FasterXML#2208: Extract interface from SubTypeValidator. Provide new …

…implementation: ExtensibleSubTypeValidator.

src/main/java/com/fasterxml/jackson/databind/cfg/DeserializerFactoryConfig.java

@@ -2,7 +2,7 @@
 
 import com.fasterxml.jackson.databind.deser.*;
 import com.fasterxml.jackson.databind.deser.std.StdKeyDeserializers;
-import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator;
+import com.fasterxml.jackson.databind.jsontype.SubTypeValidator;
 import com.fasterxml.jackson.databind.util.ArrayBuilders;
 import com.fasterxml.jackson.databind.util.ArrayIterator;
 
@@ -17,7 +17,7 @@ public class DeserializerFactoryConfig
     protected final static Deserializers[] NO_DESERIALIZERS = new Deserializers[0];
     protected final static BeanDeserializerModifier[] NO_MODIFIERS = new BeanDeserializerModifier[0];
     protected final static ValueInstantiators[] NO_VALUE_INSTANTIATORS = new ValueInstantiators[0];
-    private static final SubTypeValidator DEFAULT_SUBTYPE_VALIDATOR = SubTypeValidator.instance();
+    private static final SubTypeValidator DEFAULT_SUBTYPE_VALIDATOR = com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator.instance();
 
     /**
      * By default we plug default key deserializers using as "just another" set of

src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java

@@ -11,7 +11,6 @@
 import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
 import com.fasterxml.jackson.databind.introspect.*;
 import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
-import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator;
 import com.fasterxml.jackson.databind.util.ClassUtil;
 import com.fasterxml.jackson.databind.util.SimpleBeanPropertyDefinition;
 

src/main/java/com/fasterxml/jackson/databind/jsontype/SubTypeValidator.java

@@ -0,0 +1,18 @@
+package com.fasterxml.jackson.databind.jsontype;
+
+import com.fasterxml.jackson.databind.BeanDescription;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.JsonMappingException;
+
+/**
+ * Interface used to encapsulate rules that determine subtypes that
+ * are invalid to use, even with default typing, mostly due to security
+ * concerns.
+ * Used by <code>BeanDeserializerFactory</code>.
+ */
+public interface SubTypeValidator {
+
+    void validateSubType(DeserializationContext ctxt, JavaType type, BeanDescription beanDesc)
+        throws JsonMappingException;
+}

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/ExtensibleSubTypeValidator.java

@@ -0,0 +1,17 @@
+package com.fasterxml.jackson.databind.jsontype.impl;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+public class ExtensibleSubTypeValidator extends SubTypeValidator
+{
+    public void addIllegalClassNames(Collection<String> classNames)
+    {
+        final Set<String> s = new HashSet<String>();
+        s.addAll(_cfgIllegalClassNames);
+        s.addAll(classNames);
+        _cfgIllegalClassNames = Collections.unmodifiableSet(s);
+    }
+}

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -17,7 +17,7 @@
  *
  * @since 2.8.11
  */
-public class SubTypeValidator
+public class SubTypeValidator implements com.fasterxml.jackson.databind.jsontype.SubTypeValidator
 {
     protected final static String PREFIX_SPRING = "org.springframework.";
 
@@ -94,6 +94,7 @@ protected SubTypeValidator() { }
 
     public static SubTypeValidator instance() { return instance; }
 
+    @Override
     public void validateSubType(DeserializationContext ctxt, JavaType type,
             BeanDescription beanDesc) throws JsonMappingException
     {

src/test/java/com/fasterxml/jackson/databind/deser/TestCustomSubTypeValidator.java

@@ -1,5 +1,6 @@
 package com.fasterxml.jackson.databind.deser;
 
+import java.util.Collections;
 import java.util.List;
 
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
@@ -12,7 +13,8 @@
 import com.fasterxml.jackson.databind.cfg.DeserializerFactoryConfig;
 import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
 import com.fasterxml.jackson.databind.json.JsonMapper;
-import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator;
+import com.fasterxml.jackson.databind.jsontype.SubTypeValidator;
+import com.fasterxml.jackson.databind.jsontype.impl.ExtensibleSubTypeValidator;
 
 public class TestCustomSubTypeValidator 
     extends BaseMapTest
@@ -140,7 +142,7 @@ public static class Penguin extends Animal
      */
 
     static class DenyAllValidator
-        extends SubTypeValidator
+        implements SubTypeValidator
     {
         @Override
         public void validateSubType(DeserializationContext ctxt, JavaType type, BeanDescription beanDesc)
@@ -154,7 +156,7 @@ public void validateSubType(DeserializationContext ctxt, JavaType type, BeanDesc
     }
 
     static class FriendlyAnimalValidator
-        extends SubTypeValidator
+        extends com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator
     {
         private static Class<?>[] FRIENDLY_ANIMAL_WHITELIST = new Class<?>[] {
             Animal.class,
@@ -253,6 +255,56 @@ public void testDenyAllValidator() throws Exception
         }
     }
 
+    public void testExtensibleSubTypeValidatorNoPenguins() throws Exception
+    {
+        final ExtensibleSubTypeValidator validator = new ExtensibleSubTypeValidator();
+        validator.addIllegalClassNames(Collections.singleton("com.fasterxml.jackson.databind.deser.TestCustomSubTypeValidator$Penguin"));
+
+        final ObjectMapper mapper = objectMapper(validator);
+
+        // still deserializes primitive JSON types
+        mapper.readValue(STRING_VALUE_JSON, String.class);
+
+        // fails to deserialize, because the zoo has Penguins in it
+        while(true)
+        {
+            try {
+                mapper.readValue(ZOO_JSON, Zoo.class);
+            } catch(InvalidDefinitionException e) {
+                break;
+            }
+            fail("Expected InvalidDefinitionException, but got none.");
+        }
+
+        // deserializes successfully, because the petting zoo has no Penguins in it
+        mapper.readValue(PETTING_ZOO_JSON, Zoo.class);
+    }
+
+    public void testExtensibleSubTypeValidatorNoSheep() throws Exception
+    {
+        final ExtensibleSubTypeValidator validator = new ExtensibleSubTypeValidator();
+        validator.addIllegalClassNames(Collections.singleton("com.fasterxml.jackson.databind.deser.TestCustomSubTypeValidator$Sheep"));
+
+        final ObjectMapper mapper = objectMapper(validator);
+
+        // still deserializes primitive JSON types
+        mapper.readValue(STRING_VALUE_JSON, String.class);
+
+        // deserializes successfully, because the zoo has no Sheep in it
+        mapper.readValue(ZOO_JSON, Zoo.class);
+
+        // fails to deserialize, because the petting zoo has Sheep in it
+        while(true)
+        {
+            try {
+                mapper.readValue(PETTING_ZOO_JSON, Zoo.class);
+            } catch(InvalidDefinitionException e) {
+                break;
+            }
+            fail("Expected InvalidDefinitionException, but got none.");
+        }
+    }
+
     public void testFriendlyAnimalValidator() throws Exception
     {
         final ObjectMapper mapper = objectMapper(new FriendlyAnimalValidator());