Upgraded jackson dependency to 2.8.8 - CVE-2016-7051. Issue #1264. Re…

…ported by Philippe Perrault.
restlet · May 27, 2017 · 7340432 · 7340432
1 parent c9f6dff
commit 7340432
Show file tree

Hide file tree

Showing 27 changed files with 20 additions and 9 deletions.
diff --git a/build/tmpl/text/changes.txt b/build/tmpl/text/changes.txt
@@ -5,6 +5,9 @@ Changes log
 
 
 @version-full@ (@release-date@)
+    - Vulnerabilities fixed
+       - Upgraded jackson dependency to 2.8.8 - CVE-2016-7051. Issue #1264.
+         Reported by Philippe Perrault.
     - Bugs fixed
        - Invalid max-age value for cookie settings replaced by Integer.MAX_VALUE constant. Issue #1251.
          Reported by Chad Gatesman.

diff --git a/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.annotations.jar b/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.annotations.jar
diff --git a/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.core.jar b/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.core.jar
diff --git a/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.csv.jar b/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.csv.jar
diff --git a/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.databind.jar b/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.databind.jar
diff --git a/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.jaxb.jar b/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.jaxb.jar
diff --git a/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.jsonschema.jar b/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.jsonschema.jar
diff --git a/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.smile.jar b/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.smile.jar
diff --git a/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.xml.jar b/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.xml.jar
diff --git a/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.yaml.jar b/libraries/com.fasterxml.jackson_2.4/com.fasterxml.jackson.yaml.jar
diff --git a/...ries/com.fasterxml.jackson_2.4/.classpath → ...ries/com.fasterxml.jackson_2.8/.classpath b/...ries/com.fasterxml.jackson_2.4/.classpath → ...ries/com.fasterxml.jackson_2.8/.classpath
diff --git a/...ries/com.fasterxml.jackson_2.4/.gitignore → ...ries/com.fasterxml.jackson_2.8/.gitignore b/...ries/com.fasterxml.jackson_2.4/.gitignore → ...ries/com.fasterxml.jackson_2.8/.gitignore
diff --git a/libraries/com.fasterxml.jackson_2.4/.project → libraries/com.fasterxml.jackson_2.8/.project b/libraries/com.fasterxml.jackson_2.4/.project → libraries/com.fasterxml.jackson_2.8/.project
diff --git a/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.annotations.jar b/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.annotations.jar
diff --git a/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.core.jar b/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.core.jar
diff --git a/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.csv.jar b/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.csv.jar
diff --git a/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.databind.jar b/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.databind.jar
diff --git a/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.jaxb.jar b/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.jaxb.jar
diff --git a/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.jsonschema.jar b/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.jsonschema.jar
diff --git a/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.smile.jar b/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.smile.jar
diff --git a/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.xml.jar b/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.xml.jar
diff --git a/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.yaml.jar b/libraries/com.fasterxml.jackson_2.8/com.fasterxml.jackson.yaml.jar
diff --git a/...ies/com.fasterxml.jackson_2.4/library.xml → ...ies/com.fasterxml.jackson_2.8/library.xml b/...ies/com.fasterxml.jackson_2.4/library.xml → ...ies/com.fasterxml.jackson_2.8/library.xml
@@ -1,8 +1,8 @@
 <library id="jackson" symbolicName="com.fasterxml.jackson">
 	<name>High-performance JSON processor</name>
 	<description>High-performance JSON processor</description>
-	<version>2.4</version>
-	<release>4</release>
+	<version>2.8</version>
+	<release>8</release>
 	<homeUri>http://jackson.codehaus.org/</homeUri>
 	<downloadUri>http://wiki.fasterxml.com/JacksonDownload</downloadUri>
 	<provider>The Codehaus foundation</provider>

