Reject non-scalar endpoint parameter with Jersey

snicoll · snicoll · commit 145ed26e6f75 · 2024-11-19T16:47:02.000+01:00
Actuator endpoints should only declare simple type in the signature of an operation. In particular, nested types are not supported. While this is enforced in Spring MVC and Spring Webflux, the Jersey implementation leniently allowed to bind such types prior to this commit. This commit adapts the expectation in the Jersey implementation so that it rejects such request as well. Closes gh-43209
diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/web/jersey/JerseyEndpointResourceFactory.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/web/jersey/JerseyEndpointResourceFactory.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -55,6 +55,7 @@
 import org.springframework.boot.actuate.endpoint.web.WebOperation;
 import org.springframework.boot.actuate.endpoint.web.WebOperationRequestPredicate;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
+import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.ClassUtils;
 import org.springframework.util.CollectionUtils;
@@ -189,8 +190,10 @@ public Response apply(ContainerRequestContext data) {
 		}
 
 		@SuppressWarnings("unchecked")
-		private Map<String, Object> extractBodyArguments(ContainerRequestContext data) {
-			Map<String, Object> entity = ((ContainerRequest) data).readEntity(Map.class);
+		private Map<String, String> extractBodyArguments(ContainerRequestContext data) {
+			Map<String, String> entity = ((ContainerRequest) data).readEntity(Map.class,
+					new ParameterizedTypeReference<Map<String, String>>() {
+					}.getType());
 			return (entity != null) ? entity : Collections.emptyMap();
 		}
 
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/web/annotation/AbstractWebEndpointIntegrationTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/web/annotation/AbstractWebEndpointIntegrationTests.java
@@ -314,6 +314,24 @@ void writeOperation() {
 		});
 	}
 
+	@Test
+	void writeOperationWithListOfValuesIsRejected() {
+		load(TestEndpointConfiguration.class, (client) -> {
+			Map<String, Object> body = new HashMap<>();
+			body.put("generic", List.of("one", "two"));
+			client.post().uri("/test/one").bodyValue(body).exchange().expectStatus().isBadRequest();
+		});
+	}
+
+	@Test
+	void writeOperationWithNestedValueIsRejected() {
+		load(TestEndpointConfiguration.class, (client) -> {
+			Map<String, Object> body = new HashMap<>();
+			body.put("generic", Map.of("nested", "one"));
+			client.post().uri("/test/one").bodyValue(body).exchange().expectStatus().isBadRequest();
+		});
+	}
+
 	@Test
 	void writeOperationWithVoidResponse() {
 		load(VoidWriteResponseEndpointConfiguration.class, (context, client) -> {
@@ -968,6 +986,11 @@ void write(@Nullable String foo, @Nullable String bar) {
 			this.endpointDelegate.write(foo, bar);
 		}
 
+		@WriteOperation
+		void writeGeneric(@Selector String part, Object generic) {
+			this.endpointDelegate.write(generic.toString(), generic.toString());
+		}
+
 		@DeleteOperation
 		Map<String, Object> deletePart(@Selector String part) {
 			return Collections.singletonMap("part", part);
