Merge branch '2.19' into 4388-try-another

Author: JooHyukKim

pom.xml

@@ -154,6 +154,22 @@
       <version>${version.mockito}</version>
       <scope>test</scope>
     </dependency>
+
+    <!-- Dependencies for testing "type pollution", see:
+         https://github.com/FasterXML/jackson-databind/pull/4848
+      -->
+    <dependency>
+      <groupId>org.junit.platform</groupId>
+      <artifactId>junit-platform-suite-engine</artifactId>
+      <version>1.10.2</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.micronaut.test</groupId>
+      <artifactId>micronaut-test-type-pollution</artifactId>
+      <version>4.6.2</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <!-- Alas, need to include snapshot reference since otherwise can not find
@@ -213,6 +229,7 @@
           <excludes>
             <exclude>com.fasterxml.jackson.databind.MapperFootprintTest</exclude>
           </excludes>
+          <test>com.fasterxml.jackson.databind.PrimarySuite</test>
           <!-- 26-Nov-2019, tatu: moar parallelism! Per-class basis, safe, efficient enough
                   ... although not 100% sure this makes much difference TBH
             -->
@@ -227,8 +244,8 @@
         <artifactId>maven-javadoc-plugin</artifactId>
         <configuration>
           <links combine.children="append">
-            <link>https://fasterxml.github.io/jackson-annotations/javadoc/2.16</link>
-            <link>https://fasterxml.github.io/jackson-core/javadoc/2.16</link>
+            <link>https://javadoc.io/doc/com.fasterxml.jackson.core/jackson-annotations/2.19.0</link>>
+            <link>https://javadoc.io/doc/com.fasterxml.jackson.core/jackson-core/2.19.0</link>>
           </links>
         </configuration>
       </plugin>
@@ -386,6 +403,19 @@
             <configuration>
               <argLine>--add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED</argLine>
             </configuration>
+            <executions>
+              <execution>
+                <id>type-pollution-test</id>
+                <phase>test</phase>
+                <goals>
+                  <goal>test</goal>
+                </goals>
+                <configuration>
+                  <test>com.fasterxml.jackson.databind.typepollution.TypePollutionSuite</test>
+                  <threadCount>1</threadCount>
+                </configuration>
+              </execution>
+            </executions>
           </plugin>
         </plugins>
       </build>

release-notes/CREDITS-2.x

@@ -425,6 +425,8 @@ Jonas Konrad (yawkat@github)
   * Contributed fix for #3655: `ObjectMapper` default heap consumption increased significantly
     from 2.13.x to 2.14.0
    (2.14.1)
+  * Contributed fix for #4848: Avoid type pollution in `StringCollectionDeserializer`
+   (2.18.3)
 
 Jirka Kremser (Jiri-Kremser@github)
   * Suggested #924: SequenceWriter.writeAll() could accept Iterable
@@ -1865,6 +1867,11 @@ Stanislav Shcherbakov (@glorrian)
  * Contributed #4844: Fix wrapped array hanlding wrt `null` by `StdDeserializer`
   (2.18.3)
 
+Tomáš Poledný (@Saljack)
+ * Reported #4860: `ConstructorDetector.USE_PROPERTIES_BASED` does not work with
+   multiple constructors since 2.18
+  (2.18.3)
+
 Liam Feid (@fxshlein)
  * Contributed #1467: Support `@JsonUnwrapped` with `@JsonCreator`
   (2.19.0)

release-notes/VERSION-2.x

@@ -31,9 +31,11 @@ Project: jackson-databind
  (reported by Eduard G)
 #4773: `SerializationFeature.ORDER_MAP_ENTRIES_BY_KEYS` should not apply to Maps
   with uncomparable keys
- (requested by @nathanukey
+ (requested by @nathanukey)
 #4849 Not able to deserialize Enum with default typing after upgrading 2.15.4 -> 2.17.1
  (reported by Kornel Zemla)
+#4863: Add basic Stream support in `JsonNode`: `valueStream()`, `propertyStream()`,
+  `forEachEntry()`
 
 2.18.3 (not yet released)
 
