Fix #2668

Author: cowtowncoder

release-notes/VERSION-2.x

@@ -52,6 +52,8 @@ Project: jackson-databind
 #2657: Allow serialization of `Properties` with non-String values
 #2663: Add new factory method for creating custom `EnumValues` to pass to `EnumDeserializer
  (requested by Rafal K)
+#2668: `IllegalArgumentException` thrown for mismatched subclass deserialization
+ (reported by nbruno@github)
 - Add `SerializerProvider.findContentValueSerializer()` methods
 
 2.10.4 (not yet released)

src/main/java/com/fasterxml/jackson/databind/DeserializationContext.java

@@ -253,7 +253,9 @@ public final TypeFactory getTypeFactory() {
     }
 
     @Override // since 2.11
-    public JavaType constructSpecializedType(JavaType baseType, Class<?> subclass) {
+    public JavaType constructSpecializedType(JavaType baseType, Class<?> subclass)
+        throws IllegalArgumentException
+    {
         if (baseType.hasRawClass(subclass)) {
             return baseType;
         }

src/main/java/com/fasterxml/jackson/databind/SerializerProvider.java

@@ -334,7 +334,9 @@ public final TypeFactory getTypeFactory() {
     }
 
     @Override // since 2.11
-    public JavaType constructSpecializedType(JavaType baseType, Class<?> subclass) {
+    public JavaType constructSpecializedType(JavaType baseType, Class<?> subclass)
+        throws IllegalArgumentException
+    {
         if (baseType.hasRawClass(subclass)) {
             return baseType;
         }

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/TypeDeserializerBase.java

@@ -5,12 +5,10 @@
 import java.util.concurrent.ConcurrentHashMap;
 
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
+
 import com.fasterxml.jackson.core.*;
-import com.fasterxml.jackson.databind.BeanProperty;
-import com.fasterxml.jackson.databind.DeserializationContext;
-import com.fasterxml.jackson.databind.DeserializationFeature;
-import com.fasterxml.jackson.databind.JavaType;
-import com.fasterxml.jackson.databind.JsonDeserializer;
+
+import com.fasterxml.jackson.databind.*;
 import com.fasterxml.jackson.databind.deser.std.NullifyingDeserializer;
 import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
 import com.fasterxml.jackson.databind.jsontype.TypeIdResolver;
@@ -188,7 +186,13 @@ protected final JsonDeserializer<Object> _findDeserializer(DeserializationContex
                     //  Whether this is sufficient to avoid problems remains to be seen, but for
                     //  now it should improve things.
                     if (!type.hasGenericTypes()) {
-                        type = ctxt.getTypeFactory().constructSpecializedType(_baseType, type.getRawClass());
+                        try { // [databind#2668]: Should not expose generic RTEs
+                            type = ctxt.constructSpecializedType(_baseType, type.getRawClass());
+                        } catch (IllegalArgumentException e) {
+                            // 29-Mar-2020, tatu: I hope this is not misleading for other cases, but
+                            //   for [databind#2668] seems reasonable
+                            throw ctxt.invalidTypeIdException(_baseType, typeId, e.getMessage());
+                        }
                     }
                 }
                 deser = ctxt.findContextualValueDeserializer(type, _property);

src/main/java/com/fasterxml/jackson/databind/module/SimpleAbstractTypeResolver.java

@@ -30,7 +30,7 @@ public class SimpleAbstractTypeResolver
     extends AbstractTypeResolver
     implements java.io.Serializable
 {
-    private static final long serialVersionUID = 8635483102371490919L;
+    private static final long serialVersionUID = 1L;
 
     /**
      * Mappings from super types to subtypes

src/main/java/com/fasterxml/jackson/databind/type/TypeFactory.java

@@ -366,7 +366,9 @@ protected Class<?> _findPrimitive(String className)
      * that is, will use "strict" compatibility checking, usually used for
      * deserialization purposes (but often not for serialization).
      */
-    public JavaType constructSpecializedType(JavaType baseType, Class<?> subclass) {
+    public JavaType constructSpecializedType(JavaType baseType, Class<?> subclass)
+        throws IllegalArgumentException
+    {
         return constructSpecializedType(baseType, subclass, false);
     }
 
