From f031f27a31625d07922bdd090664c69544200a5d Mon Sep 17 00:00:00 2001 From: Tatu Saloranta Date: Tue, 12 Dec 2017 17:15:56 -0800 Subject: [PATCH] Fix 1/3 of #1855 --- release-notes/VERSION | 1 + .../deser/BeanDeserializerFactory.java | 4 ++- .../interop/IllegalTypesCheckTest.java | 25 ++++++++++++------- 3 files changed, 20 insertions(+), 10 deletions(-) diff --git a/release-notes/VERSION b/release-notes/VERSION index cdfc1234b4..07c9c69e45 100644 --- a/release-notes/VERSION +++ b/release-notes/VERSION @@ -12,6 +12,7 @@ Project: jackson-databind (reported by Villane@github) #1680: Blacklist couple more types for deserialization #1737: Block more JDK types from polymorphic deserialization +#1855: (partial) Blacklist for more serialization gadgets (dbcp/tomcat) 2.7.9.1 (18-Apr-2017) diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java index 74af716b41..217ffd9c62 100644 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java @@ -68,7 +68,9 @@ public class BeanDeserializerFactory s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); - + // [databind#1855]: more 3rd party + s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); + s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); } diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java index 8721b9b6ab..0581242217 100644 --- a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java +++ b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java @@ -58,8 +58,15 @@ public void testXalanTypes1599() throws Exception public void testJDKTypes1737() throws Exception { - _testTypes1737(java.util.logging.FileHandler.class); - _testTypes1737(java.rmi.server.UnicastRemoteObject.class); + _testIllegalType(java.util.logging.FileHandler.class); + _testIllegalType(java.rmi.server.UnicastRemoteObject.class); + } + + // // // Tests for [databind#1855] + public void testJDKTypes1855() throws Exception + { + // apparently included by JDK? + _testIllegalType("com.sun.org.apache.bcel.internal.util.ClassLoader"); } // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too, @@ -69,22 +76,22 @@ public void testJDKTypes1737() throws Exception /* public void testSpringTypes1737() throws Exception { - _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); - _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean"); + _testIllegalType("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); + _testIllegalType("org.springframework.beans.factory.config.PropertyPathFactoryBean"); } public void testC3P0Types1737() throws Exception { - _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); - _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); + _testIllegalType("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); + _testIllegalType("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); } */ - private void _testTypes1737(Class nasty) throws Exception { - _testTypes1737(nasty.getName()); + private void _testIllegalType(Class nasty) throws Exception { + _testIllegalType(nasty.getName()); } - private void _testTypes1737(String clsName) throws Exception + private void _testIllegalType(String clsName) throws Exception { // While usually exploited via default typing let's not require // it here; mechanism still the same