@@ -43,6 +45,12 @@ Project: jackson-databind
  (fix by Joo-Hyuk K)
 #4844: Fix wrapped array handling wrt `null` by `StdDeserializer`
  (fix by Stanislav S)
+#4848: Avoid type pollution in `StringCollectionDeserializer`
+ (contributed by Jonas K)
+#4860: `ConstructorDetector.USE_PROPERTIES_BASED` does not work with
+  multiple constructors since 2.18
+ (reported by Tomáš P)
+ (fix by Joo-Hyuk K, @cowtowncoder)
 
 2.18.2 (27-Nov-2024)
 

src/main/java/com/fasterxml/jackson/databind/JsonNode.java

@@ -4,6 +4,8 @@
 import java.math.BigDecimal;
 import java.math.BigInteger;
 import java.util.*;
+import java.util.function.BiConsumer;
+import java.util.stream.Stream;
 
 import com.fasterxml.jackson.core.*;
 import com.fasterxml.jackson.databind.node.ArrayNode;
@@ -1017,9 +1019,14 @@ public Iterator<JsonNode> elements() {
     }
 
     /**
+     * NOTE: This method is deprecated, use {@link #properties()} instead.
+     *
      * @return Iterator that can be used to traverse all key/value pairs for
      *   object nodes; empty iterator (no contents) for other types
+     *  
+     * @deprecated As of 2.19, replaced by {@link #properties()}
      */
+    @Deprecated // since 2.19
     public Iterator<Map.Entry<String, JsonNode>> fields() {
         return ClassUtil.emptyIterator();
     }
@@ -1028,6 +1035,7 @@ public Iterator<Map.Entry<String, JsonNode>> fields() {
      * Accessor that will return properties of {@code ObjectNode}
      * similar to how {@link Map#entrySet()} works; 
      * for other node types will return empty {@link java.util.Set}.
+     * Replacement for {@link JsonNode#fields()}.
      *
      * @return Set of properties, if this node is an {@code ObjectNode}
      * ({@link JsonNode#isObject()} returns {@code true}); empty
@@ -1039,6 +1047,46 @@ public Set<Map.Entry<String, JsonNode>> properties() {
         return Collections.emptySet();
     }
 
+    /**
+     * Returns a stream of all value nodes of this Node, iff
+     * this node is an {@code ArrayNode} or {@code ObjectNode}.
+     * In case of {@code Object} node, property names (keys) are not included, only values.
+     * For other types of nodes, returns empty stream.
+     *
+     * @since 2.19
+     */
+    public Stream<JsonNode> valueStream() {
+        return ClassUtil.emptyStream();
+    }
+
+    /**
+     * Returns a stream of all properties (key, value pairs) of this Node,
+     * iff this node is an an {@code ObjectNode}.
+     * For other types of nodes, returns empty stream.
+     *
+     * @since 2.19
+     */
+    public Stream<Map.Entry<String, JsonNode>> propertyStream() {
+        return ClassUtil.emptyStream();
+    }
+
+    /**
+     * If this node is an {@code ObjectNode}, performs the given action for each
+     * property (key, value pair)
+     * until all entries have been processed or the action throws an exception.
+     * Exceptions thrown by the action are relayed to the caller.     
+     * For other node types, no action is performed.
+     *<p>
+     * Actions are performed in the order of properties, same as order returned by
+     * method {@link #properties()}.
+     * This is generally the document order of properties in JSON object.
+     * 
+     * @param action Action to perform for each entry
+     */
+    public void forEachEntry(BiConsumer<? super String, ? super JsonNode> action) {
+        // No-op for all but ObjectNode
+    }
+
     /*
     /**********************************************************
     /* Public API, find methods

src/main/java/com/fasterxml/jackson/databind/deser/BasicDeserializerFactory.java

@@ -534,7 +534,7 @@ private void _addSelectedPropertiesBasedCreator(DeserializationContext ctxt,
                 if ((name == null) && (injectId == null)) {
                     ctxt.reportBadTypeDefinition(beanDesc,
 "Argument #%d of Creator %s has no property name (and is not Injectable): can not use as property-based Creator",
-i, candidate);
+                        i, candidate);
                 }
             }
             properties[i] = constructCreatorProperty(ctxt, beanDesc, name, i, param, injectId);

src/main/java/com/fasterxml/jackson/databind/deser/std/StringCollectionDeserializer.java

