From 1687b022f2b22bba498fc383b04a44843647dc9b Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Wed, 14 Apr 2021 18:42:16 -0700
Subject: [PATCH] Fix #3117
---
 release-notes/VERSION-2.x | 1 +
 .../databind/cfg/MapperConfigBase.java | 14 ++++++++--
 .../introspect/VisibilityChecker.java | 27 ++++++++++++++++++-
 3 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index da51e40acb..1b8f61d1c5 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -27,6 +27,7 @@ Project: jackson-databind
 (contributed by David H)
 #3099: Optimize "AnnotatedConstructor.call()" case by passing explicit null
 #3101: Add AnnotationIntrospector.XmlExtensions interface for decoupling javax dependencies
+#3117: Use more limiting default visibility settings for JDK types (java.*, javax.*)
 - Fix to avoid problem with `BigDecimalNode`, scale of `Integer.MIN_VALUE` (see [dataformats-binary#264] for details)
diff --git a/src/main/java/com/fasterxml/jackson/databind/cfg/MapperConfigBase.java b/src/main/java/com/fasterxml/jackson/databind/cfg/MapperConfigBase.java
index 3c17eceac8..478302856f 100644
--- a/src/main/java/com/fasterxml/jackson/databind/cfg/MapperConfigBase.java
+++ b/src/main/java/com/fasterxml/jackson/databind/cfg/MapperConfigBase.java
@@ -17,6 +17,7 @@
 import com.fasterxml.jackson.databind.jsontype.SubtypeResolver;
 import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;
 import com.fasterxml.jackson.databind.type.TypeFactory;
+import com.fasterxml.jackson.databind.util.ClassUtil;
 import com.fasterxml.jackson.databind.util.RootNameLookup;
 @SuppressWarnings("serial")
@@ -713,8 +714,17 @@ public final VisibilityChecker getDefaultVisibilityChecker()
 @Override // since 2.9
 public final VisibilityChecker getDefaultVisibilityChecker(Class baseType,
- AnnotatedClass actualClass) {
- VisibilityChecker vc = getDefaultVisibilityChecker();
+ AnnotatedClass actualClass)
+ {
+ // 14-Apr-2021, tatu: [databind#3117] JDK types should be limited
+ // to "public-only" regardless of settings for other types
+ VisibilityChecker vc;
+
+ if (ClassUtil.isJDKClass(baseType)) {
+ vc = VisibilityChecker.Std.allPublicInstance();
+ } else {
+ vc = getDefaultVisibilityChecker();
+ }
 AnnotationIntrospector intr = getAnnotationIntrospector();
 if (intr != null) {
 vc = intr.findAutoDetectVisibility(actualClass, vc);
diff --git a/src/main/java/com/fasterxml/jackson/databind/introspect/VisibilityChecker.java b/src/main/java/com/fasterxml/jackson/databind/introspect/VisibilityChecker.java
index 0cb7766746..019b824861 100644
--- a/src/main/java/com/fasterxml/jackson/databind/introspect/VisibilityChecker.java
+++ b/src/main/java/com/fasterxml/jackson/databind/introspect/VisibilityChecker.java
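Review bot: In `MapperConfigBase.getDefaultVisibilityChecker(Class, AnnotatedClass)` the `ClassUtil.isJDKClass(baseType)` branch discards the configured default instead of narrowing it, so a mapper whose global visibility is already stricter than public-only (auto-detection switched off, for example) would get wider detection for JDK types than it configured. The fixed checker is still handed to `intr.findAutoDetectVisibility(actualClass, vc)` right after, so annotation-driven settings can presumably still loosen it, which "regardless of settings for other types" does not make clear. I would reword the comment along the lines of `// [databind#3117] JDK types start from "public-only" rather than the configured default; annotation settings applied below may still adjust it`, and add a test covering a stricter-than-public default, since the diffstat lists no test file. The method body runs past the end of this hunk, so any later per-type override step is not visible here.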
@@ -169,13 +169,38 @@ public static class Std
 Visibility.PUBLIC_ONLY // field
 );
+ /**
+ * Alternate base settings used for JDK types: public visibility
+ * required for everything
+ *
+ * @since 2.13
+ */
+ protected final static Std ALL_PUBLIC = new Std(
+ Visibility.PUBLIC_ONLY, // getter
+ Visibility.PUBLIC_ONLY, // is-getter
+ Visibility.PUBLIC_ONLY, // setter
+ Visibility.PUBLIC_ONLY, // creator (single-arg ctors)
+ Visibility.PUBLIC_ONLY // field
+ );
+
 protected final Visibility _getterMinLevel;
 protected final Visibility _isGetterMinLevel;
 protected final Visibility _setterMinLevel;
 protected final Visibility _creatorMinLevel;
 protected final Visibility _fieldMinLevel;
-
+
+ /**
+ * @return Instance with default settings: "public" for getters/is-getters,
+ * fields; "any" for setters and legacy 1-arg constructors
+ */
 public static Std defaultInstance() { return DEFAULT; }
+
+ /**
+ * @return Instance with all visibility levels set to "public"
+ *
+ * @since 2.13
+ */
+ public static Std allPublicInstance() { return ALL_PUBLIC; }
 /**
 * Constructor used for building instance that has minumum visibility
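Review bot: The Javadoc added to `defaultInstance()` and `allPublicInstance()` in `VisibilityChecker.Std` consists of an `@return` tag only, so both methods have no summary sentence and the new public factory does not say what it is for. Since `ALL_PUBLIC` is documented as the base for JDK types, the accessor could carry that too, e.g. a first line `Accessor for the shared instance that requires public visibility for getters, is-getters, setters, creators and fields; used as the base for JDK types.` ahead of the `@return`. It would also help to state on `ALL_PUBLIC` that the instance is shared and must not be modified in place, if `Std` is in fact immutable; the class body is outside this hunk, so that is not verifiable here.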