Fix #1735

Author: cowtowncoder

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/ClassNameIdResolver.java

@@ -51,7 +51,16 @@ protected JavaType _typeFromId(String id, DatabindContext ctxt) throws IOExcepti
         TypeFactory tf = ctxt.getTypeFactory();
         if (id.indexOf('<') > 0) {
             // note: may want to try combining with specialization (esp for EnumMap)?
-            return tf.constructFromCanonical(id);
+            // 17-Aug-2017, tatu: As per [databind#1735] need to ensure assignment
+            //    compatibility -- needed later anyway, and not doing so may open
+            //    security issues.
+            JavaType t = tf.constructFromCanonical(id);
+            if (!t.isTypeOrSubTypeOf(_baseType.getRawClass())) {
+                // Probably cleaner to have a method in `TypeFactory` but can't add in patch
+                throw new IllegalArgumentException(String.format(
+                        "Class %s not subtype of %s", t.getRawClass().getName(), _baseType));
+            }
+            return t;
         }
         Class<?> cls;
         try {

src/test/java/com/fasterxml/jackson/databind/BaseTest.java

@@ -364,7 +364,9 @@ protected void verifyException(Throwable e, String... matches)
                 return;
             }
         }
-        fail("Expected an exception with one of substrings ("+Arrays.asList(matches)+"): got one with message \""+msg+"\"");
+        fail("Expected an exception with one of substrings ("
+                +Arrays.asList(matches)+"): got one (of type "+e.getClass().getName()
+                +") with message \""+msg+"\"");
     }
 
     /**

src/test/java/com/fasterxml/jackson/databind/jsontype/GenericTypeId1735Test.java

@@ -0,0 +1,64 @@
+package com.fasterxml.jackson.databind.jsontype;
+
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+
+import com.fasterxml.jackson.databind.*;
+
+// for [databind#1735]:
+public class GenericTypeId1735Test extends BaseMapTest
+{
+    static class Wrapper1735 {
+        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "type")
+        public Payload1735 w;
+    }
+
+    static class Payload1735 {
+        public void setValue(String str) { }
+    }
+
+    static class Nefarious1735 {
+        public Nefarious1735() {
+            throw new Error("Never call this constructor");
+        }
+
+        public void setValue(String str) {
+            throw new Error("Never call this setter");
+        }
+    }
+
+    /*
+    /**********************************************************
+    /* Unit tests
+    /**********************************************************
+     */
+
+    private final ObjectMapper MAPPER = objectMapper();
+
+    private final static String NEF_CLASS = Nefarious1735.class.getName();
+    
+    // Existing checks should kick in fine
+    public void testSimpleTypeCheck1735() throws Exception
+    {
+        try {
+            MAPPER.readValue(aposToQuotes(
+"{'w':{'type':'"+NEF_CLASS+"'}}"),
+                    Wrapper1735.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            verifyException(e, "not subtype of");
+        }
+    }
+
+    // but this was not being verified early enough
+    public void testNestedTypeCheck1735() throws Exception
+    {
+        try {
+            MAPPER.readValue(aposToQuotes(
+"{'w':{'type':'java.util.HashMap<java.lang.String,java.lang.String>'}}"),
+                    Wrapper1735.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            verifyException(e, "not subtype of");
+        }
+    }
+}