@@ -1,12 +1,13 @@
 package com.fasterxml.jackson.databind.deser.std;
 
 import java.io.IOException;
-import java.util.Collection;
-import java.util.Objects;
+import java.util.*;
 
 import com.fasterxml.jackson.annotation.JsonFormat;
 
-import com.fasterxml.jackson.core.*;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
+
 import com.fasterxml.jackson.databind.*;
 import com.fasterxml.jackson.databind.annotation.JacksonStdImpl;
 import com.fasterxml.jackson.databind.cfg.CoercionAction;
@@ -170,16 +171,15 @@ public ValueInstantiator getValueInstantiator() {
     /**********************************************************
      */
 
-    @SuppressWarnings("unchecked")
     @Override
     public Collection<String> deserialize(JsonParser p, DeserializationContext ctxt)
         throws IOException
     {
         if (_delegateDeserializer != null) {
-            return (Collection<String>) _valueInstantiator.createUsingDelegate(ctxt,
-                    _delegateDeserializer.deserialize(p, ctxt));
+            return castToCollection(_valueInstantiator.createUsingDelegate(ctxt,
+                    _delegateDeserializer.deserialize(p, ctxt)));
         }
-        final Collection<String> result = (Collection<String>) _valueInstantiator.createUsingDefault(ctxt);
+        final Collection<String> result = castToCollection(_valueInstantiator.createUsingDefault(ctxt));
         return deserialize(p, ctxt, result);
     }
 
@@ -272,7 +272,6 @@ public Object deserializeWithType(JsonParser p, DeserializationContext ctxt,
      * throw an exception, or try to handle value as if member of implicit
      * array, depending on configuration.
      */
-    @SuppressWarnings("unchecked")
     private final Collection<String> handleNonArray(JsonParser p, DeserializationContext ctxt,
             Collection<String> result) throws IOException
     {
@@ -284,7 +283,7 @@ private final Collection<String> handleNonArray(JsonParser p, DeserializationCon
             if (p.hasToken(JsonToken.VALUE_STRING)) {
                 return _deserializeFromString(p, ctxt);
             }
-            return (Collection<String>) ctxt.handleUnexpectedToken(_containerType, p);
+            return castToCollection(ctxt.handleUnexpectedToken(_containerType, p));
         }
         // Strings are one of "native" (intrinsic) types, so there's never type deserializer involved
         JsonDeserializer<String> valueDes = _valueDeserializer;
@@ -306,15 +305,15 @@ private final Collection<String> handleNonArray(JsonParser p, DeserializationCon
                     final CoercionAction act = ctxt.findCoercionAction(logicalType(), handledType(),
                             CoercionInputShape.EmptyString);
                     if (act != CoercionAction.Fail) {
-                        return (Collection<String>) _deserializeFromEmptyString(p, ctxt, act, handledType(),
-                                "empty String (\"\")");
+                        return castToCollection(_deserializeFromEmptyString(p, ctxt, act, handledType(),
+                                "empty String (\"\")"));
                     }
                 } else if (_isBlank(textValue)) {
                     final CoercionAction act = ctxt.findCoercionFromBlankString(logicalType(), handledType(),
                             CoercionAction.Fail);
                     if (act != CoercionAction.Fail) {
-                        return (Collection<String>) _deserializeFromEmptyString(p, ctxt, act, handledType(),
-                                "blank String (all whitespace)");
+                        return castToCollection(_deserializeFromEmptyString(p, ctxt, act, handledType(),
+                                "blank String (all whitespace)"));
                     }
                 }
                 // if coercion failed, we can still add it to a list
@@ -329,4 +328,24 @@ private final Collection<String> handleNonArray(JsonParser p, DeserializationCon
         result.add(value);
         return result;
     }
+
+    // Used to avoid type pollution: see
+    //   https://micronaut-projects.github.io/micronaut-test/latest/guide/#typePollution
+    // for details
+    //
+    // @since 2.18
+    @SuppressWarnings("unchecked")
+    private static Collection<String> castToCollection(Object o) {
+        if (o != null) {
+            // fast path for specific classes to avoid type pollution:
+            // https://micronaut-projects.github.io/micronaut-test/latest/guide/#typePollution
+            if (o.getClass() == ArrayList.class) {
+                return (ArrayList<String>) o;
+            }
+            if (o.getClass() == HashSet.class) {
+                return (HashSet<String>) o;
+            }
+        }
+        return (Collection<String>) o;
+    }
 }

src/main/java/com/fasterxml/jackson/databind/introspect/POJOPropertiesCollector.java

