MNT-21871 : [Security] Multiple jackson-databind vulnerabilities (#33)

- upgrade to 2.11.2 - reconfigure object mapper with different inclusion criteria for value and contents - add test for custom model with no aspects, types or constraints - verifying https://issues.alfresco.com/jira/browse/APPS-560
2025-07-24 17:32:48 +00:00 · 2020-10-15 10:15:38 +03:00
parent 123cd3d22f
commit a4c70b772c
3 changed files with 32 additions and 4 deletions
--- a/remote-api/src/main/java/org/alfresco/rest/framework/jacksonextensions/JacksonHelper.java
+++ b/remote-api/src/main/java/org/alfresco/rest/framework/jacksonextensions/JacksonHelper.java
@@ -82,9 +82,8 @@ public class JacksonHelper implements InitializingBean
        //Configure the objectMapper ready for use
        objectMapper = new ObjectMapper();
        objectMapper.registerModule(module);
-        objectMapper.setDefaultPropertyInclusion(JsonInclude.Include.NON_EMPTY);
-        objectMapper.configOverride(java.util.Map.class)
-                        .setInclude(JsonInclude.Value.construct(JsonInclude.Include.NON_EMPTY, null));
+        objectMapper.setDefaultPropertyInclusion(
+            JsonInclude.Value.construct(JsonInclude.Include.NON_EMPTY, JsonInclude.Include.ALWAYS));
        objectMapper.configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false);
        DateFormat DATE_FORMAT_ISO8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
        DATE_FORMAT_ISO8601.setTimeZone(TimeZone.getTimeZone("UTC"));
--- a/remote-api/src/test/java/org/alfresco/rest/api/tests/TestCustomTypeAspect.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/tests/TestCustomTypeAspect.java
@@ -59,6 +59,35 @@ import org.junit.Test;
 */
 public class TestCustomTypeAspect extends BaseCustomModelApiTest
 {
+    @Test
+    public void testCreateCustomModel() throws Exception
+    {
+        setRequestContext(customModelAdmin);
+
+        String modelName = "testModel" + System.currentTimeMillis();
+        Pair<String, String> namespacePair = getTestNamespaceUriPrefixPair();
+        // Create the model as a Model Administrator
+        createCustomModel(modelName, namespacePair, ModelStatus.ACTIVE);
+
+        // Retrieve the created model
+        HttpResponse response = getSingle("cmm", modelName, 200);
+        CustomModel returnedModel = RestApiUtil
+            .parseRestApiEntry(response.getJsonResponse(), CustomModel.class);
+        assertNull(returnedModel.getTypes());
+        assertNull(returnedModel.getAspects());
+
+        // Retrieve the created model with its types and aspects 
+        // - empty arrays expected as we did not set any aspects, types or constraints
+        response = getSingle("cmm", modelName + SELECT_ALL, 200);
+        returnedModel = RestApiUtil
+            .parseRestApiEntry(response.getJsonResponse(), CustomModel.class);
+        assertNotNull(returnedModel.getTypes());
+        assertTrue(returnedModel.getTypes().isEmpty());
+        assertNotNull(returnedModel.getAspects());
+        assertTrue(returnedModel.getAspects().isEmpty());
+        assertNotNull(returnedModel.getConstraints());
+        assertTrue(returnedModel.getConstraints().isEmpty());
+    }

    @Test
    public void testCreateAspectsAndTypes_ExistingModel() throws Exception