GH-1483: Trust target class sub-packages

Resolves #1483
spring-projects · May 11, 2020 · 05e56ad · 05e56ad
1 parent be3c642
commit 05e56ad
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/.../main/java/org/springframework/kafka/support/converter/DefaultJackson2JavaTypeMapper.java b/.../main/java/org/springframework/kafka/support/converter/DefaultJackson2JavaTypeMapper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2019 the original author or authors.
+ * Copyright 2017-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@
 import org.springframework.messaging.converter.MessageConversionException;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
+import org.springframework.util.PatternMatchUtils;
 
 import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.type.TypeFactory;
@@ -149,7 +150,7 @@ private boolean isTrustedPackage(String requestedType) {
 		if (!this.trustedPackages.isEmpty()) {
 			String packageName = ClassUtils.getPackageName(requestedType).replaceFirst("\\[L", "");
 			for (String trustedPackage : this.trustedPackages) {
-				if (packageName.equals(trustedPackage)) {
+				if (PatternMatchUtils.simpleMatch(trustedPackage, packageName)) {
 					return true;
 				}
 			}

diff --git a/...ng-kafka/src/main/java/org/springframework/kafka/support/serializer/JsonDeserializer.java b/...ng-kafka/src/main/java/org/springframework/kafka/support/serializer/JsonDeserializer.java
@@ -419,6 +419,7 @@ private void addTargetPackageToTrusted() {
 		String targetPackageName = getTargetPackageName();
 		if (targetPackageName != null) {
 			doAddTrustedPackages(targetPackageName);
+			doAddTrustedPackages(targetPackageName + ".*");
 		}
 	}
 

diff --git a/...ka/src/test/java/org/springframework/kafka/support/serializer/JsonSerializationTests.java b/...ka/src/test/java/org/springframework/kafka/support/serializer/JsonSerializationTests.java
@@ -20,6 +20,7 @@
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -44,6 +45,8 @@
 import com.fasterxml.jackson.core.JsonParseException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.type.TypeFactory;
 
 /**
@@ -221,6 +224,19 @@ void testDeserializerTypeReference() {
 		de.close();
 	}
 
+	@Test
+	void jsonNode() throws IOException {
+		JsonSerializer<Object> ser = new JsonSerializer<>();
+		JsonDeserializer<JsonNode> de = new JsonDeserializer<>();
+		de.configure(Collections.singletonMap(JsonDeserializer.VALUE_DEFAULT_TYPE, JsonNode.class), false);
+		DummyEntity dummy = new DummyEntity();
+		byte[] serialized = ser.serialize("foo", dummy);
+		JsonNode node = new ObjectMapper().reader().readTree(serialized);
+		Headers headers = new RecordHeaders();
+		serialized = ser.serialize("foo", headers, node);
+		de.deserialize("foo", headers, serialized);
+	}
+
 	@Test
 	void testPreExistingHeaders() {
 		JsonSerializer<? super Foo> ser = new JsonSerializer<>();