com.fasterxml.jackson.databind.jsontype

Class BasicPolymorphicTypeValidator.Builder

java.lang.Object

com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator.Builder

Enclosing class:

BasicPolymorphicTypeValidator

public static class BasicPolymorphicTypeValidator.Builder
extends Object

Builder class for configuring and constructing immutable BasicPolymorphicTypeValidator instances. Criteria for allowing polymorphic subtypes is specified by adding rules in priority order, starting with the rules to evaluate first: when a matching rule is found, its status (PolymorphicTypeValidator.Validity.ALLOWED or PolymorphicTypeValidator.Validity.DENIED) is used and no further rules are checked.

Field Summary

Fields

Modifier and Type	Field and Description
protected boolean	_acceptArrayTypes [databind#5981]: when true, validateSubType() unwraps arrays (recursively for nested arrays) and validates the innermost element type against _subTypeClassMatchers as well as _subTypeNameMatchers (the latter added by [databind#5988]).
protected List<BasicPolymorphicTypeValidator.TypeMatcher>	_baseTypeMatchers Collected matchers for base types to allow.
protected Set<Class<?>>	_invalidBaseTypes Optional set of base types (exact match) that are NOT accepted as base types for polymorphic properties.
protected List<BasicPolymorphicTypeValidator.TypeMatcher>	_subTypeClassMatchers Collected Class-based matchers for sub types to allow.
protected List<BasicPolymorphicTypeValidator.NameMatcher>	_subTypeNameMatchers Collected name-based matchers for sub types to allow.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	Builder()

Method Summary

Modifier and Type	Method and Description
protected BasicPolymorphicTypeValidator.Builder	_appendBaseMatcher(BasicPolymorphicTypeValidator.TypeMatcher matcher)
protected BasicPolymorphicTypeValidator.Builder	_appendSubClassMatcher(BasicPolymorphicTypeValidator.TypeMatcher matcher)
protected BasicPolymorphicTypeValidator.Builder	_appendSubNameMatcher(BasicPolymorphicTypeValidator.NameMatcher matcher)
BasicPolymorphicTypeValidator.Builder	allowIfBaseType(BasicPolymorphicTypeValidator.TypeMatcher matcher) Method for appending custom matcher called with base type: if matcher returns true, all possible subtypes will be accepted; if false, other matchers are applied.
BasicPolymorphicTypeValidator.Builder	allowIfBaseType(Class<?> baseOfBase) Method for appending matcher that will allow all subtypes in cases where nominal base type is specified class, or one of its subtypes.
BasicPolymorphicTypeValidator.Builder	allowIfBaseType(Pattern patternForBase) Method for appending matcher that will allow all subtypes in cases where nominal base type's class name matches given Pattern For example, call to builder.allowIfBaseType(Pattern.compile("com\\.mycompany\\..*") would indicate that any polymorphic properties where declared base type is in package com.mycompany would allow all legal (assignment-compatible) subtypes.
BasicPolymorphicTypeValidator.Builder	allowIfBaseType(String prefixForBase) Method for appending matcher that will allow all subtypes in cases where nominal base type's class name starts with specific prefix.
BasicPolymorphicTypeValidator.Builder	allowIfSubType(BasicPolymorphicTypeValidator.TypeMatcher matcher) Method for appending custom matcher called with resolved subtype: if matcher returns true, type will be accepted; if false, other matchers are applied.
BasicPolymorphicTypeValidator.Builder	allowIfSubType(Class<?> subTypeBase) Method for appending matcher that will allow specific subtype (regardless of declared base type) if it is subTypeBase or its subtype.
BasicPolymorphicTypeValidator.Builder	allowIfSubType(Pattern patternForSubType) Method for appending matcher that will allow specific subtype (regardless of declared base type) in cases where subclass name matches given Pattern.
BasicPolymorphicTypeValidator.Builder	allowIfSubType(String prefixForSubType) Method for appending matcher that will allow specific subtype (regardless of declared base type) in cases where subclass name starts with specified prefix For example, call to builder.allowIfSubType("com.mycompany.")
BasicPolymorphicTypeValidator.Builder	allowIfSubTypeIsArray() Method for enabling validation of Java array sub-types: when called, the validator unwraps any array (recursively for nested arrays) and validates the innermost element type against the configured sub-class matchers.
BasicPolymorphicTypeValidator	build()
BasicPolymorphicTypeValidator.Builder	denyForExactBaseType(Class<?> baseTypeToDeny) Method for appending matcher that will mark any polymorphic properties with exact specific class to be invalid.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

