MNT-21871 : [Security] Multiple jackson-databind vulnerabilities (#33)

- upgrade to 2.11.2
   - reconfigure object mapper with different inclusion criteria for value and contents
   - add test for custom model with no aspects, types or constraints - verifying https://issues.alfresco.com/jira/browse/APPS-560
Denis Ungureanu
2020-10-15 10:15:38 +03:00
committed by GitHub
parent 123cd3d22f
commit a4c70b772c
3 changed files with 32 additions and 4 deletions


@@ -59,7 +59,7 @@
<dependency.spring.version>5.2.9.RELEASE</dependency.spring.version> <dependency.spring.version>5.2.9.RELEASE</dependency.spring.version>
<dependency.antlr.version>3.5.2</dependency.antlr.version> <dependency.antlr.version>3.5.2</dependency.antlr.version>
<dependency.jackson.version>2.11.2</dependency.jackson.version> <dependency.jackson.version>2.11.2</dependency.jackson.version>
<dependency.jackson-databind.version>2.10.1</dependency.jackson-databind.version> <dependency.jackson-databind.version>2.11.2</dependency.jackson-databind.version>
<dependency.cxf.version>3.3.7</dependency.cxf.version> <dependency.cxf.version>3.3.7</dependency.cxf.version>
<dependency.opencmis.version>1.0.0</dependency.opencmis.version> <dependency.opencmis.version>1.0.0</dependency.opencmis.version>
<dependency.pdfbox.version>2.0.21</dependency.pdfbox.version> <dependency.pdfbox.version>2.0.21</dependency.pdfbox.version>


@@ -82,9 +82,8 @@ public class JacksonHelper implements InitializingBean
//Configure the objectMapper ready for use //Configure the objectMapper ready for use
objectMapper = new ObjectMapper(); objectMapper = new ObjectMapper();
objectMapper.registerModule(module); objectMapper.registerModule(module);
objectMapper.setDefaultPropertyInclusion(JsonInclude.Include.NON_EMPTY); objectMapper.setDefaultPropertyInclusion(
objectMapper.configOverride(java.util.Map.class) JsonInclude.Value.construct(JsonInclude.Include.NON_EMPTY, JsonInclude.Include.ALWAYS));
.setInclude(JsonInclude.Value.construct(JsonInclude.Include.NON_EMPTY, null));
objectMapper.configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false); objectMapper.configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false);
DateFormat DATE_FORMAT_ISO8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ"); DateFormat DATE_FORMAT_ISO8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
DATE_FORMAT_ISO8601.setTimeZone(TimeZone.getTimeZone("UTC")); DATE_FORMAT_ISO8601.setTimeZone(TimeZone.getTimeZone("UTC"));
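Review bot: The new `objectMapper.setDefaultPropertyInclusion(JsonInclude.Value.construct(JsonInclude.Include.NON_EMPTY, JsonInclude.Include.ALWAYS))` changes what the REST layer emits — empty top-level properties are still dropped, but contents (as far as I recall, Map entries) are now always written — yet the only surviving comment is the generic `//Configure the objectMapper ready for use`, so the next person bumping jackson-databind has no way to know this split is deliberate or what it protects. Suggest a comment directly above the call, e.g. `// Value inclusion NON_EMPTY omits empty properties; content inclusion ALWAYS keeps empty entries` / `// (e.g. empty types/aspects/constraints arrays, see APPS-560 and TestCustomTypeAspect.testCreateCustomModel).` / `// Replaces the former configOverride(Map.class) — do not re-add it.` The enclosing method starts and ends outside this hunk, and the `SimpleDateFormat` lines below are pre-existing context rather than part of this change.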


@@ -59,6 +59,35 @@ import org.junit.Test;
*/ */
public class TestCustomTypeAspect extends BaseCustomModelApiTest public class TestCustomTypeAspect extends BaseCustomModelApiTest
{ {
@Test
public void testCreateCustomModel() throws Exception
{
setRequestContext(customModelAdmin);
String modelName = "testModel" + System.currentTimeMillis();
Pair<String, String> namespacePair = getTestNamespaceUriPrefixPair();
// Create the model as a Model Administrator
createCustomModel(modelName, namespacePair, ModelStatus.ACTIVE);
// Retrieve the created model
HttpResponse response = getSingle("cmm", modelName, 200);
CustomModel returnedModel = RestApiUtil
.parseRestApiEntry(response.getJsonResponse(), CustomModel.class);
assertNull(returnedModel.getTypes());
assertNull(returnedModel.getAspects());
// Retrieve the created model with its types and aspects
// - empty arrays expected as we did not set any aspects, types or constraints
response = getSingle("cmm", modelName + SELECT_ALL, 200);
returnedModel = RestApiUtil
.parseRestApiEntry(response.getJsonResponse(), CustomModel.class);
assertNotNull(returnedModel.getTypes());
assertTrue(returnedModel.getTypes().isEmpty());
assertNotNull(returnedModel.getAspects());
assertTrue(returnedModel.getAspects().isEmpty());
assertNotNull(returnedModel.getConstraints());
assertTrue(returnedModel.getConstraints().isEmpty());
}
@Test @Test
public void testCreateAspectsAndTypes_ExistingModel() throws Exception public void testCreateAspectsAndTypes_ExistingModel() throws Exception