@@ -713,8 +713,7 @@ protected void _addCreators(Map<String, POJOPropertyBuilder> props)
         }
 
         // One more thing: if neither explicit (constructor or factory) nor
-        // canonical (constructor?), consider implicit Constructor with
-        // all named.
+        // canonical (constructor?), consider implicit Constructor with all named.
         final ConstructorDetector ctorDetector = _config.getConstructorDetector();
         if (!creators.hasPropertiesBasedOrDelegating()
                 && !ctorDetector.requireCtorAnnotation()) {
@@ -1011,10 +1010,17 @@ private boolean _addImplicitConstructor(PotentialCreators collector,
                 if (ctorDetector.singleArgCreatorDefaultsToDelegating()) {
                     return false;
                 }
+                // 20-Dec-2024, tatu: [databind#4860] Cannot detect as properties-based
+                //   without implicit name (Injectable was checked earlier)
+                String implicitParamName = ctor.implicitNameSimple(0);
+                if (implicitParamName == null) {
+                    return false;
+                }
+
                 // if not, prefer Properties-based if explicit preference OR
                 // property with same name with at least one visible accessor
                 if (!ctorDetector.singleArgCreatorDefaultsToProperties()) {
-                    POJOPropertyBuilder prop = props.get(ctor.implicitNameSimple(0));
+                    POJOPropertyBuilder prop = props.get(implicitParamName);
                     if ((prop == null) || !prop.anyVisible() || prop.anyIgnorals()) {
                         return false;
                     }

src/main/java/com/fasterxml/jackson/databind/node/ArrayNode.java

@@ -4,6 +4,7 @@
 import java.math.BigDecimal;
 import java.math.BigInteger;
 import java.util.*;
+import java.util.stream.Stream;
 
 import com.fasterxml.jackson.core.*;
 import com.fasterxml.jackson.core.type.WritableTypeId;
@@ -288,6 +289,11 @@ public JsonNode required(int index) {
                 index, _children.size());
     }
 
+    @Override // @since 2.19
+    public Stream<JsonNode> valueStream() {
+        return _children.stream();
+    }
+
     @Override
     public boolean equals(Comparator<JsonNode> comparator, JsonNode o)
     {

src/main/java/com/fasterxml/jackson/databind/node/ContainerNode.java

@@ -2,6 +2,7 @@
 
 import java.math.BigDecimal;
 import java.math.BigInteger;
+import java.util.stream.Stream;
 
 import com.fasterxml.jackson.core.*;
 import com.fasterxml.jackson.databind.JsonNode;
@@ -54,6 +55,10 @@ protected ContainerNode(JsonNodeFactory nc) {
     @Override
     public abstract JsonNode get(String fieldName);
 
+    // Both ArrayNode and ObjectNode must re-implement
+    @Override // @since 2.19
+    public abstract Stream<JsonNode> valueStream();
+
     @Override
     protected abstract ObjectNode _withObject(JsonPointer origPtr,
             JsonPointer currentPtr,

src/main/java/com/fasterxml/jackson/databind/node/InternalNodeMapper.java

@@ -96,7 +96,7 @@ protected void _serializeNonRecursive(JsonGenerator g, JsonNode node) throws IOE
         {
             if (node instanceof ObjectNode) {
                 g.writeStartObject(this, node.size());
-                _serializeNonRecursive(g, new IteratorStack(), node.fields());
+                _serializeNonRecursive(g, new IteratorStack(), node.properties().iterator());
             } else if (node instanceof ArrayNode) {
                 g.writeStartArray(this, node.size());
                 _serializeNonRecursive(g, new IteratorStack(), node.elements());
@@ -127,7 +127,7 @@ protected void _serializeNonRecursive(JsonGenerator g, IteratorStack stack,
                     }
                     if (value instanceof ObjectNode) {
                         stack.push(currIt);
-                        currIt = value.fields();
+                        currIt = value.properties().iterator();
                         g.writeStartObject(value, value.size());
                     } else if (value instanceof ArrayNode) {
                         stack.push(currIt);