_invalidBaseTypes

protected Set<Class<?>> _invalidBaseTypes

Optional set of base types (exact match) that are NOT accepted as base types for polymorphic properties. May be used to prevent "unsafe" base types like Object or Serializable.

_baseTypeMatchers

protected List<BasicPolymorphicTypeValidator.TypeMatcher> _baseTypeMatchers

Collected matchers for base types to allow.

_subTypeNameMatchers

protected List<BasicPolymorphicTypeValidator.NameMatcher> _subTypeNameMatchers

Collected name-based matchers for sub types to allow.

_subTypeClassMatchers

protected List<BasicPolymorphicTypeValidator.TypeMatcher> _subTypeClassMatchers

Collected Class-based matchers for sub types to allow.

_acceptArrayTypes

protected boolean _acceptArrayTypes

[databind#5981]: when true, validateSubType() unwraps arrays (recursively for nested arrays) and validates the innermost element type against _subTypeClassMatchers as well as _subTypeNameMatchers (the latter added by [databind#5988]).

Since:

2.18.8

Constructor Detail

Builder

protected Builder()

Method Detail

allowIfBaseType

public BasicPolymorphicTypeValidator.Builder allowIfBaseType(Class<?> baseOfBase)

Method for appending matcher that will allow all subtypes in cases where nominal base type is specified class, or one of its subtypes. For example, call to

    builder.allowIfBaseType(MyBaseType.class)

would indicate that any polymorphic properties where declared base type is MyBaseType (or subclass thereof) would allow all legal (assignment-compatible) subtypes.

allowIfBaseType

public BasicPolymorphicTypeValidator.Builder allowIfBaseType(Pattern patternForBase)

Method for appending matcher that will allow all subtypes in cases where nominal base type's class name matches given Pattern For example, call to

    builder.allowIfBaseType(Pattern.compile("com\\.mycompany\\..*")

would indicate that any polymorphic properties where declared base type is in package com.mycompany would allow all legal (assignment-compatible) subtypes.

NOTE! Pattern match is applied using if (patternForBase.matcher(typeId).matches()) { } that is, it must match the whole class name, not just part.

allowIfBaseType

public BasicPolymorphicTypeValidator.Builder allowIfBaseType(String prefixForBase)

Method for appending matcher that will allow all subtypes in cases where nominal base type's class name starts with specific prefix. For example, call to

    builder.allowIfBaseType("com.mycompany.")

would indicate that any polymorphic properties where declared base type is in package com.mycompany would allow all legal (assignment-compatible) subtypes.

allowIfBaseType

public BasicPolymorphicTypeValidator.Builder allowIfBaseType(BasicPolymorphicTypeValidator.TypeMatcher matcher)

Method for appending custom matcher called with base type: if matcher returns true, all possible subtypes will be accepted; if false, other matchers are applied.

