Class BasicPolymorphicTypeValidator.Builder

    • Field Detail

      • _invalidBaseTypes

        protected java.util.Set<java.lang.Class<?>> _invalidBaseTypes
        Optional set of base types (exact match) that are NOT accepted as base types for polymorphic properties. May be used to prevent "unsafe" base types like Object or Serializable.
      • _acceptArrayTypes

        protected boolean _acceptArrayTypes
        [databind#5981]: when true, validateSubType() unwraps arrays (recursively for nested arrays) and validates the innermost element type against _subTypeClassMatchers as well as _subTypeNameMatchers (the latter added by [databind#5988]).
        Since:
        2.18.8
    • Constructor Detail

      • Builder

        protected Builder()
    • Method Detail

      • allowIfBaseType

        public BasicPolymorphicTypeValidator.Builder allowIfBaseType(java.lang.Class<?> baseOfBase)
        Method for appending matcher that will allow all subtypes in cases where nominal base type is specified class, or one of its subtypes. For example, call to
            builder.allowIfBaseType(MyBaseType.class)
        
        would indicate that any polymorphic properties where declared base type is MyBaseType (or subclass thereof) would allow all legal (assignment-compatible) subtypes.
      • allowIfBaseType

        public BasicPolymorphicTypeValidator.Builder allowIfBaseType(java.util.regex.Pattern patternForBase)
        Method for appending matcher that will allow all subtypes in cases where nominal base type's class name matches given Pattern. For example, call to
            builder.allowIfBaseType(Pattern.compile("com\\.mycompany\\..*"))
        
        would indicate that any polymorphic properties where declared base type is in package com.mycompany would allow all legal (assignment-compatible) subtypes.

        NOTE! Pattern match is applied using if (patternForBase.matcher(typeId).matches()) { }; that is, it must match the whole class name, not just part.

      • allowIfBaseType

        public BasicPolymorphicTypeValidator.Builder allowIfBaseType(java.lang.String prefixForBase)
        Method for appending matcher that will allow all subtypes in cases where nominal base type's class name starts with specific prefix. For example, call to
            builder.allowIfBaseType("com.mycompany.")
        
        would indicate that any polymorphic properties where declared base type is in package com.mycompany would allow all legal (assignment-compatible) subtypes.
      • allowIfBaseType

        public BasicPolymorphicTypeValidator.Builder allowIfBaseType(BasicPolymorphicTypeValidator.TypeMatcher matcher)
        Method for appending custom matcher called with base type: if matcher returns true, all possible subtypes will be accepted; if false, other matchers are applied.
        Parameters:
        matcher - Custom matcher to apply to base type
        Returns:
        This Builder to allow call chaining
        Since:
        2.11
      • denyForExactBaseType

        public BasicPolymorphicTypeValidator.Builder denyForExactBaseType(java.lang.Class<?> baseTypeToDeny)
        Method for appending matcher that will mark any polymorphic properties with exact specific class to be invalid. For example, call to
            builder.denyForExactBaseType(Object.class)
        
        would indicate that any polymorphic properties where declared base type is java.lang.Object would be deemed invalid, and attempt to deserialize values of such types should result in an exception.
      • allowIfSubType

        public BasicPolymorphicTypeValidator.Builder allowIfSubType(java.lang.Class<?> subTypeBase)
        Method for appending matcher that will allow specific subtype (regardless of declared base type) if it is subTypeBase or its subtype. For example, call to
            builder.allowIfSubType(MyImplType.class)
        
        would indicate that any polymorphic values of type MyImplType (or subclass thereof) would be allowed.
      • allowIfSubType

        public BasicPolymorphicTypeValidator.Builder allowIfSubType(java.util.regex.Pattern patternForSubType)
        Method for appending matcher that will allow specific subtype (regardless of declared base type) in cases where subclass name matches given Pattern. For example, call to
            builder.allowIfSubType(Pattern.compile("com\\.mycompany\\..*"))
        
        would indicate that any polymorphic values in package com.mycompany would be allowed.

        NOTE! Pattern match is applied using if (patternForSubType.matcher(typeId).matches()) { }; that is, it must match the whole class name, not just part.

      • allowIfSubType

        public BasicPolymorphicTypeValidator.Builder allowIfSubType(java.lang.String prefixForSubType)
        Method for appending matcher that will allow specific subtype (regardless of declared base type) in cases where subclass name starts with specified prefix. For example, call to
            builder.allowIfSubType("com.mycompany.")
        
        would indicate that any polymorphic values in package com.mycompany would be allowed.
      • allowIfSubType

        public BasicPolymorphicTypeValidator.Builder allowIfSubType(BasicPolymorphicTypeValidator.TypeMatcher matcher)
        Method for appending custom matcher called with resolved subtype: if matcher returns true, type will be accepted; if false, other matchers are applied.
        Parameters:
        matcher - Custom matcher to apply to resolved subtype
        Returns:
        This Builder to allow call chaining
        Since:
        2.11
      • allowIfSubTypeIsArray

        public BasicPolymorphicTypeValidator.Builder allowIfSubTypeIsArray()
        Method for enabling validation of Java array sub-types: when called, the validator unwraps any array (recursively for nested arrays) and validates the innermost element type against the configured sub-class matchers. Arrays of primitive, abstract, or interface element types are accepted without an explicit allow-list entry: primitives can't carry gadget chains; abstract / interface elements are not directly instantiable and rely on per-element type-id resolution which itself runs the polymorphic type validator on the concrete sub-type.

        NOTE: the array-element check runs as part of validateSubType(), so it only applies when name-based sub-type matchers (see allowIfSubType(Pattern) / allowIfSubType(String)) have NOT already approved the array's class name -- per DatabindContext.resolveAndValidateSubType(com.fasterxml.jackson.databind.JavaType, java.lang.String, com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator), a validateSubClassName of ALLOWED skips the subsequent validateSubType call. In practice typical name matchers do not match array class names (which start with [L / [I etc.), so this is normally not a concern.

        NOTE (behavior change in 2.18.8 for [databind#5981]): prior versions added a matcher that approved every array regardless of element type, which let an attacker bypass an explicit sub-class allow-list by wrapping a denied class as an array (e.g. Evil[]): the array matched, and the component was then instantiated via plain bean deserialization without any further validator invocation. Callers that relied on "allow every array" must now also allow-list the element types they intend to accept.

        NOTE: not used with other Java collection types (Lists, Collections), mostly since use of generic types as polymorphic values is not (well) supported.

        Since:
        2.11
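
A regression check for the array note above, as an added example that is not part of the Jackson documentation: it round-trips an array of an allow-listed element type and an array of an unlisted one through a validator built with allowIfSubType(Class) and allowIfSubTypeIsArray(). The classes Allowed, NotListed and Holder and the helper roundTrip are hypothetical names constructed for the example; jackson-databind is assumed to be on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class ArrayElementAllowList {
    // Hypothetical application types, constructed for this example.
    public static class Allowed { public int id = 1; }
    public static class NotListed { public String note = "x"; }
    public static class Holder { public Object value; }

    static ObjectMapper mapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Allowed.class)   // element type we intend to accept
                .allowIfSubTypeIsArray()         // arrays are checked by element type
                .build();
        // Type ids are written only for properties declared as java.lang.Object.
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT)
                .build();
    }

    // Serialize (the validator is not consulted on write), then read back through it.
    static String roundTrip(ObjectMapper m, Object payload) throws Exception {
        Holder h = new Holder();
        h.value = payload;
        String json = m.writeValueAsString(h);
        try {
            Object v = m.readValue(json, Holder.class).value;
            return "accepted " + v.getClass().getSimpleName();
        } catch (InvalidTypeIdException e) {
            return "rejected " + e.getTypeId();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper m = mapper();
        // Element type is allow-listed, so the array is accepted.
        System.out.println(roundTrip(m, new Allowed[] { new Allowed() }));
        // With the behavior change described in the note above, this array is
        // rejected because NotListed is not allow-listed; versions that approved
        // every array would accept it.
        System.out.println(roundTrip(m, new NotListed[] { new NotListed() }));
    }
}
```

Running this against the deployed jackson-databind version shows whether a validator configuration still depends on the older "allow every array" matcher.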