Skip to content

Commit

Permalink
fix: merge fix from 2.9 branch #2653 #2658 #2659 #2660 #2662 #2664 #2666
Browse files Browse the repository at this point in the history
 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

1. generated diff CVE diff
git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

2. cleanup the diff ,just remain the CVE change

3. apply the diff

4. check and make sure only commit the AutoType CVE change.

```
PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l
echo $PR_LIST
```
  • Loading branch information
qxo authored Sep 22, 2020
1 parent d52f91e commit 08fbfac
Showing 1 changed file with 78 additions and 11 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,9 @@ public class SubTypeValidator
// [databind#1737]; 3rd party
//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
// [databind#2680]
s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");

// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
Expand All @@ -73,24 +76,26 @@ public class SubTypeValidator
s.add("com.sun.deploy.security.ruleset.DRSHelper");
s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");

// [databind#2186]: yet more 3rd party gadgets
// [databind#2186], [databind#2670]: yet more 3rd party gadgets
s.add("org.jboss.util.propertyeditor.DocumentEditor");
s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");

// [databind#2326] (2.7.9.6): one more 3rd party gadget
s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");

// [databind#2326] (2.9.9)
s.add("com.mysql.cj.jdbc.admin.MiniAdmin");

// [databind#2334]: logback-core
// [databind#2334]: logback-core (2.9.9.1)
s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");

// [databind#2341]: jdom/jdom2
// [databind#2341]: jdom/jdom2 (2.9.9.1)
s.add("org.jdom.transform.XSLTransformer");
s.add("org.jdom2.transform.XSLTransformer");

// [databind#2387]: EHCache
// [databind#2387], [databind#2460]: EHCache
s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");

// [databind#2389]: logback/jndi
s.add("ch.qos.logback.core.db.JNDIConnectionSource");
Expand All @@ -107,8 +112,10 @@ public class SubTypeValidator
s.add("org.apache.commons.configuration.JNDIConfiguration");
s.add("org.apache.commons.configuration2.JNDIConfiguration");

// [databind#2469]: xalan2
// [databind#2469]: xalan
s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
// [databind#2704]: xalan2
s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");

// [databind#2478]: comons-dbcp, p6spy
s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
Expand All @@ -129,15 +136,75 @@ public class SubTypeValidator
// [databind#2631]: shaded hikari-config
s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");

// [databind#2634]: ibatis-sqlmap, anteros-core
// [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
// [databind#2814]: anteros-dbcp
s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");

// [databind#2642]: javax.swing (jdk)
// [databind#2642][databind#2854]: javax.swing (jdk)
s.add("javax.swing.JEditorPane");
s.add("javax.swing.JTextPane");

// [databind#2648]: shire-core
// [databind#2648], [databind#2653]: shire-core
s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
s.add("org.apache.shiro.jndi.JndiObjectFactory");

// [databind#2658]: ignite-jta (, quartz-core)
s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
s.add("org.quartz.utils.JNDIConnectionProvider");

// [databind#2659]: aries.transaction.jms
s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");

// [databind#2660]: caucho-quercus
s.add("com.caucho.config.types.ResourceRef");

// [databind#2662]: aoju/bus-proxy
s.add("org.aoju.bus.proxy.provider.RmiProvider");
s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");

// [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms

s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
s.add("org.apache.activemq.pool.PooledConnectionFactory");
s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");

// [databind#2666]: apache/commons-jms
s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");

// [databind#2682]: commons-jelly
s.add("org.apache.commons.jelly.impl.Embedded");

// [databind#2688]: apache/drill
s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");

// [databind#2698]: weblogic w/ oracle/aq-jms
// (note: dependency not available via Maven Central, but as part of
// weblogic installation, possibly fairly old version(s))
s.add("oracle.jms.AQjmsQueueConnectionFactory");
s.add("oracle.jms.AQjmsXATopicConnectionFactory");
s.add("oracle.jms.AQjmsTopicConnectionFactory");
s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
s.add("oracle.jms.AQjmsXAConnectionFactory");

// [databind#2764]: org.jsecurity:
s.add("org.jsecurity.realm.jndi.JndiRealmFactory");

// [databind#2798]: com.pastdev.httpcomponents:
s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");

// [databind#2826], [databind#2827]
s.add("com.nqadmin.rowset.JdbcRowSetImpl");
s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl");

DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
Expand Down

0 comments on commit 08fbfac

Please sign in to comment.