Parameters:

matcher - Custom matcher to apply to base type

Returns:

This Builder to allow call chaining

Since:

2.11

denyForExactBaseType

public BasicPolymorphicTypeValidator.Builder denyForExactBaseType(Class<?> baseTypeToDeny)

Method for appending matcher that will mark any polymorphic properties with exact specific class to be invalid. For example, call to

    builder.denyforExactBaseType(Object.class)

would indicate that any polymorphic properties where declared base type is java.lang.Object would be deemed invalid, and attempt to deserialize values of such types should result in an exception.

allowIfSubType

public BasicPolymorphicTypeValidator.Builder allowIfSubType(Class<?> subTypeBase)

Method for appending matcher that will allow specific subtype (regardless of declared base type) if it is subTypeBase or its subtype. For example, call to

    builder.allowIfSubType(MyImplType.class)

would indicate that any polymorphic values with type of is MyImplType (or subclass thereof) would be allowed.

allowIfSubType

public BasicPolymorphicTypeValidator.Builder allowIfSubType(Pattern patternForSubType)

Method for appending matcher that will allow specific subtype (regardless of declared base type) in cases where subclass name matches given Pattern. For example, call to

    builder.allowIfSubType(Pattern.compile("com\\.mycompany\\.")

would indicate that any polymorphic values in package com.mycompany would be allowed.

NOTE! Pattern match is applied using if (patternForSubType.matcher(typeId).matches()) { } that is, it must match the whole class name, not just part.

allowIfSubType

public BasicPolymorphicTypeValidator.Builder allowIfSubType(String prefixForSubType)

Method for appending matcher that will allow specific subtype (regardless of declared base type) in cases where subclass name starts with specified prefix For example, call to

    builder.allowIfSubType("com.mycompany.")

would indicate that any polymorphic values in package com.mycompany would be allowed.

allowIfSubType

public BasicPolymorphicTypeValidator.Builder allowIfSubType(BasicPolymorphicTypeValidator.TypeMatcher matcher)

Method for appending custom matcher called with resolved subtype: if matcher returns true, type will be accepted; if false, other matchers are applied.

Parameters:

matcher - Custom matcher to apply to resolved subtype

Returns:

This Builder to allow call chaining

Since:

2.11

allowIfSubTypeIsArray

public BasicPolymorphicTypeValidator.Builder allowIfSubTypeIsArray()

Method for enabling validation of Java array sub-types: when called, the validator unwraps any array (recursively for nested arrays) and validates the innermost element type against the configured sub-class matchers. Arrays of primitive, abstract, or interface element types are accepted without an explicit allow-list entry: primitives can't carry gadget chains; abstract / interface elements are not directly instantiable and rely on per-element type-id resolution which itself runs the polymorphic type validator on the concrete sub-type.

NOTE: the array-element check runs as part of validateSubType(), so it only applies when name-based sub-type matchers (see allowIfSubType(Pattern) / allowIfSubType(String)) have NOT already approved the array's class name -- per DatabindContext.resolveAndValidateSubType(com.fasterxml.jackson.databind.JavaType, java.lang.String, com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator), a validateSubClassName of ALLOWED skips the subsequent validateSubType call. In practice typical name matchers do not match array class names (which start with [L / [I etc.), so this is normally not a concern.

NOTE (behavior change in 2.18.8 for [databind#5981]): prior versions added a matcher that approved every array regardless of element type, which let an attacker bypass an explicit sub-class allow-list by wrapping a denied class as an array (e.g. Evil[]) -- the array matched, the component was instantiated via plain bean deserialization without any further validator invocation. Callers that relied on "allow every array" must now also allow-list the element types they intend to accept.

NOTE: not used with other Java collection types (Lists, Collections), mostly since use of generic types as polymorphic values is not (well) supported.

Since:

2.11

build

public BasicPolymorphicTypeValidator build()

_appendBaseMatcher

protected BasicPolymorphicTypeValidator.Builder _appendBaseMatcher(BasicPolymorphicTypeValidator.TypeMatcher matcher)

_appendSubNameMatcher

protected BasicPolymorphicTypeValidator.Builder _appendSubNameMatcher(BasicPolymorphicTypeValidator.NameMatcher matcher)

_appendSubClassMatcher

protected BasicPolymorphicTypeValidator.Builder _appendSubClassMatcher(BasicPolymorphicTypeValidator.TypeMatcher matcher)