Fix #4656: prevent ClassCastException from DeserializationProblemHandler.handleUnexpectedToken() (#5164)

Author: cowtowncoder

release-notes/VERSION-2.x

@@ -12,6 +12,8 @@ Project: jackson-databind
  (contributed by Giulio L)
 #4136: Drop deprecated (in 2.12) `PropertyNamingStrategy` implementations
   from 2.20
+#4656: `DeserializationProblemHandler.handleUnexpectedToken()` cast Object to String
+ (reported by @yacine-pc)
 #5103: Use `writeStartObject(Object forValue, int size)` for `ObjectNode`
   serialization
 #5151: Add new exception type, `MissingInjectValueException`, to be used

src/main/java/com/fasterxml/jackson/databind/DeserializationContext.java

@@ -968,17 +968,22 @@ public Calendar constructCalendar(Date d) {
      * Method to call in case incoming shape is Object Value (and parser thereby
      * points to {@link com.fasterxml.jackson.core.JsonToken#START_OBJECT} token),
      * but a Scalar value (potentially coercible from String value) is expected.
-     * This would typically be used to deserializer a Number, Boolean value or some other
+     * This would typically be used to deserialize a Number, Boolean value or some other
      * "simple" unstructured value type.
+     *<p>
+     * Note that expected behavior in case of extraction not succeeding changed in
+     * Jackson 2.20: now {@code null} is expected to be returned in that case (in 2.19
+     * and before, exception was to be thrown, but this prevented fallback handling
+     * via {@link DeserializationProblemHandler#handleUnexpectedToken}.
      *
      * @param p Actual parser to read content from
      * @param deser Deserializer that needs extracted String value
      * @param scalarType Immediate type of scalar to extract; usually type deserializer
      *    handles but not always (for example, deserializer for {@code int[]} would pass
      *    scalar type of {@code int})
      *
-     * @return String value found; not {@code null} (exception should be thrown if no suitable
-     *     value found)
+     * @return String value found, if any; {@code null} if none (note: changed in 2.20;
+     *   before that in 2.19 and before exception throwing was expected)
      *
      * @throws IOException If there are problems either reading content (underlying parser
      *    problem) or finding expected scalar value
@@ -987,7 +992,10 @@ public String extractScalarFromObject(JsonParser p, JsonDeserializer<?> deser,
             Class<?> scalarType)
         throws IOException
     {
-        return (String) handleUnexpectedToken(scalarType, p);
+        // 17-May-2025, tatu: [databind#4656] must NOT call `handleUnexpectedToken`
+        //    since that can return value other than {@code String}
+        //return (String) handleUnexpectedToken(scalarType, p);
+        return null;
     }
 
     /*

src/main/java/com/fasterxml/jackson/databind/deser/std/EnumDeserializer.java

@@ -285,8 +285,12 @@ public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOEx
         }
         // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
         if (p.isExpectedStartObjectToken()) {
-            return _fromString(p, ctxt,
-                    ctxt.extractScalarFromObject(p, this, _valueClass));
+            String str = ctxt.extractScalarFromObject(p, this, _valueClass);
+            // 17-May-2025, tatu: [databind#4656] need to check for `null`
+            if (str == null) {
+                return ctxt.handleUnexpectedToken(_enumClass(), p);
+            }
+            return _fromString(p, ctxt, str);
         }
         return _deserializeOther(p, ctxt);
     }

src/main/java/com/fasterxml/jackson/databind/deser/std/FactoryBasedEnumDeserializer.java

@@ -190,6 +190,10 @@ public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOEx
             //   https://github.com/FasterXML/jackson-databind/issues/4807
             if (t == JsonToken.START_OBJECT) {
                 value = ctxt.extractScalarFromObject(p, this, _valueClass);
+                // 17-May-2025, tatu: [databind#4656] need to check for `null`
+                if (value == null) {
+                    return ctxt.handleUnexpectedToken(_valueClass, p);
+                }
             } else if ((t == null) || !t.isScalarValue()) {
                 // Could argue we should throw an exception but...
                 // 01-Jun-2023, tatu: And now we will finally do it!

src/main/java/com/fasterxml/jackson/databind/deser/std/FromStringDeserializer.java

@@ -154,6 +154,10 @@ public T deserialize(JsonParser p, DeserializationContext ctxt) throws IOExcepti
             }
             // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
             text = ctxt.extractScalarFromObject(p, this, _valueClass);
+            // 17-May-2025, tatu: [databind#4656] need to check for `null`
+            if (text == null) {
+                return  (T) ctxt.handleUnexpectedToken(_valueClass, p);
+            }
         }
         if (text.isEmpty()) {
             // 09-Jun-2020, tatu: Commonly `null` but may coerce to "empty" as well

