Add @JsonIgnore to transient AuthenticatorData fields

This fixes a crash in deserializing AuthenticatorData with `com.upokecenter:cbor` versions later than 4.0.1.
Yubico · Jan 28, 2022 · c07016c · c07016c
1 parent fd0b962
commit c07016c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/NEWS b/NEWS
@@ -4,6 +4,8 @@ Fixes:
 
 * `com.upokecenter:cbor` dependency bumped to minimum version 4.5.1 due to a
   known vulnerability, see: https://github.com/advisories/GHSA-fj2w-wfgv-mwq6
+* Fixed crash in `AuthenticatorData` deserialization with `com.upokecenter:cbor`
+  versions later than 4.0.1
 
 
 == Version 1.12.1 ==

diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/data/AuthenticatorData.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/data/AuthenticatorData.java
@@ -25,6 +25,7 @@
 package com.yubico.webauthn.data;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.databind.SerializerProvider;
@@ -81,9 +82,9 @@ public class AuthenticatorData {
    *
    * @see #flags
    */
-  private final transient AttestedCredentialData attestedCredentialData;
+  @JsonIgnore private final transient AttestedCredentialData attestedCredentialData;
 
-  private final transient CBORObject extensions;
+  @JsonIgnore private final transient CBORObject extensions;
 
   private static final int RP_ID_HASH_INDEX = 0;
   private static final int RP_ID_HASH_END = RP_ID_HASH_INDEX + 32;