Merge branch '2.10' of https://github.com/FasterXML/jackson-databind into 2.10

Author: cowtowncoder

release-notes/CREDITS-2.x

@@ -653,6 +653,10 @@ Guixiong Wu (吴桂雄)
   * Reported #2032: Blacklist another serialization gadget (ibatis)
    (2.8.11.2)
 
+svarzee@github
+  * Reported #2109, suggested fix: Canonical string for reference type is built incorrectly
+   (2.8.11.3 / 2.9.7)
+
 Connor Kuhn (ckuhn@github)
   * Contributed #1341: FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY
    (2.9.0)
@@ -806,3 +810,11 @@ Petar Tahchiev (ptahchiev@github)
 Thibaut Robert (trobert@github)
   * Requested #2059: Remove `final` modifier for `TypeFactory`
   (2.10.0)
+
+Christopher Smith (chrylis@github)
+  * Suggested #2115: Support naive deserialization of `Serializable` values as "untyped",
+    same as `java.lang.Object`		     
+  (2.10.0)
+
+Édouard Mercier (edouardmercier@github)
+  * Requested #2116: Make NumberSerializers.Base public and its inherited classes not final

release-notes/VERSION-2.x

@@ -8,13 +8,29 @@ Project: jackson-databind
 
 #2059: Remove `final` modifier for `TypeFactory`
  (requested by Thibaut R)
+#2115: Support naive deserialization of `Serializable` values as "untyped", same
+  as `java.lang.Object`
+ (requested by Christopher S)
+#2116: Make NumberSerializers.Base public and its inherited classes not final
+ (requested by Édouard M)
 
 2.9.7 (not yet released)
 
 #2060: `UnwrappingBeanPropertyWriter` incorrectly assumes the found serializer is
   of type `UnwrappingBeanSerializer`
  (reported by Petar T)
+#2079: NPE when visiting StaticListSerializerBase
+ (reported by WorldSEnder@github)
 #2082: `FactoryBasedEnumDeserializer` should be cachable
+#2088: `@JsonUnwrapped` fields are skipped when using `PropertyBasedCreator` if
+  they appear after the last creator property
+ (reported, fix contributed by 6bangs@github)
+#2096: `TreeTraversingParser` does not take base64 variant into account
+ (reported by tangiel@github)
+#2097: Block more classes from polymorphic deserialization (CVE-2018-14718
+  - CVE-2018-14721)
+#2109: Canonical string for reference type is built incorrectly
+ (reported by svarzee@github)
 
 2.9.6 (12-Jun-2018)
 
@@ -581,9 +597,10 @@ Project: jackson-databind
 #1225: `JsonMappingException` should override getProcessor()
  (reported by Nick B)
 
-2.6.8 (if ever released)
+2.6.7.1 (11-Jul-2017)
 
 #1383: Problem with `@JsonCreator` with 1-arg factory-method, implicit param names
+#1599: Backport the extra safety checks for polymorphic deserialization
 
 2.6.7 (05-Jun-2016)
 

src/main/java/com/fasterxml/jackson/databind/DeserializationContext.java

@@ -1589,15 +1589,21 @@ public JsonMappingException weirdNativeValueException(Object value, Class<?> ins
      * to indicate problem with physically constructing instance of
      * specified class (missing constructor, exception from constructor)
      *<p>
-     * Note that most of the time this method should NOT be called; instead,
+     * Note that most of the time this method should NOT be called directly; instead,
      * {@link #handleInstantiationProblem} should be called which will call this method
      * if necessary.
      */
     public JsonMappingException instantiationException(Class<?> instClass, Throwable cause) {
         // Most likely problem with Creator definition, right?
-        JavaType type = constructType(instClass);
+        final JavaType type = constructType(instClass);
+        String excMsg;
+        if (cause == null) {
+            excMsg = "N/A";
+        } else if ((excMsg = cause.getMessage()) == null) {
+            excMsg = ClassUtil.nameOf(cause.getClass());
+        }
         String msg = String.format("Cannot construct instance of %s, problem: %s",
-                ClassUtil.nameOf(instClass), cause.getMessage());
+                ClassUtil.nameOf(instClass), excMsg);
         InvalidDefinitionException e = InvalidDefinitionException.from(_parser, msg, type);
         e.initCause(cause);
         return e;

src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java

@@ -621,7 +621,7 @@ protected ClassIntrospector defaultClassIntrospector() {
      *   return builder(JsonFactory.builder().build());
      *</pre>
      *
-     * @since 2.9
+     * @since 2.10
      */
     @SuppressWarnings("unchecked")
     public static <M extends ObjectMapper, B extends MapperBuilder<M,B>> MapperBuilder<M,B> builder() {

src/main/java/com/fasterxml/jackson/databind/deser/BasicDeserializerFactory.java

@@ -1,5 +1,6 @@
 package com.fasterxml.jackson.databind.deser;
 
+import java.io.Serializable;
 import java.util.*;
 import java.util.concurrent.*;
 import java.util.concurrent.atomic.AtomicReference;
@@ -8,8 +9,10 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonCreator.Mode;
+
 import com.fasterxml.jackson.core.JsonLocation;
 import com.fasterxml.jackson.core.JsonParser;
+
 import com.fasterxml.jackson.databind.*;
 import com.fasterxml.jackson.databind.cfg.DeserializerFactoryConfig;
 import com.fasterxml.jackson.databind.cfg.HandlerInstantiator;
@@ -46,6 +49,7 @@ public abstract class BasicDeserializerFactory
     private final static Class<?> CLASS_CHAR_SEQUENCE = CharSequence.class;
     private final static Class<?> CLASS_ITERABLE = Iterable.class;
     private final static Class<?> CLASS_MAP_ENTRY = Map.Entry.class;
+    private final static Class<?> CLASS_SERIALIZABLE = Serializable.class;
 
