Code clean up for JacksonJsonUtils
* Mention `trustedPackages` in the `redis.adoc`

**Cherry-pick to 5.3.x, 5.2.x, 5.1.x & 4.3.x**
artembilan authored and garyrussell committed Jun 9, 2020
1 parent 02f0c10 commit 3499cd6
Showing 2 changed files with 11 additions and 6 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -167,13 +167,13 @@ private static final class WhitelistTypeIdResolver implements TypeIdResolver {
WhitelistTypeIdResolver(TypeIdResolver delegate, String... trustedPackages) {
this.delegate = delegate;
if (trustedPackages != null) {
for (String whiteListClass : trustedPackages) {
if ("*".equals(whiteListClass)) {
for (String whiteListPackage : trustedPackages) {
if ("*".equals(whiteListPackage)) {
this.trustedPackages.clear();
break;
}
else {
this.trustedPackages.add(whiteListClass);
this.trustedPackages.add(whiteListPackage);
}
}
}
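Review bot: the rename from `whiteListClass` to `whiteListPackage` makes the loop variable match what the argument actually holds, but the wildcard branch still lacks a comment explaining its effect: `this.trustedPackages.clear(); break;` means a `"*"` anywhere in the argument wipes the set, and `isTrustedPackage` skips its package loop entirely when the set is empty (`if (!this.trustedPackages.isEmpty())`), so the wildcard switches the package check off rather than adding an entry. A one-line comment above `if ("*".equals(whiteListPackage))` stating that would save the next reader from tracing both methods.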
@@ -224,7 +224,10 @@ public JavaType typeFromId(DatabindContext context, String id) throws IOExceptio
private boolean isTrustedPackage(String packageName) {
if (!this.trustedPackages.isEmpty()) {
for (String trustedPackage : this.trustedPackages) {
if (packageName.equals(trustedPackage) || packageName.startsWith(trustedPackage + ".")) {
if (packageName.equals(trustedPackage) ||
(!packageName.equals("java.util.logging")
&& packageName.startsWith(trustedPackage + "."))) {

return true;
}
}
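Review bot: the new `!packageName.equals("java.util.logging")` exclusion is a hard-coded special case with no comment explaining why that package is carved out of the `trustedPackage + "."` prefix match, and the commit touches no test file, so nothing verifies that a class in `java.util.logging` is now rejected while a class directly in `java.util` is still accepted. Suggest extracting the literal into a named constant with a short comment on the rationale and adding a unit test for both cases. Note also that `equals` excludes only that exact package: any package nested below `java.util.logging` would still satisfy `packageName.startsWith(trustedPackage + ".")`, so if the whole subtree is meant to be excluded the condition should be `!packageName.startsWith("java.util.logging")` (or the `equals` check plus a `"java.util.logging."` prefix check) instead.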
4 changes: 3 additions & 1 deletion src/reference/asciidoc/redis.adoc
@@ -367,9 +367,11 @@ However, if you want to use a different serialization technique (such as JSON),

Starting with version 4.3.10, the Framework provides Jackson serializer and deserializer implementations for `Message` instances and `MessageHeaders` instances -- `MessageJacksonDeserializer` and `MessageHeadersJacksonSerializer`, respectively.
They have to be configured with the `SimpleModule` options for the `ObjectMapper`.
In addition, you should set `enableDefaultTyping` on the `ObjectMapper` to add type information for each serialized complex object.
In addition, you should set `enableDefaultTyping` on the `ObjectMapper` to add type information for each serialized complex object (if you trust the source).
That type information is then used during deserialization.
The framework provides a utility method called `JacksonJsonUtils.messagingAwareMapper()`, which is already supplied with all the previously mentioned properties and serializers.
This utility method comes with the `trustedPackages` argument to limit Java packages for deserialization to avoid security vulnerabilities.
The default trusted packages: `java.util`, `java.lang`, `org.springframework.messaging.support`, `org.springframework.integration.support`, `org.springframework.integration.message`, `org.springframework.integration.store`.
To manage JSON serialization in the `RedisMessageStore`, you must configure it in a fashion similar to the following example:

====
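Review bot: the added qualifier "(if you trust the source)" is too vague for a reader to act on; the paragraph should state what `trustedPackages` does when it is omitted and what passing `"*"` does (the Java change in this commit clears the set on `"*"`, which disables the package check), since that is the decision the sentence is asking the reader to make. It would also be worth saying that the `java.util` default now carries the `java.util.logging` exception introduced in the same commit; as written, the list of defaults promises more than `isTrustedPackage` accepts.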

0 comments on commit 3499cd6