MNT-21871 : [Security] Multiple jackson-databind vulnerabilities (#33)

- upgrade to 2.11.2
   - reconfigure object mapper with different inclusion criteria for value and contents
   - add test for custom model with no aspects, types or constraints - verifying https://issues.alfresco.com/jira/browse/APPS-560

pom.xml

@@ -59,7 +59,7 @@
         <dependency.spring.version>5.2.9.RELEASE</dependency.spring.version>
         <dependency.antlr.version>3.5.2</dependency.antlr.version>
         <dependency.jackson.version>2.11.2</dependency.jackson.version>
-        <dependency.jackson-databind.version>2.10.1</dependency.jackson-databind.version>
+        <dependency.jackson-databind.version>2.11.2</dependency.jackson-databind.version>
         <dependency.cxf.version>3.3.7</dependency.cxf.version>
         <dependency.opencmis.version>1.0.0</dependency.opencmis.version>
         <dependency.pdfbox.version>2.0.21</dependency.pdfbox.version>

remote-api/src/main/java/org/alfresco/rest/framework/jacksonextensions/JacksonHelper.java

@@ -82,9 +82,8 @@ public class JacksonHelper implements InitializingBean
         //Configure the objectMapper ready for use
         objectMapper = new ObjectMapper();
         objectMapper.registerModule(module);
-        objectMapper.setDefaultPropertyInclusion(JsonInclude.Include.NON_EMPTY);
-        objectMapper.configOverride(java.util.Map.class)
-                        .setInclude(JsonInclude.Value.construct(JsonInclude.Include.NON_EMPTY, null));
+        objectMapper.setDefaultPropertyInclusion(
+            JsonInclude.Value.construct(JsonInclude.Include.NON_EMPTY, JsonInclude.Include.ALWAYS));
         objectMapper.configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false);
         DateFormat DATE_FORMAT_ISO8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
         DATE_FORMAT_ISO8601.setTimeZone(TimeZone.getTimeZone("UTC"));

remote-api/src/test/java/org/alfresco/rest/api/tests/TestCustomTypeAspect.java

@@ -59,6 +59,35 @@ import org.junit.Test;
  */
 public class TestCustomTypeAspect extends BaseCustomModelApiTest
 {
+    @Test
+    public void testCreateCustomModel() throws Exception
+    {
+        setRequestContext(customModelAdmin);
+
+        String modelName = "testModel" + System.currentTimeMillis();
+        Pair<String, String> namespacePair = getTestNamespaceUriPrefixPair();
+        // Create the model as a Model Administrator
+        createCustomModel(modelName, namespacePair, ModelStatus.ACTIVE);
+
+        // Retrieve the created model
+        HttpResponse response = getSingle("cmm", modelName, 200);
+        CustomModel returnedModel = RestApiUtil
+            .parseRestApiEntry(response.getJsonResponse(), CustomModel.class);
+        assertNull(returnedModel.getTypes());
+        assertNull(returnedModel.getAspects());
+
+        // Retrieve the created model with its types and aspects 
+        // - empty arrays expected as we did not set any aspects, types or constraints
+        response = getSingle("cmm", modelName + SELECT_ALL, 200);
+        returnedModel = RestApiUtil
+            .parseRestApiEntry(response.getJsonResponse(), CustomModel.class);
+        assertNotNull(returnedModel.getTypes());
+        assertTrue(returnedModel.getTypes().isEmpty());
+        assertNotNull(returnedModel.getAspects());
+        assertTrue(returnedModel.getAspects().isEmpty());
+        assertNotNull(returnedModel.getConstraints());
+        assertTrue(returnedModel.getConstraints().isEmpty());
+    }
 
     @Test
     public void testCreateAspectsAndTypes_ExistingModel() throws Exception