Class BasicPolymorphicTypeValidator.Builder

java.lang.Object
tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator.Builder
Enclosing class:
BasicPolymorphicTypeValidator

public static class BasicPolymorphicTypeValidator.Builder extends Object
Builder class for configuring and constructing immutable BasicPolymorphicTypeValidator instances. Criteria for allowing polymorphic subtypes are specified by adding rules in priority order, starting with the rules to evaluate first: when a matching rule is found, its status (PolymorphicTypeValidator.Validity.ALLOWED or PolymorphicTypeValidator.Validity.DENIED) is used and no further rules are checked. When no rule matches, the result is PolymorphicTypeValidator.Validity.INDETERMINATE: for a base type this means the sub-type rules are consulted next, while for a sub-type it is treated as a rejection. The validator is therefore an allow-list: a sub-type that no rule allows is refused even though it is assignment-compatible with the declared base type. Note that the validator is only consulted for class-name based type ids (JsonTypeInfo.Id.CLASS and JsonTypeInfo.Id.MINIMAL_CLASS, including "default typing"); JsonTypeInfo.Id.NAME resolution relies on registered sub-types instead.
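An added end-to-end example (not part of the Jackson Javadoc or code base) showing the allow-list semantics described above: a base type with a single sub-type allow rule, plus an exact-base-type deny rule for java.lang.Object. It assumes Jackson 3.x (tools.jackson packages) and uses hypothetical application classes in a hypothetical com.example.shapes package.

```java
package com.example.shapes;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import tools.jackson.databind.ObjectMapper;
import tools.jackson.databind.exc.InvalidTypeIdException;
import tools.jackson.databind.json.JsonMapper;
import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import tools.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PtvDemo {

    // Hypothetical polymorphic base type. Type id is the fully-qualified class
    // name, which is exactly the kind of id the validator exists to police.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    public abstract static class Shape { }

    public static class Circle extends Shape { public double r; }

    public static class Square extends Shape { public double side; }

    // Holder whose declared base type is java.lang.Object: the most dangerous
    // base, because every class on the classpath is assignment-compatible.
    public static class AnyHolder {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    public static void main(String[] args) {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // Refuse to resolve any class name when the declared base type is exactly Object
                .denyForExactBaseType(Object.class)
                // Allow-list: only Circle (and its subclasses) may be named as a sub-type
                .allowIfSubType(Circle.class)
                .build();

        // Applies the validator to annotation-based (explicit) polymorphic typing
        ObjectMapper mapper = JsonMapper.builder()
                .polymorphicTypeValidator(ptv)
                .build();

        // 1. Allowed: Circle matches the allowIfSubType rule.
        String circleJson = "{\"@class\":\"" + Circle.class.getName() + "\",\"r\":2.5}";
        Shape s = mapper.readValue(circleJson, Shape.class);
        System.out.println("accepted: " + s.getClass().getSimpleName());

        // 2. Denied: Square IS a legal Shape sub-type, but no rule allows it, so the
        //    validator answers INDETERMINATE and Jackson refuses the type id.
        String squareJson = "{\"@class\":\"" + Square.class.getName() + "\",\"side\":1.0}";
        try {
            mapper.readValue(squareJson, Shape.class);
            System.out.println("unexpected: Square accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("denied sub-type: " + e.getMessage());
        }

        // 3. Denied at the base type: with Object declared, even the allow-listed Circle
        //    cannot be resolved, because denyForExactBaseType fires before any sub-type rule.
        String anyJson = "{\"payload\":{\"@class\":\"" + Circle.class.getName() + "\",\"r\":1.0}}";
        try {
            mapper.readValue(anyJson, AnyHolder.class);
            System.out.println("unexpected: Object base accepted");
        } catch (RuntimeException e) {
            // Jackson 3 databind exceptions are unchecked; the concrete type thrown for a
            // denied base type is a detail of the Jackson version in use.
            System.out.println("denied base type: " + e.getClass().getSimpleName());
        }
    }
}
```

The important property of case 2 is that assignment-compatibility is not enough: Square is rejected purely because it is absent from the allow-list. Case 3 shows why denyForExactBaseType(Object.class) is a sensible first rule when input is untrusted; an Object-typed polymorphic property otherwise makes every class on the classpath a candidate.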
  • Field Details

    • _invalidBaseTypes

      protected Set<Class<?>> _invalidBaseTypes
      Optional set of base types (exact match) that are NOT accepted as base types for polymorphic properties. May be used to prevent "unsafe" base types like Object or Serializable.
    • _baseTypeMatchers

      protected List<BasicPolymorphicTypeValidator.TypeMatcher> _baseTypeMatchers
      Collected matchers for base types to allow.
    • _subTypeNameMatchers

      protected List<BasicPolymorphicTypeValidator.NameMatcher> _subTypeNameMatchers
      Collected name-based matchers for sub types to allow.
    • _subTypeClassMatchers

      protected List<BasicPolymorphicTypeValidator.TypeMatcher> _subTypeClassMatchers
      Collected Class-based matchers for sub types to allow.
    • _acceptArrayTypes

      protected boolean _acceptArrayTypes
      [databind#5981]: when true, validateSubType() unwraps arrays (recursively for nested arrays) and validates the innermost element type against _subTypeClassMatchers as well as _subTypeNameMatchers (the latter added by [databind#5988]).
  • Constructor Details

    • Builder

      protected Builder()
  • Method Details

    • allowIfBaseType

      public BasicPolymorphicTypeValidator.Builder allowIfBaseType(Class<?> baseOfBase)
      Method for appending a matcher that allows all subtypes when the nominal base type is the specified class or one of its subtypes. For example, the call
          builder.allowIfBaseType(MyBaseType.class)
      
      indicates that any polymorphic property whose declared base type is MyBaseType (or a subclass thereof) allows all legal (assignment-compatible) subtypes. Once a base type is allowed, no sub-type rules are consulted for values of that property, so use this only for base types whose entire subtype hierarchy is trusted.
    • allowIfBaseType

      public BasicPolymorphicTypeValidator.Builder allowIfBaseType(Pattern patternForBase)
      Method for appending a matcher that allows all subtypes when the nominal base type's class name matches the given Pattern. For example, the call
          builder.allowIfBaseType(Pattern.compile("com\\.mycompany\\..*"))
      
      indicates that any polymorphic property whose declared base type is in package com.mycompany (or a sub-package) allows all legal (assignment-compatible) subtypes.

      NOTE! Pattern match is applied using if (patternForBase.matcher(typeId).matches()) { } that is, the pattern must match the whole class name, not just part of it: a pattern without a trailing .* (or equivalent) matches no class at all.

    • allowIfBaseType

      public BasicPolymorphicTypeValidator.Builder allowIfBaseType(String prefixForBase)
      Method for appending a matcher that allows all subtypes when the nominal base type's class name starts with the specified prefix. For example, the call
          builder.allowIfBaseType("com.mycompany.")
      
      indicates that any polymorphic property whose declared base type is in package com.mycompany (or a sub-package) allows all legal (assignment-compatible) subtypes.
    • allowIfBaseType

      public BasicPolymorphicTypeValidator.Builder allowIfBaseType(BasicPolymorphicTypeValidator.TypeMatcher matcher)
      Method for appending a custom matcher called with the base type: if the matcher returns true, all possible subtypes are accepted; if false, the remaining matchers are applied.
      Parameters:
      matcher - Custom matcher to apply to base type
      Returns:
      This Builder to allow call chaining
    • denyForExactBaseType

      public BasicPolymorphicTypeValidator.Builder denyForExactBaseType(Class<?> baseTypeToDeny)
      Method for appending a rule that marks polymorphic properties whose declared base type is exactly the given class (subclasses are not affected) as invalid. For example, the call
          builder.denyForExactBaseType(Object.class)
      
      indicates that any polymorphic property whose declared base type is java.lang.Object is deemed invalid, and an attempt to deserialize values of such a type results in an exception.
    • allowIfSubType

      public BasicPolymorphicTypeValidator.Builder allowIfSubType(Class<?> subTypeBase)
      Method for appending a matcher that allows a specific subtype (regardless of declared base type) if it is subTypeBase or a subtype of it. For example, the call
          builder.allowIfSubType(MyImplType.class)
      
      indicates that any polymorphic value whose type is MyImplType (or a subclass thereof) is allowed.
    • allowIfSubType

      public BasicPolymorphicTypeValidator.Builder allowIfSubType(Pattern patternForSubType)
      Method for appending a matcher that allows a specific subtype (regardless of declared base type) when the subclass name matches the given Pattern. For example, the call
          builder.allowIfSubType(Pattern.compile("com\\.mycompany\\..*"))
      
      indicates that any polymorphic value whose class is in package com.mycompany (or a sub-package) is allowed.

      NOTE! Pattern match is applied using if (patternForSubType.matcher(typeId).matches()) { } that is, the pattern must match the whole class name, not just part of it: a pattern such as "com\\.mycompany\\." without a trailing .* matches no class at all.

    • allowIfSubType

      public BasicPolymorphicTypeValidator.Builder allowIfSubType(String prefixForSubType)
      Method for appending a matcher that allows a specific subtype (regardless of declared base type) when the subclass name starts with the specified prefix. For example, the call
          builder.allowIfSubType("com.mycompany.")
      
      indicates that any polymorphic value whose class is in package com.mycompany (or a sub-package) is allowed. Include the trailing dot: a prefix such as "com.mycompany" would also match classes in an unrelated package like com.mycompanyx.
    • allowIfSubType

      public BasicPolymorphicTypeValidator.Builder allowIfSubType(BasicPolymorphicTypeValidator.TypeMatcher matcher)
      Method for appending a custom matcher called with the resolved subtype: if the matcher returns true, the type is accepted; if false, the remaining matchers are applied.
      Parameters:
      matcher - Custom matcher to apply to resolved subtype
      Returns:
      This Builder to allow call chaining
    • allowIfSubTypeIsArray

      public BasicPolymorphicTypeValidator.Builder allowIfSubTypeIsArray()
      Method for enabling validation of Java array sub-types: when called, the validator unwraps any array (recursively for nested arrays) and validates the innermost element type against the configured sub-class matchers. Arrays of primitive, abstract, or interface element types are accepted without an explicit allow-list entry: primitives can't carry gadget chains; abstract / interface elements are not directly instantiable and rely on per-element type-id resolution which itself runs the polymorphic type validator on the concrete sub-type.

      NOTE: the array-element check runs as part of validateSubType(), so it only applies when name-based sub-type matchers (see allowIfSubType(Pattern) / allowIfSubType(String)) have NOT already approved the array's class name -- per DatabindContext.resolveAndValidateSubType(tools.jackson.databind.JavaType, java.lang.String, tools.jackson.databind.jsontype.PolymorphicTypeValidator), a validateSubClassName of ALLOWED skips the subsequent validateSubType call. In practice typical name matchers do not match array class names (which start with [L / [I etc.), so this is normally not a concern.

      NOTE (behavior change in 3.1.4 for [databind#5981]): prior versions added a matcher that approved every array regardless of element type, which let an attacker bypass an explicit sub-class allow-list by wrapping a denied class as an array (e.g. Evil[]) -- the array matched, the component was instantiated via plain bean deserialization without any further validator invocation. Callers that relied on "allow every array" must now also allow-list the element types they intend to accept.

      NOTE: not used with other Java collection types (Lists, Collections), mostly since use of generic types as polymorphic values is not (well) supported.
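An added example (not part of the Jackson Javadoc or code base) of the array unwrapping described above. It assumes Jackson 3.1.4 or later (tools.jackson packages, [databind#5981] behaviour) and hypothetical application classes in a hypothetical com.example.shapes package. Jackson itself produces the wire format, so the example does not depend on hand-written array type ids.

```java
package com.example.shapes;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import tools.jackson.databind.ObjectMapper;
import tools.jackson.databind.exc.InvalidTypeIdException;
import tools.jackson.databind.json.JsonMapper;
import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class ArrayPtvDemo {

    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    public abstract static class Shape { }

    public static class Circle extends Shape { public double r; }

    public static class Square extends Shape { public double side; }

    // Declared base type Object: an incoming type id may name ANY class, including
    // array classes such as "[Lcom.example.shapes.ArrayPtvDemo$Square;".
    public static class Holder {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Same sub-type allow-list in both cases; only the array rule differs.
    static ObjectMapper mapper(boolean acceptArrays) {
        BasicPolymorphicTypeValidator.Builder b = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class);
        if (acceptArrays) {
            b = b.allowIfSubTypeIsArray();
        }
        return JsonMapper.builder().polymorphicTypeValidator(b.build()).build();
    }

    static String attempt(ObjectMapper mapper, String json) {
        try {
            Holder h = mapper.readValue(json, Holder.class);
            return "ALLOWED " + h.payload.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return "DENIED  " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Circle c = new Circle();
        c.r = 1.0;
        Square sq = new Square();
        sq.side = 2.0;

        // Constructed input: let a plain mapper serialize arrays under the Object base.
        // Serialization never consults the validator, so the Square[] document is produced
        // just as an attacker could craft it by hand.
        ObjectMapper writer = JsonMapper.builder().build();
        Holder hc = new Holder();
        hc.payload = new Circle[] { c };
        Holder hs = new Holder();
        hs.payload = new Square[] { sq };
        String circles = writer.writeValueAsString(hc);
        String squares = writer.writeValueAsString(hs);

        // Without allowIfSubTypeIsArray(): the sub-type is the class Circle[], which no
        // class matcher accepts, so even an array of the allowed element type is refused.
        System.out.println(attempt(mapper(false), circles));

        // With it: Circle[] is unwrapped to Circle, which matches allowIfSubType(Circle.class).
        System.out.println(attempt(mapper(true), circles));

        // With it: Square[] is unwrapped to Square, which no rule allows, so the id is
        // refused. Before 3.1.4 any array was accepted here regardless of element type.
        System.out.println(attempt(mapper(true), squares));
    }
}
```

The third case is the one that matters for review: a sub-type allow-list is only as strong as its treatment of wrappers, and with the 3.1.4 behaviour an array type id grants no more than its element type would on its own.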

    • allowSubTypesWithExplicitDeserializer

      public BasicPolymorphicTypeValidator.Builder allowSubTypesWithExplicitDeserializer()
      Method for appending a matcher that allows all subtypes for which a ValueDeserializer is explicitly provided either by jackson-databind itself or by one of the registered JacksonModules. The determination is implemented by calling DeserializerFactory.hasExplicitDeserializerFor(tools.jackson.databind.DatabindContext, java.lang.Class<?>).

      In practice this matcher should remove the need to register any standard Jackson-supported JDK types, as well as most if not all 3rd party types; leaving only POJOs and those 3rd party types that are not supported by relevant modules. In turn this should not open security holes to "gadget" types since insecure types should not be supported by datatype modules. For highest security cases (where input is untrusted) it is still preferable to add more specific allow-rules, if possible.

      NOTE: Modules need to provide support for detection so if 3rd party types do not seem to be supported, Module in question may need to be updated to indicate existence of explicit deserializers.
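An added example (not part of the Jackson Javadoc or code base) of what this matcher does and does not accept: JDK types with built-in deserializers pass, an application POJO does not. It assumes Jackson 3.x (tools.jackson packages) and a hypothetical com.example.shapes package with a hypothetical Ticket class.

```java
package com.example.shapes;

import java.util.ArrayList;
import java.util.List;
import java.util.UUID;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import tools.jackson.databind.ObjectMapper;
import tools.jackson.databind.exc.InvalidTypeIdException;
import tools.jackson.databind.json.JsonMapper;
import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class ExplicitDeserializerPtvDemo {

    public static class Holder {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Plain application POJO: jackson-databind has no explicit deserializer for it,
    // it is handled by generic bean deserialization, so the matcher does not fire.
    public static class Ticket { public String id; }

    static String attempt(ObjectMapper mapper, String json) {
        try {
            Holder h = mapper.readValue(json, Holder.class);
            return "ALLOWED " + h.payload.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return "DENIED  " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = JsonMapper.builder()
                .polymorphicTypeValidator(BasicPolymorphicTypeValidator.builder()
                        // The only rule: accept types that have an explicit deserializer
                        .allowSubTypesWithExplicitDeserializer()
                        .build())
                .build();

        // Constructed input, serialized by a plain mapper (serialization does not
        // consult the validator).
        ObjectMapper writer = JsonMapper.builder().build();

        Holder u = new Holder();
        u.payload = UUID.randomUUID();                       // java.util.UUID
        Holder l = new Holder();
        l.payload = new ArrayList<>(List.of("a", "b"));     // java.util.ArrayList
        Holder t = new Holder();
        t.payload = new Ticket();                            // application POJO
        ((Ticket) t.payload).id = "T-1";

        // UUID and ArrayList have explicit JDK deserializers, so they are allowed
        // without any per-type allow rule.
        System.out.println(attempt(mapper, writer.writeValueAsString(u)));
        System.out.println(attempt(mapper, writer.writeValueAsString(l)));

        // Ticket has none, so it is refused: POJOs still need an explicit rule such as
        // allowIfSubType(Ticket.class) or a package prefix.
        System.out.println(attempt(mapper, writer.writeValueAsString(t)));
    }
}
```

For untrusted input this is a convenience rule, not a substitute for naming the types an endpoint actually expects: combine it with allowIfSubType rules for the POJOs you need and keep denyForExactBaseType(Object.class) in front of it unless an Object-typed property is genuinely required.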

    • build

    • _appendBaseMatcher

    • _appendSubNameMatcher

    • _appendSubClassMatcher