Add error-prone check for unsafe usage of JsonTypeInfo (#161)

palantir · Apr 23, 2017 · b0542cc · b0542cc
1 parent 2a35778
commit b0542cc
Show file tree

Hide file tree

Showing 4 changed files with 139 additions and 0 deletions.
diff --git a/baseline-error-prone/build.gradle b/baseline-error-prone/build.gradle
@@ -4,6 +4,7 @@ apply from: "${rootDir}/gradle/java.gradle"
 dependencies {
     compile 'com.google.errorprone:error_prone_core'
 
+    testCompile 'com.fasterxml.jackson.core:jackson-annotations'
     testCompile 'com.google.errorprone:error_prone_test_helpers'
     testCompile 'org.slf4j:slf4j-api'
 

diff --git a/...rror-prone/src/main/java/com/palantir/baseline/errorprone/DangerousJsonTypeInfoUsage.java b/...rror-prone/src/main/java/com/palantir/baseline/errorprone/DangerousJsonTypeInfoUsage.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2017 Palantir Technologies, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.palantir.baseline.errorprone;
+
+import com.google.auto.service.AutoService;
+import com.google.errorprone.BugPattern;
+import com.google.errorprone.BugPattern.Category;
+import com.google.errorprone.BugPattern.SeverityLevel;
+import com.google.errorprone.VisitorState;
+import com.google.errorprone.bugpatterns.BugChecker;
+import com.google.errorprone.matchers.AnnotationHasArgumentWithValue;
+import com.google.errorprone.matchers.Description;
+import com.google.errorprone.matchers.IsSameType;
+import com.google.errorprone.matchers.Matcher;
+import com.google.errorprone.matchers.Matchers;
+import com.sun.source.tree.AnnotationTree;
+import com.sun.source.tree.ExpressionTree;
+
+@AutoService(BugChecker.class)
+@BugPattern(
+        name = "DangerousJsonTypeInfoUsage",
+        category = Category.ONE_OFF,
+        severity = SeverityLevel.ERROR,
+        summary = "Disallow usage of Jackson's JsonTypeInfo.Id.CLASS annotation for security reasons, "
+                + "cf. https://github.com/FasterXML/jackson-databind/issues/1599")
+public final class DangerousJsonTypeInfoUsage extends BugChecker implements BugChecker.AnnotationTreeMatcher {
+
+    private static final long serialVersionUID = 1L;
+
+    private static final Matcher<AnnotationTree> matcher = new AnnotationHasArgumentWithValue("use",
+            Matchers.allOf(
+                    new IsSameType<>("com.fasterxml.jackson.annotation.JsonTypeInfo$Id"),
+                    Matchers.anyOf(
+                            treeEqualsStringMatcher("JsonTypeInfo.Id.CLASS"),
+                            treeEqualsStringMatcher("JsonTypeInfo.Id.MINIMAL_CLASS"),
+                            treeEqualsStringMatcher("com.fasterxml.jackson.annotation.JsonTypeInfo.Id.CLASS"),
+                            treeEqualsStringMatcher("com.fasterxml.jackson.annotation.JsonTypeInfo.Id.MINIMAL_CLASS")
+                    )));
+
+    private static Matcher<ExpressionTree> treeEqualsStringMatcher(String value) {
+        return (expressionTree, state) -> expressionTree.toString().equals(value);
+    }
+
+    @Override
+    public Description matchAnnotation(AnnotationTree tree, VisitorState state) {
+        if (!matcher.matches(tree, state)) {
+            return Description.NO_MATCH;
+        }
+
+        return buildDescription(tree)
+                .setMessage("Must not use Jackson @JsonTypeInfo annotation with "
+                        + "JsonTypeInfo.Id.CLASS or JsonTypeInfo.Id.MINIMAL_CLASS")
+                .build();
+    }
+}
diff --git a/...prone/src/test/java/com/palantir/baseline/errorprone/DangerousJsonTypeInfoUsageTests.java b/...prone/src/test/java/com/palantir/baseline/errorprone/DangerousJsonTypeInfoUsageTests.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2017 Palantir Technologies, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.palantir.baseline.errorprone;
+
+import com.google.errorprone.CompilationTestHelper;
+import org.junit.Before;
+import org.junit.Test;
+
+public final class DangerousJsonTypeInfoUsageTests {
+
+    private CompilationTestHelper compilationHelper;
+
+    @Before
+    public void before() {
+        compilationHelper = CompilationTestHelper.newInstance(DangerousJsonTypeInfoUsage.class, getClass());
+    }
+
+    @Test
+    public void testMustNotUseClassVariants() throws Exception {
+        positive("JsonTypeInfo.Id.CLASS");
+        positive("JsonTypeInfo.Id.MINIMAL_CLASS");
+        positive("com.fasterxml.jackson.annotation.JsonTypeInfo.Id.CLASS");
+        positive("com.fasterxml.jackson.annotation.JsonTypeInfo.Id.MINIMAL_CLASS");
+    }
+
+    @Test
+    public void testMayUseNoneNameCustomVariants() throws Exception {
+        negative("JsonTypeInfo.Id.NONE");
+        negative("JsonTypeInfo.Id.NAME");
+        negative("JsonTypeInfo.Id.CUSTOM");
+        negative("com.fasterxml.jackson.annotation.JsonTypeInfo.Id.NONE");
+        negative("com.fasterxml.jackson.annotation.JsonTypeInfo.Id.NAME");
+        negative("com.fasterxml.jackson.annotation.JsonTypeInfo.Id.CUSTOM");
+    }
+
+    private void positive(String variant) throws Exception {
+        compilationHelper.addSourceLines(
+                "Bean.java",
+                "import com.fasterxml.jackson.annotation.JsonTypeInfo;",
+                "// BUG: Diagnostic contains: Must not use Jackson @JsonTypeInfo annotation",
+                "@JsonTypeInfo(use = " + variant + ")",
+                "class Bean {}"
+        ).doTest();
+    }
+
+    private void negative(String variant) throws Exception {
+        compilationHelper.addSourceLines(
+                "Bean.java",
+                "import com.fasterxml.jackson.annotation.JsonTypeInfo;",
+                "@JsonTypeInfo(use = " + variant + ")",
+                "class Bean {}"
+        ).doTest();
+    }
+}
diff --git a/versions.props b/versions.props
@@ -16,3 +16,4 @@ org.apache.commons:commons-io = 1.3.2
 org.assertj:assertj-core = 3.5.2
 org.hamcrest:hamcrest-core = 1.3
 org.mockito:mockito-core = 1.10.19
+com.fasterxml.jackson.*:* = 2.6.7