Fix #2573 (this adds tests, actual impl in preceding commit)

cowtowncoder · cowtowncoder · commit cdda82fae89a · 2020-01-08T17:57:08.000-08:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -18,17 +18,19 @@ Project: jackson-databind
 #2503: Support `@JsonSerialize(keyUsing)` and `@JsonDeserialize(keyUsing)` on Key class
 #2511: Add `SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL`
  (contributed by Joongsoo P)
-#2515: `ObjectMapper.registerSubtypes(NamedType...)` doesn't allow registering the same POJO
-  for two different type ids
+#2515: `ObjectMapper.registerSubtypes(NamedType...)` doesn't allow registering
+  same POJO for two different type ids
  (contributed by Joseph K)
-#2522: `DeserializationContext.handleMissingInstantiator()` throws `MismatchedInputException`
-  for non-static inner classes
+#2522: `DeserializationContext.handleMissingInstantiator()` throws
+  `MismatchedInputException` for non-static inner classes
 #2525: Incorrect `JsonStreamContext` for `TokenBuffer` and `TreeTraversingParser`
-#2527: Add `AnnotationIntrospector.findRenameByField()` to support Kotlin's "is-getter"
-  naming convention
+#2527: Add `AnnotationIntrospector.findRenameByField()` to support Kotlin's
+  "is-getter" naming convention
 #2555: Use `@JsonProperty(index)` for sorting properties on serialization
 #2565: Java 8 `Optional` not working with `@JsonUnwrapped` on unwrappable type
  (reported by Haowei W)
+#2573: Add `MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` to allow blocking
+  use of unsafe base type for polymorphic deserialization
 - Add `SerializerProvider.findContentValueSerializer()` methods
 
 2.10.2 (05-Jan-2020)
diff --git a/src/test/java/com/fasterxml/jackson/databind/jsontype/vld/AnnotatedPolymorphicValidationTest.java b/src/test/java/com/fasterxml/jackson/databind/jsontype/vld/AnnotatedPolymorphicValidationTest.java
@@ -0,0 +1,96 @@
+package com.fasterxml.jackson.databind.jsontype.vld;
+
+import java.io.*;
+
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+
+import com.fasterxml.jackson.databind.*;
+import com.fasterxml.jackson.databind.cfg.MapperConfig;
+import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
+import com.fasterxml.jackson.databind.json.JsonMapper;
+import com.fasterxml.jackson.databind.jsontype.DefaultBaseTypeLimitingValidator;
+
+/**
+ * Unit tests for verifying that "unsafe" base type(s) for polymorphic deserialization
+ * are correctly handled wrt {@link MapperFeature#BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}.
+ */
+public class AnnotatedPolymorphicValidationTest
+    extends BaseMapTest
+{
+    static class WrappedPolymorphicUntyped {
+        @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS)
+        public Object value;
+
+        protected WrappedPolymorphicUntyped() { }
+    }
+
+    static class WrappedPolymorphicUntypedSer {
+        @JsonTypeInfo(use=JsonTypeInfo.Id.CLASS)
+        public java.io.Serializable value;
+
+        protected WrappedPolymorphicUntypedSer() { }
+    }
+
+    static class NumbersAreOkValidator extends DefaultBaseTypeLimitingValidator
+    {
+        private static final long serialVersionUID = 1L;
+
+        @Override
+        protected boolean isUnsafeBaseType(MapperConfig<?> config, JavaType baseType)
+        {
+            // only override handling for `Object`
+            if (baseType.hasRawClass(Object.class)) {
+                return false;
+            }
+            return super.isUnsafeBaseType(config, baseType);
+        }
+
+        @Override
+        protected boolean isSafeSubType(MapperConfig<?> config,
+                JavaType baseType, JavaType subType) {
+            return baseType.isTypeOrSubTypeOf(Number.class);
+        }
+    }
+    
+    /*
+    /**********************************************************
+    /* Test methods
+    /**********************************************************
+     */
+
+    private final ObjectMapper MAPPER = jsonMapperBuilder()
+            .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
+            .build();
+
+    public void testPolymorphicWithUnsafeBaseType() throws IOException
+    {
+        final String JSON = aposToQuotes("{'value':10}");
+        // by default, we should NOT be allowed to deserialize due to unsafe base type
+        try {
+            /*w =*/ MAPPER.readValue(JSON, WrappedPolymorphicUntyped.class);
+            fail("Should not pass");
+        } catch (InvalidDefinitionException e) {
+            verifyException(e, "Configured");
+            verifyException(e, "all subtypes of base type");
+        }
+
+        // but may with proper validator
+        ObjectMapper customMapper = JsonMapper.builder()
+                .polymorphicTypeValidator(new NumbersAreOkValidator())
+                .build();
+        
+        WrappedPolymorphicUntyped w = customMapper.readValue(JSON, WrappedPolymorphicUntyped.class);
+        assertEquals(Integer.valueOf(10), w.value);
+
+        // but yet again, it is not opening up all types (just as an example)
+        
+        try {
+            customMapper.readValue(JSON, WrappedPolymorphicUntypedSer.class);
+            fail("Should not pass");
+        } catch (InvalidDefinitionException e) {
+            verifyException(e, "Configured");
+            verifyException(e, "all subtypes of base type");
+            verifyException(e, "java.io.Serializable");
+        }
+    }
+}
