fix: merge fix from 2.9 branch FasterXML#2653 FasterXML#2658 FasterXML#2659 FasterXML#2660 FasterXML#2662 FasterXML#2664 FasterXML#2666 FasterXML#2670 FasterXML#2680 FasterXML#2682 FasterXML#2688 FasterXML#2698 FasterXML#2704 FasterXML#2765 FasterXML#2798 FasterXML#2814 FasterXML#2826 FasterXML#2827 FasterXML#2854

qxo · qxo · commit 7e70e8ed25d5 · 2020-09-21T20:12:15.000+08:00
1. generated diff CVE diff git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java 2. cleanup the diff ,just remain the CVE change 3. apply the diff 4. check and make sure only commit the AutoType CVE change. ``` PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l echo $PR_LIST ```
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -48,6 +48,9 @@ public class SubTypeValidator
         // [databind#1737]; 3rd party
 //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+        // [databind#2680]
+        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
+        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
 
 // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
 // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
@@ -73,24 +76,26 @@ public class SubTypeValidator
         s.add("com.sun.deploy.security.ruleset.DRSHelper");
         s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
 
-        // [databind#2186]: yet more 3rd party gadgets
+        // [databind#2186], [databind#2670]: yet more 3rd party gadgets
         s.add("org.jboss.util.propertyeditor.DocumentEditor");
         s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
-        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");   
-        
-        // [databind#2326] (2.7.9.6): one more 3rd party gadget
+        s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
+        s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+
+        // [databind#2326] (2.9.9)
         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
 
-        // [databind#2334]: logback-core
+        // [databind#2334]: logback-core (2.9.9.1)
         s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
 
-        // [databind#2341]: jdom/jdom2
+        // [databind#2341]: jdom/jdom2 (2.9.9.1)
         s.add("org.jdom.transform.XSLTransformer");
         s.add("org.jdom2.transform.XSLTransformer");
 
-        // [databind#2387]: EHCache
+        // [databind#2387], [databind#2460]: EHCache
         s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
+        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
 
         // [databind#2389]: logback/jndi
         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
@@ -107,8 +112,10 @@ public class SubTypeValidator
         s.add("org.apache.commons.configuration.JNDIConfiguration");
         s.add("org.apache.commons.configuration2.JNDIConfiguration");
 
-        // [databind#2469]: xalan2
+        // [databind#2469]: xalan
         s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
+        // [databind#2704]: xalan2
+        s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
 
         // [databind#2478]: comons-dbcp, p6spy
         s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
@@ -129,15 +136,75 @@ public class SubTypeValidator
         // [databind#2631]: shaded hikari-config
         s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
 
-        // [databind#2634]: ibatis-sqlmap, anteros-core
+        // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
         s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
         s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
+        // [databind#2814]: anteros-dbcp
+        s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
 
-        // [databind#2642]: javax.swing (jdk)
+        // [databind#2642][databind#2854]: javax.swing (jdk)
         s.add("javax.swing.JEditorPane");
+        s.add("javax.swing.JTextPane");
 
-        // [databind#2648]: shire-core
+        // [databind#2648], [databind#2653]: shire-core
         s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
+        s.add("org.apache.shiro.jndi.JndiObjectFactory");
+
+        // [databind#2658]: ignite-jta (, quartz-core)
+        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
+        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
+        s.add("org.quartz.utils.JNDIConnectionProvider");
+
+        // [databind#2659]: aries.transaction.jms
+        s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
+        s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
+
+        // [databind#2660]: caucho-quercus
+        s.add("com.caucho.config.types.ResourceRef");
+
+        // [databind#2662]: aoju/bus-proxy
+        s.add("org.aoju.bus.proxy.provider.RmiProvider");
+        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
+
+        // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
+
+        s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
+        s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
+        s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
+        s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
+        s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
+        s.add("org.apache.activemq.pool.PooledConnectionFactory");
+        s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
+        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
+        s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
+        
+        // [databind#2666]: apache/commons-jms
+        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
+
+        // [databind#2682]: commons-jelly
+        s.add("org.apache.commons.jelly.impl.Embedded");
+
+        // [databind#2688]: apache/drill
+        s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
+
+        // [databind#2698]: weblogic w/ oracle/aq-jms
+        // (note: dependency not available via Maven Central, but as part of
+        // weblogic installation, possibly fairly old version(s))
+        s.add("oracle.jms.AQjmsQueueConnectionFactory");
+        s.add("oracle.jms.AQjmsXATopicConnectionFactory");
+        s.add("oracle.jms.AQjmsTopicConnectionFactory");
+        s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
+        s.add("oracle.jms.AQjmsXAConnectionFactory");
+
+        // [databind#2764]: org.jsecurity:
+        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+
+        // [databind#2798]: com.pastdev.httpcomponents:
+        s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
+
+        // [databind#2826], [databind#2827]
+        s.add("com.nqadmin.rowset.JdbcRowSetImpl");
+        s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