     /**
      * We need a placeholder for creator properties that don't have name
@@ -1771,8 +1775,8 @@ public JsonDeserializer<?> findDefaultDeserializer(DeserializationContext ctxt,
         throws JsonMappingException
     {
         Class<?> rawType = type.getRawClass();
-        // Object ("untyped"), String equivalents:
-        if (rawType == CLASS_OBJECT) {
+        // Object ("untyped"), and as of 2.10 (see [databind#2115]), `java.io.Serializable`
+        if ((rawType == CLASS_OBJECT) || (rawType == CLASS_SERIALIZABLE)) {
             // 11-Feb-2015, tatu: As per [databind#700] need to be careful wrt non-default Map, List.
             DeserializationConfig config = ctxt.getConfig();
             JavaType lt, mt;
@@ -1785,6 +1789,7 @@ public JsonDeserializer<?> findDefaultDeserializer(DeserializationContext ctxt,
             }
             return new UntypedObjectDeserializer(lt, mt);
         }
+        // String and equivalents
         if (rawType == CLASS_STRING || rawType == CLASS_CHAR_SEQUENCE) {
             return StringDeserializer.instance;
         }

src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java

@@ -767,10 +767,17 @@ protected Object deserializeUsingPropertyBasedWithUnwrapped(JsonParser p, Deseri
                     p.setCurrentValue(bean);
                     // if so, need to copy all remaining tokens into buffer
                     while (t == JsonToken.FIELD_NAME) {
-                        p.nextToken(); // to skip name
+                        // NOTE: do NOT skip name as it needs to be copied; `copyCurrentStructure` does that
                         tokens.copyCurrentStructure(p);
                         t = p.nextToken();
                     }
+                    // 28-Aug-2018, tatu: Let's add sanity check here, easier to catch off-by-some
+                    //    problems if we maintain invariants
+                    if (t != JsonToken.END_OBJECT) {
+                        ctxt.reportWrongTokenException(this, JsonToken.END_OBJECT, 
+                                "Attempted to unwrap '%s' value",
+                                handledType().getName());
+                    }
                     tokens.writeEndObject();
                     if (bean.getClass() != _beanType.getRawClass()) {
                         // !!! 08-Jul-2011, tatu: Could probably support; but for now

src/main/java/com/fasterxml/jackson/databind/deser/std/StdKeyDeserializer.java

@@ -1,6 +1,7 @@
 package com.fasterxml.jackson.databind.deser.std;
 
 import java.io.IOException;
+import java.io.Serializable;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.net.MalformedURLException;
@@ -72,9 +73,13 @@ public static StdKeyDeserializer forType(Class<?> raw)
         int kind;
 
         // first common types:
-        if (raw == String.class || raw == Object.class || raw == CharSequence.class) {
+        if (raw == String.class || raw == Object.class
+                || raw == CharSequence.class
+                // see [databind#2115]:
+                || raw == Serializable.class) {
             return StringKD.forType(raw);
-        } else if (raw == UUID.class) {
+        }
+        if (raw == UUID.class) {
             kind = TYPE_UUID;
         } else if (raw == Integer.class) {
             kind = TYPE_INT;

src/main/java/com/fasterxml/jackson/databind/deser/std/StdKeyDeserializers.java

@@ -48,9 +48,7 @@ public static KeyDeserializer constructDelegatingKeyDeserializer(Deserialization
     public static KeyDeserializer findStringBasedKeyDeserializer(DeserializationConfig config,
             JavaType type)
     {
-        /* We don't need full deserialization information, just need to
-         * know creators.
-         */
+        // We don't need full deserialization information, just need to know creators.
         BeanDescription beanDesc = config.introspect(type);
         // Ok, so: can we find T(String) constructor?
         Constructor<?> ctor = beanDesc.findSingleArgConstructor(String.class);

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -68,6 +68,12 @@ public class SubTypeValidator
         s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
         s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
 
+        // [databind#2097]: some 3rd party, one JDK-bundled
+        s.add("org.slf4j.ext.EventData");
+        s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
+        s.add("com.sun.deploy.security.ruleset.DRSHelper");
+        s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

src/main/java/com/fasterxml/jackson/databind/node/TreeTraversingParser.java

@@ -357,19 +357,13 @@ public byte[] getBinaryValue(Base64Variant b64variant)
     {
         // Multiple possibilities...
         JsonNode n = currentNode();
-        if (n != null) { // binary node?
-            byte[] data = n.binaryValue();
-            // (or TextNode, which can also convert automatically!)
-            if (data != null) {
-                return data;
-            }
-            // Or maybe byte[] as POJO?
-            if (n.isPojo()) {
-                Object ob = ((POJONode) n).getPojo();
-                if (ob instanceof byte[]) {
-                    return (byte[]) ob;
-                }
+        if (n != null) {
+            // [databind#2096]: although `binaryValue()` works for real binary node
+            // and embedded "POJO" node, coercion from TextNode may require variant, so:
+            if (n instanceof TextNode) {
+                return ((TextNode) n).getBinaryValue(b64variant);
             }
+            return n.binaryValue();
         }
         // otherwise return null to mark we have no binary content
         return null;