src/main/java/com/fasterxml/jackson/databind/deser/std/NumberDeserializers.java

@@ -301,7 +301,11 @@ protected Byte _parseByte(JsonParser p, DeserializationContext ctxt)
             // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
             case JsonTokenId.ID_START_OBJECT:
                 text = ctxt.extractScalarFromObject(p, this, _valueClass);
-                break;
+                // 17-May-2025, tatu: [databind#4656] need to check for `null`
+                if (text != null) {
+                    break;
+                }
+                // fall through
             default:
                 return (Byte) ctxt.handleUnexpectedToken(getValueType(ctxt), p);
             }
@@ -384,12 +388,16 @@ protected Short _parseShort(JsonParser p, DeserializationContext ctxt)
                 return (Short) getNullValue(ctxt);
             case JsonTokenId.ID_NUMBER_INT:
                 return p.getShortValue();
+            case JsonTokenId.ID_START_ARRAY:
+                return (Short)_deserializeFromArray(p, ctxt);
             // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
             case JsonTokenId.ID_START_OBJECT:
+                // 17-May-2025, tatu: [databind#4656] need to check for `null`
                 text = ctxt.extractScalarFromObject(p, this, _valueClass);
-                break;
-            case JsonTokenId.ID_START_ARRAY:
-                return (Short)_deserializeFromArray(p, ctxt);
+                if (text != null) {
+                    break;
+                }
+                // fall through
             default:
                 return (Short) ctxt.handleUnexpectedToken(getValueType(ctxt), p);
             }
@@ -474,12 +482,16 @@ public Character deserialize(JsonParser p, DeserializationContext ctxt)
                     _verifyNullForPrimitive(ctxt);
                 }
                 return (Character) getNullValue(ctxt);
+            case JsonTokenId.ID_START_ARRAY:
+                return _deserializeFromArray(p, ctxt);
             // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
             case JsonTokenId.ID_START_OBJECT:
                 text = ctxt.extractScalarFromObject(p, this, _valueClass);
-                break;
-            case JsonTokenId.ID_START_ARRAY:
-                return _deserializeFromArray(p, ctxt);
+                // 17-May-2025, tatu: [databind#4656] need to check for `null`
+                if (text != null) {
+                    break;
+                }
+                // fall through
             default:
                 return (Character) ctxt.handleUnexpectedToken(getValueType(ctxt), p);
             }
@@ -622,12 +634,16 @@ protected final Float _parseFloat(JsonParser p, DeserializationContext ctxt)
                 // fall through to coerce
             case JsonTokenId.ID_NUMBER_FLOAT:
                 return p.getFloatValue();
+            case JsonTokenId.ID_START_ARRAY:
+                return _deserializeFromArray(p, ctxt);
             // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
             case JsonTokenId.ID_START_OBJECT:
                 text = ctxt.extractScalarFromObject(p, this, _valueClass);
-                break;
-            case JsonTokenId.ID_START_ARRAY:
-                return _deserializeFromArray(p, ctxt);
+                // 17-May-2025, tatu: [databind#4656] need to check for `null`
+                if (text != null) {
+                    break;
+                }
+                // fall through
             default:
                 return (Float) ctxt.handleUnexpectedToken(getValueType(ctxt), p);
             }
@@ -723,12 +739,16 @@ protected final Double _parseDouble(JsonParser p, DeserializationContext ctxt) t
                 // fall through to coerce
             case JsonTokenId.ID_NUMBER_FLOAT: // safe coercion
                 return p.getDoubleValue();
+            case JsonTokenId.ID_START_ARRAY:
+                return _deserializeFromArray(p, ctxt);
             // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
             case JsonTokenId.ID_START_OBJECT:
                 text = ctxt.extractScalarFromObject(p, this, _valueClass);
-                break;
-            case JsonTokenId.ID_START_ARRAY:
-                return _deserializeFromArray(p, ctxt);
+                // 17-May-2025, tatu: [databind#4656] need to check for `null`
+                if (text != null) {
+                    break;
+                }
+                // fall through
             default:
                 return (Double) ctxt.handleUnexpectedToken(getValueType(ctxt), p);
             }
@@ -816,12 +836,16 @@ public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOEx
                     }
                 }
                 return p.getNumberValue();
+            case JsonTokenId.ID_START_ARRAY:
+                return _deserializeFromArray(p, ctxt);
             // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
             case JsonTokenId.ID_START_OBJECT:
                 text = ctxt.extractScalarFromObject(p, this, _valueClass);
-                break;
-            case JsonTokenId.ID_START_ARRAY:
-                return _deserializeFromArray(p, ctxt);
+                // 17-May-2025, tatu: [databind#4656] need to check for `null`
+                if (text != null) {
+                    break;
+                }
+                // fall through
             default:
                 return ctxt.handleUnexpectedToken(getValueType(ctxt), p);
             }
@@ -951,12 +975,16 @@ public BigInteger deserialize(JsonParser p, DeserializationContext ctxt) throws
                 final BigDecimal bd = p.getDecimalValue();
                 p.streamReadConstraints().validateBigIntegerScale(bd.scale());
                 return bd.toBigInteger();
+            case JsonTokenId.ID_START_ARRAY:
+                return _deserializeFromArray(p, ctxt);
             // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
             case JsonTokenId.ID_START_OBJECT:
                 text = ctxt.extractScalarFromObject(p, this, _valueClass);
-                break;
-            case JsonTokenId.ID_START_ARRAY:
-                return _deserializeFromArray(p, ctxt);
+                // 17-May-2025, tatu: [databind#4656] need to check for `null`
+                if (text != null) {
+                    break;
+                }
+                // fall through
             default:
                 // String is ok too, can easily convert; otherwise, no can do:
                 return (BigInteger) ctxt.handleUnexpectedToken(getValueType(ctxt), p);
@@ -1024,12 +1052,16 @@ public BigDecimal deserialize(JsonParser p, DeserializationContext ctxt)
             case JsonTokenId.ID_STRING:
                 text = p.getText();
                 break;
+            case JsonTokenId.ID_START_ARRAY:
+                return _deserializeFromArray(p, ctxt);
             // 29-Jun-2020, tatu: New! "Scalar from Object" (mostly for XML)
             case JsonTokenId.ID_START_OBJECT:
                 text = ctxt.extractScalarFromObject(p, this, _valueClass);
-                break;
-            case JsonTokenId.ID_START_ARRAY:
-                return _deserializeFromArray(p, ctxt);
+                // 17-May-2025, tatu: [databind#4656] need to check for `null`
+                if (text != null) {
+                    break;
+                }
+                // fall through
             default:
                 return (BigDecimal) ctxt.handleUnexpectedToken(getValueType(ctxt), p);
             }