MNSTR-5023 backport security fix from jackson2 - Block one more gadget type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728)

Merged from FasterXML/jackson-databind#2999

Author: tkanafa-atlassian

release-notes/VERSION

@@ -77,6 +77,7 @@ One more patch release for 1.9.
 * [databind#2996]: Block 2 more gadget types (newrelic-agent, CVE-2020-36188/CVE-2020-36189)
 * [databind#2997]: Block 2 more gadget types (tomcat/naming-factory-dbcp, CVE-2020-36186/CVE-2020-36187)
 * [databind#2998]: Block 2 more gadget types (org.apache.tomcat/tomcat-dbcp, CVE-2020-36184/CVE-2020-36185)
+* [databind#2999]: Block one more gadget type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728)
 
 
 1.9.13 (14-Jul-2013)

src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java

@@ -216,6 +216,10 @@ public class SubTypeValidator
         s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
         s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
 
+        // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
+        // (derivative of #2469)
+        s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }