Merge branch '2.8' into 2.9

Author: cowtowncoder

release-notes/VERSION-2.x

@@ -12,6 +12,7 @@ Project: jackson-databind
 #1912: `BeanDeserializerModifier.updateBuilder()` not work to set custom
   deserializer on a property (since 2.9.0)
  (contributed by Deblock T)
+#1931: Two more `c3p0` gadgets to exploit default typing issue
 
 2.9.4 (24-Jan-2018)
 
@@ -213,6 +214,7 @@ Project: jackson-databind
  (reported by Rob W)
 #1899: Another two gadgets to exploit default typing issue in jackson-databind
  (reported by OneSourceCat@github)
+#1931: Two more `c3p0` gadgets to exploit default typing issue
 
 2.8.11 (24-Dec-2017)
 

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -19,7 +19,10 @@
  */
 public class SubTypeValidator
 {
-    protected final static String PREFIX_STRING = "org.springframework.";
+    protected final static String PREFIX_SPRING = "org.springframework.";
+
+    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
+
     /**
      * Set of well-known "nasty classes", deserialization of which is considered dangerous
      * and should (and is) prevented by default.
@@ -46,8 +49,9 @@ public class SubTypeValidator
         // [databind#1737]; 3rd party
 //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
-        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+
+// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
+// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
         // [databind#1855]: more 3rd party
         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
@@ -86,8 +90,10 @@ public void validateSubType(DeserializationContext ctxt, JavaType type,
             // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
             //    for some Spring framework types
             // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
-            if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
-                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
+            if (raw.isInterface()) {
+                ;
+            } else if (full.startsWith(PREFIX_SPRING)) {
+                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
                     String name = cls.getSimpleName();
                     // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
                     if ("AbstractPointcutAdvisor".equals(name)
@@ -96,6 +102,16 @@ public void validateSubType(DeserializationContext ctxt, JavaType type,
                         break main_check;
                     }
                 }
+            } else if (full.startsWith(PREFIX_C3P0)) {
+                // [databind#1737]; more 3rd party
+                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+                // [databind#1931]; more 3rd party
+                // com.mchange.v2.c3p0.ComboPooledDataSource
+                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource 
+                if (full.endsWith("DataSource")) {
+                    break main_check;
+                }
             }
             return;
         } while (false);

src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java

@@ -10,6 +10,8 @@
 import com.fasterxml.jackson.databind.*;
 import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
 
+import com.mchange.v2.c3p0.jacksontest.ComboPooledDataSource;
+
 /**
  * Test case(s) to guard against handling of types that are illegal to handle
  * due to security constraints.
@@ -38,7 +40,7 @@ static class Authentication1872 {
      */
 
     private final ObjectMapper MAPPER = objectMapper();
-    
+
     // // // Tests for [databind#1599]
 
     public void testXalanTypes1599() throws Exception
@@ -86,34 +88,34 @@ public void testJDKTypes1855() throws Exception
 
     // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
     //    but would require adding dependencies. This may be practical when
-    //    checking done by module, but for now let's not do that for databind.
+    //    checking done by separate module, but for now let's not do that for databind.
 
     /*
     public void testSpringTypes1737() throws Exception
     {
         _testIllegalType("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
         _testIllegalType("org.springframework.beans.factory.config.PropertyPathFactoryBean");
     }
-
-    public void testC3P0Types1737() throws Exception
-    {
-        _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-        _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-    }
     */
 
     // // // Tests for [databind#1872]
     public void testJDKTypes1872() throws Exception
     {
         ObjectMapper mapper = new ObjectMapper();
         mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
-    
+
         String json = aposToQuotes(String.format("{'@class':'%s','authorities':['java.util.ArrayList',[]]}",
                 Authentication1872.class.getName()));
         Authentication1872 result = mapper.readValue(json, Authentication1872.class);
         assertNotNull(result);
     }
 
+    // [databind#1931]
+    public void testC3P0Types() throws Exception
+    {
+        _testIllegalType(ComboPooledDataSource.class); // [databind#1931]
+    }
+
     private void _testIllegalType(Class<?> nasty) throws Exception {
         _testIllegalType(nasty.getName());
     }

src/test/java/com/mchange/v2/c3p0/jacksontest/ComboPooledDataSource.java

@@ -0,0 +1,6 @@
+package com.mchange.v2.c3p0.jacksontest;
+
+// test class for [databind#1931]
+public class ComboPooledDataSource {
+
+}