoutDataObjectModule.java b/....jackson/src/main/java/org/eclipse/scout/rt/jackson/dataobject/ScoutDataObjectModule.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 BSI Business Systems Integration AG.
+ * Copyright (c) 2010-2023 BSI Business Systems Integration AG.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -94,8 +94,6 @@ public Version version() {
 
   @Override
   public void setupModule(SetupContext context) {
-    prepareScoutDataModuleContext(m_moduleContext);
-
     context.addSerializers(BEANS.get(DataObjectSerializers.class).withModuleContext(m_moduleContext));
     context.addDeserializers(BEANS.get(DataObjectDeserializers.class).withModuleContext(m_moduleContext));
 
@@ -106,18 +104,6 @@ public void setupModule(SetupContext context) {
     context.insertAnnotationIntrospector(BEANS.get(DataObjectAnnotationIntrospector.class).withModuleContext(m_moduleContext));
   }
 
-  /**
-   * Override this method to add custom properties to {@code moduleContext}.
-   * <p>
-   * TODO [11.0] pbz remove this method > consider move {@link #init()} to {@link JacksonDataObjectMapper}
-   *
-   * @deprecated use JacksonDataObjectMapper#prepareScoutDataModuleContext(ScoutDataObjectModuleContext) instead
-   */
-  @Deprecated
-  protected void prepareScoutDataModuleContext(ScoutDataObjectModuleContext moduleContext) {
-    // NOP
-  }
-
   @Override
   public int hashCode() {
     return NAME.hashCode();

diff --git a/.../main/java/org/eclipse/scout/rt/jackson/dataobject/id/QualifiedIIdMapKeyDeserializer.java b/.../main/java/org/eclipse/scout/rt/jackson/dataobject/id/QualifiedIIdMapKeyDeserializer.java
@@ -1,11 +1,15 @@
 /*
- * Copyright (c) BSI Business Systems Integration AG. All rights reserved.
- * http://www.bsiag.com/
+ * Copyright (c) 2010-2023 BSI Business Systems Integration AG.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ *     BSI Business Systems Integration AG - initial API and implementation
  */
 package org.eclipse.scout.rt.jackson.dataobject.id;
 
-import java.io.IOException;
-
 import org.eclipse.scout.rt.dataobject.id.IId;
 import org.eclipse.scout.rt.dataobject.id.IdExternalFormatter;
 import org.eclipse.scout.rt.platform.util.LazyValue;
@@ -22,7 +26,7 @@ public class QualifiedIIdMapKeyDeserializer extends KeyDeserializer {
   protected final LazyValue<IdExternalFormatter> m_idExternalFormatter = new LazyValue<>(IdExternalFormatter.class);
 
   @Override
-  public Object deserializeKey(String key, DeserializationContext ctxt) throws IOException {
+  public Object deserializeKey(String key, DeserializationContext ctxt) {
     return m_idExternalFormatter.get().fromExternalForm(key);
   }
 }