@@ -389,6 +391,7 @@ public JavaType constructSpecializedType(JavaType baseType, Class<?> subclass) {
      */
     public JavaType constructSpecializedType(JavaType baseType, Class<?> subclass,
             boolean relaxedCompatibilityCheck)
+        throws IllegalArgumentException
     {
         // simple optimization to avoid costly introspection if type-erased type does NOT differ
         final Class<?> rawBase = baseType.getRawClass();
@@ -404,8 +407,9 @@ public JavaType constructSpecializedType(JavaType baseType, Class<?> subclass,
                 break;
             }
             if (!rawBase.isAssignableFrom(subclass)) {
-                throw new IllegalArgumentException(String.format(
-                        "Class %s not subtype of %s", subclass.getName(), baseType));
+                throw new IllegalArgumentException(String.format("Class %s not subtype of %s",
+                        ClassUtil.nameOf(subclass), ClassUtil.getTypeDescription(baseType)
+                ));
             }
             // A few special cases where we can simplify handling:
 

src/test/java/com/fasterxml/jackson/databind/jsontype/PolymorphicDeserErrorHandlingTest.java

@@ -0,0 +1,65 @@
+package com.fasterxml.jackson.databind.jsontype;
+
+import com.fasterxml.jackson.annotation.JsonSubTypes;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+
+import com.fasterxml.jackson.databind.*;
+
+public class PolymorphicDeserErrorHandlingTest extends BaseMapTest
+{
+    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY,
+            property = "clazz")
+    abstract static class BaseForUnknownClass {
+    }
+
+    static class BaseUnknownWrapper {
+        public BaseForUnknownClass value;
+    }
+
+    // [databind#2668]
+    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
+    @JsonSubTypes({
+        @JsonSubTypes.Type(value = Child1.class, name = "child1"),
+        @JsonSubTypes.Type(value = Child2.class, name = "child2")
+    })
+    static class Parent2668 {
+    }
+
+    static class Child1 extends Parent2668 {
+        public String bar;
+    }
+
+    static class Child2 extends Parent2668 {
+        public String baz;
+    }
+
+    /*
+    /**********************************************************************
+    /* Test methods
+    /**********************************************************************
+     */
+    
+    private final ObjectMapper MAPPER = newJsonMapper();
+
+    public void testUnknownClassAsSubtype() throws Exception
+    {
+        ObjectReader reader = MAPPER.readerFor(BaseUnknownWrapper.class)
+                .without(DeserializationFeature.FAIL_ON_INVALID_SUBTYPE);
+        BaseUnknownWrapper w = reader.readValue(aposToQuotes
+                ("{'value':{'clazz':'com.foobar.Nothing'}}'"));
+        assertNotNull(w);
+    }
+
+    // [databind#2668]
+    public void testSubType2668() throws Exception
+    {
+        String json = "{\"type\": \"child2\", \"baz\":\"1\"}"; // JSON for Child2
+
+        try {
+            /*Child1 c =*/ MAPPER.readValue(json, Child1.class); // Deserializing into Child1
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            verifyException(e, "not subtype of");
+        }
+    }
+}

src/test/java/com/fasterxml/jackson/databind/jsontype/TestAbstractContainers.java

@@ -44,14 +44,14 @@ static class ListWrapper {
     public interface IDataValueList extends List<String> { }
 
     static class DataValueList extends LinkedList<String> implements IDataValueList { }
-   
+
     /*
     /**********************************************************
     /* Test methods
     /**********************************************************
      */
 
-    private final ObjectMapper MAPPER = new ObjectMapper();
+    private final ObjectMapper MAPPER = newJsonMapper();
 
     public void testAbstractLists() throws Exception
     {