diff --git a/...ies/com.fasterxml.jackson_2.4/license.txt → ...ies/com.fasterxml.jackson_2.8/license.txt b/...ies/com.fasterxml.jackson_2.4/license.txt → ...ies/com.fasterxml.jackson_2.8/license.txt
diff --git a/...ries/com.fasterxml.jackson_2.4/readme.txt → ...ries/com.fasterxml.jackson_2.8/readme.txt b/...ries/com.fasterxml.jackson_2.4/readme.txt → ...ries/com.fasterxml.jackson_2.8/readme.txt
diff --git a/.../org/restlet/ext/apispark/internal/introspection/application/RepresentationCollector.java b/.../org/restlet/ext/apispark/internal/introspection/application/RepresentationCollector.java
@@ -50,6 +50,9 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonPropertyDescription;
 import com.fasterxml.jackson.annotation.JsonRootName;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationConfig;
 import com.fasterxml.jackson.databind.introspect.AnnotatedClass;
 import com.fasterxml.jackson.databind.introspect.JacksonAnnotationIntrospector;
 
@@ -118,10 +121,12 @@ public static void addRepresentation(CollectInfo collectInfo,
             if (typeInfo.isPojo()) {
                 // add properties definition
 
-                BeanInfo beanInfo = BeanInfoUtils.getBeanInfo(typeInfo
-                        .getRepresentationClazz());
+                BeanInfo beanInfo = BeanInfoUtils.getBeanInfo(typeInfo.getRepresentationClazz());
 
-                JsonIgnoreProperties jsonIgnorePropertiesAnnotation = AnnotatedClass.construct(typeInfo.getRepresentationClazz(), new JacksonAnnotationIntrospector(), null).getAnnotation(JsonIgnoreProperties.class);
+                ObjectMapper mapper = new ObjectMapper();
+                JsonIgnoreProperties jsonIgnorePropertiesAnnotation = AnnotatedClass
+                        .construct(mapper.constructType(typeInfo.getRepresentationClazz()), mapper.getSerializationConfig())
+                        .getAnnotation(JsonIgnoreProperties.class);
                 List<String> jsonIgnoreProperties = jsonIgnorePropertiesAnnotation == null ? null : Arrays.asList(jsonIgnorePropertiesAnnotation.value());
 
                 for (PropertyDescriptor pd : beanInfo.getPropertyDescriptors()) {

diff --git a/...apispark/src/org/restlet/ext/apispark/internal/introspection/jaxrs/JaxRsIntrospector.java b/...apispark/src/org/restlet/ext/apispark/internal/introspection/jaxrs/JaxRsIntrospector.java
@@ -91,6 +91,9 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonPropertyDescription;
 import com.fasterxml.jackson.annotation.JsonRootName;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationConfig;
 import com.fasterxml.jackson.databind.introspect.AnnotatedClass;
 import com.fasterxml.jackson.databind.introspect.JacksonAnnotationIntrospector;
 
@@ -334,12 +337,12 @@ private static void addRepresentation(CollectInfo collectInfo,
 
             if (typeInfo.isPojo()) {
                 // add properties definition
-                BeanInfo beanInfo = BeanInfoUtils.getBeanInfo(typeInfo
-                        .getRepresentationClazz());
+                BeanInfo beanInfo = BeanInfoUtils.getBeanInfo(typeInfo.getRepresentationClazz());
 
+
+                ObjectMapper mapper = new ObjectMapper();
                 JsonIgnoreProperties jsonIgnorePropertiesAnnotation = AnnotatedClass
-                        .construct(typeInfo.getRepresentationClazz(),
-                                new JacksonAnnotationIntrospector(), null)
+                        .construct(mapper.constructType(typeInfo.getRepresentationClazz()), mapper.getSerializationConfig())
                         .getAnnotation(JsonIgnoreProperties.class);
                 List<String> jsonIgnoreProperties = jsonIgnorePropertiesAnnotation == null ? null
                         : Arrays.asList(jsonIgnorePropertiesAnnotation.value());