Description: Multiple fixes (CVE-2020-36179 to CVE-2020-36190) cherry-picked together from upstream. From: Tatu Saloranta Co-Author: Utkarsh Gupta --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java @@ -118,9 +118,12 @@ // [databind#2704]: xalan2 s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool"); - // [databind#2478]: comons-dbcp, p6spy + // [databind#2478]: commons-dbcp 1.x, p6spy + // [databind#3004]: commons-dbcp 1.x + s.add("org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS"); s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource"); s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource"); + s.add("com.p6spy.engine.spy.P6DataSource"); // [databind#2498]: log4j-extras (1.2) @@ -143,8 +146,9 @@ // [databind#2814]: anteros-dbcp s.add("br.com.anteros.dbcp.AnterosDBCPDataSource"); - // [databind#2642]: javax.swing (jdk) + // [databind#2642][databind#2854]: javax.swing (jdk) s.add("javax.swing.JEditorPane"); + s.add("javax.swing.JTextPane"); // [databind#2648], [databind#2653]: shire-core s.add("org.apache.shiro.realm.jndi.JndiRealmFactory"); @@ -183,8 +187,11 @@ // [databind#2682]: commons-jelly s.add("org.apache.commons.jelly.impl.Embedded"); - // [databind#2688]: apache/drill + // [databind#2688], [databind#3004]: apache/drill s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool"); + s.add("oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS"); + s.add("oadd.org.apache.commons.dbcp.datasources.PerUserPoolDataSource"); + s.add("oadd.org.apache.commons.dbcp.datasources.SharedPoolDataSource"); // [databind#2698]: weblogic w/ oracle/aq-jms // (note: dependency not available via Maven Central, but as part of @@ -201,14 +208,35 @@ // [databind#2798]: com.pastdev.httpcomponents: s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration"); - // [databind#2986]: dbcp2 + // [databind#2986], [databind#3004]: dbcp2 + s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS"); s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource"); s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource"); + // [databind#2996]: newrelic-agent + embedded-logback-core + // (derivative of #2334 and #2389) + s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource"); + s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource"); + + // [databind#2997]/[databind#3004]: tomcat/naming-factory-dbcp (embedded dbcp 1.x) + // (derivative of #2478) + s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS"); + s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource"); + s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource"); + + // [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x) + // (derivative of #2478) + s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS"); + s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource"); + s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource"); + // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan) // (derivative of #2469) s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool"); + // [databind#3003]: another case of embedded Xalan (derivative of #2469) + s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }