fix issue where unexpected properties can cause deserialization issues (#3911)

Author: pjfanning

src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java

@@ -454,7 +454,7 @@ protected Object _deserializeUsingPropertyBased(final JsonParser p, final Deseri
 
                     //  polymorphic?
                     if (bean.getClass() != _beanType.getRawClass()) {
-                        return handlePolymorphic(p, ctxt, bean, unknown);
+                        return handlePolymorphic(p, ctxt, p.streamReadConstraints(), bean, unknown);
                     }
                     if (unknown != null) { // nope, just extra unknown stuff...
                         bean = handleUnknownProperties(ctxt, bean, unknown);
@@ -538,7 +538,7 @@ protected Object _deserializeUsingPropertyBased(final JsonParser p, final Deseri
         if (unknown != null) {
             // polymorphic?
             if (bean.getClass() != _beanType.getRawClass()) { // lgtm [java/dereferenced-value-may-be-null]
-                return handlePolymorphic(null, ctxt, bean, unknown);
+                return handlePolymorphic(null, ctxt, p.streamReadConstraints(), bean, unknown);
             }
             // no, just some extra unknown properties
             return handleUnknownProperties(ctxt, bean, unknown);

src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java

@@ -1735,18 +1735,41 @@ protected void handleIgnoredProperty(JsonParser p, DeserializationContext ctxt,
      * @param p (optional) If not null, parser that has more properties to handle
      *   (in addition to buffered properties); if null, all properties are passed
      *   in buffer
+     * @deprecated use {@link #handlePolymorphic(JsonParser, DeserializationContext, StreamReadConstraints, Object, TokenBuffer)}
      */
+    @Deprecated
     protected Object handlePolymorphic(JsonParser p, DeserializationContext ctxt,
             Object bean, TokenBuffer unknownTokens)
         throws IOException
+    {
+        final StreamReadConstraints streamReadConstraints = p == null ?
+                StreamReadConstraints.defaults() : p.streamReadConstraints();
+        return handlePolymorphic(p, ctxt, streamReadConstraints, bean, unknownTokens);
+    }
+
+    /**
+     * Method called in cases where we may have polymorphic deserialization
+     * case: that is, type of Creator-constructed bean is not the type
+     * of deserializer itself. It should be a sub-class or implementation
+     * class; either way, we may have more specific deserializer to use
+     * for handling it.
+     *
+     * @param p (optional) If not null, parser that has more properties to handle
+     *   (in addition to buffered properties); if null, all properties are passed
+     *   in buffer
+     * @since 2.15.1
+     */
+    protected Object handlePolymorphic(JsonParser p, DeserializationContext ctxt,
+            StreamReadConstraints streamReadConstraints, Object bean, TokenBuffer unknownTokens)
+        throws IOException
     {
         // First things first: maybe there is a more specific deserializer available?
         JsonDeserializer<Object> subDeser = _findSubclassDeserializer(ctxt, bean, unknownTokens);
         if (subDeser != null) {
             if (unknownTokens != null) {
                 // need to add END_OBJECT marker first
                 unknownTokens.writeEndObject();
-                JsonParser p2 = unknownTokens.asParser(p.streamReadConstraints());
+                JsonParser p2 = unknownTokens.asParser(streamReadConstraints);
                 p2.nextToken(); // to get to first data field
                 bean = subDeser.deserialize(p2, ctxt, bean);
             }

src/main/java/com/fasterxml/jackson/databind/deser/BuilderBasedDeserializer.java

@@ -395,7 +395,7 @@ protected Object _deserializeUsingPropertyBased(final JsonParser p,
                     }
                     //  polymorphic?
                     if (builder.getClass() != _beanType.getRawClass()) {
-                        return handlePolymorphic(p, ctxt, builder, unknown);
+                        return handlePolymorphic(p, ctxt, p.streamReadConstraints(), builder, unknown);
                     }
                     if (unknown != null) { // nope, just extra unknown stuff...
                         builder = handleUnknownProperties(ctxt, builder, unknown);
@@ -440,7 +440,7 @@ protected Object _deserializeUsingPropertyBased(final JsonParser p,
         if (unknown != null) {
             // polymorphic?
             if (builder.getClass() != _beanType.getRawClass()) {
-                return handlePolymorphic(null, ctxt, builder, unknown);
+                return handlePolymorphic(null, ctxt, p.streamReadConstraints(), builder, unknown);
             }
             // no, just some extra unknown properties
             return handleUnknownProperties(ctxt, builder, unknown);
@@ -669,7 +669,7 @@ protected Object deserializeUsingPropertyBasedWithUnwrapped(JsonParser p,
                         continue; // never gets here
                     }
                     if (builder.getClass() != _beanType.getRawClass()) {
-                        return handlePolymorphic(p, ctxt, builder, tokens);
+                        return handlePolymorphic(p, ctxt, p.streamReadConstraints(), builder, tokens);
                     }
                     return deserializeWithUnwrapped(p, ctxt, builder, tokens);
                 }

src/test/java/com/fasterxml/jackson/databind/deser/Issue1009Test.java

@@ -0,0 +1,89 @@
+package com.fasterxml.jackson.databind.deser;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.BaseMapTest;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.util.List;
+
+public class Issue1009Test extends BaseMapTest {
+
+    public void testDeserialization() throws JsonProcessingException {
+        String rawResponse = "{\"list\":[{\"type\":\"impl\",\"unmappedKey\":\"unusedValue\"}]}";
+        MyResponse myResponse = objectMapper().readValue(rawResponse, MyResponse.class);
+        assertNotNull(myResponse);
+        assertEquals(1, myResponse.list.size());
+        assertEquals("impl", myResponse.list.get(0).getType());
+        assertNull(myResponse.list.get(0).getMissingInJson());
+    }
+
+    protected ObjectMapper objectMapper() {
+        ObjectMapper om = new ObjectMapper();
+        om.disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
+        return om;
+    }
+
+    static class MyResponse {
+        private List<Base> list;
+
+        public List<Base> getList() {
+            return list;
+        }
+
+        public void setList(List<Base> list) {
+            this.list = list;
+        }
+    }
+
+    interface Base {
+
+        String getType();
+
+        String getMissingInJson();
+
+        @JsonCreator
+        static Base unmarshall(
+                @JsonProperty("missingInJson") String missingInJson,
+                @JsonProperty("type") String type
+        ) {
+            switch (type) {
+                case "impl":
+                    return new Impl(type, missingInJson);
+                default:
+                    return null;
+            }
+        }
+    }
+
+    final static class Impl implements Base {
+        private String type;
+        private String missingInJson;
+
+        public Impl() {
+        }
+
+        public Impl(String type, String missingInJson) {
+            this.type = type;
+            this.missingInJson = missingInJson;
+        }
+
+        @Override public String getType() {
+            return type;
+        }
+
+        @Override public String getMissingInJson() {
+            return missingInJson;
+        }
+
+        public void setType(String type) {
+            this.type = type;
+        }
+
+        public void setMissingInJson(String missingInJson) {
+            this.missingInJson = missingInJson;
+        }
+    }
+}