Fix #1737 on 2.6 (#1945)

Author: derekstraka

release-notes/VERSION

@@ -4,6 +4,9 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
+2.6.7.2 (not yet released)
+#1737: Block more JDK types from polymorphic deserialization
+
 2.6.7.1 (11-Jul-2017)
 
 #1383: Problem with `@JsonCreator` with 1-arg factory-method, implicit param names

src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java

@@ -49,7 +49,7 @@ public class BeanDeserializerFactory
     static {
         Set<String> s = new HashSet<String>();
         // Courtesy of [https://github.com/kantega/notsoserial]:
-        // (and wrt [databind#1599]
+        // (and wrt [databind#1599])
         s.add("org.apache.commons.collections.functors.InvokerTransformer");
         s.add("org.apache.commons.collections.functors.InstantiateTransformer");
         s.add("org.apache.commons.collections4.functors.InvokerTransformer");
@@ -58,6 +58,16 @@ public class BeanDeserializerFactory
         s.add("org.codehaus.groovy.runtime.MethodClosure");
         s.add("org.springframework.beans.factory.ObjectFactory");
         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+
+        // [databind#1737]; JDK provided
+        s.add("java.util.logging.FileHandler");
+        s.add("java.rmi.server.UnicastRemoteObject");
+        // [databind#1737]; 3rd party
+        s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java

@@ -1,5 +1,6 @@
 package com.fasterxml.jackson.databind.interop;
 
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
 import com.fasterxml.jackson.databind.*;
 
 /**
@@ -13,11 +14,28 @@ static class Bean1599 {
         public Object obj;
     }
 
-    public void testIssue1599() throws Exception
+    static class PolyWrapper {
+        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,
+                include = JsonTypeInfo.As.WRAPPER_ARRAY)
+        public Object v;
+    }
+    
+    /*
+    /**********************************************************
+    /* Unit tests
+    /**********************************************************
+     */
+
+    private final ObjectMapper MAPPER = objectMapper();
+    
+    // // // Tests for [databind#1599]
+
+    public void testXalanTypes1599() throws Exception
     {
+        final String clsName = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
         final String JSON = aposToQuotes(
  "{'id': 124,\n"
-+" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
++" 'obj':[ '"+clsName+"',\n"
 +"  {\n"
 +"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
 +"    'transletName' : 'a.b',\n"
@@ -32,9 +50,75 @@ public void testIssue1599() throws Exception
             mapper.readValue(JSON, Bean1599.class);
             fail("Should not pass");
         } catch (JsonMappingException e) {
-            verifyException(e, "Illegal type");
-            verifyException(e, "to deserialize");
-            verifyException(e, "prevented for security reasons");
+            _verifySecurityException(e, clsName);
+        }
+    }
+
+    // // // Tests for [databind#1737]
+
+    public void testJDKTypes1737() throws Exception
+    {
+        _testTypes1737(java.util.logging.FileHandler.class);
+        _testTypes1737(java.rmi.server.UnicastRemoteObject.class);
+    }
+
+    // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
+    //    but would require adding dependencies. This may be practical when
+    //    checking done by module, but for now let's not do that for databind.
+
+    /*
+    public void testSpringTypes1737() throws Exception
+    {
+        _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+        _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+    }
+
+    public void testC3P0Types1737() throws Exception
+    {
+        _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+        _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+    }
+    */
+
+    private void _testTypes1737(Class<?> nasty) throws Exception {
+        _testTypes1737(nasty.getName());
+    }
+
+    private void _testTypes1737(String clsName) throws Exception
+    {
+        // While usually exploited via default typing let's not require
+        // it here; mechanism still the same
+        String json = aposToQuotes(
+                "{'v':['"+clsName+"','/tmp/foobar.txt']}"
+                );
+        try {
+            MAPPER.readValue(json, PolyWrapper.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            _verifySecurityException(e, clsName);
+        }
+    }
+
+    protected void _verifySecurityException(Throwable t, String clsName) throws Exception
+    {
+        // 17-Aug-2017, tatu: Expected type more granular in 2.9 (over 2.8)
+        _verifyException(t, JsonMappingException.class,
+            "Illegal type",
+            "to deserialize",
+            "prevented for security reasons");
+        verifyException(t, clsName);
+    }
+
+    protected void _verifyException(Throwable t, Class<?> expExcType,
+            String... patterns) throws Exception
+    {
+        Class<?> actExc = t.getClass();
+        if (!expExcType.isAssignableFrom(actExc)) {
+            fail("Expected Exception of type '"+expExcType.getName()+"', got '"
+                    +actExc.getName()+"', message: "+t.getMessage());
+        }
+        for (String pattern : patterns) {
+            verifyException(t, pattern);
         }
     }
 }