From c0b8211c4fd4143178648d62639502da5d784489 Mon Sep 17 00:00:00 2001
From: Mahmoud Ben Hassine
Date: Tue, 17 May 2022 11:26:00 +0200
Subject: [PATCH] Add java.util.UUID to trusted classes in Jackson serializer

This class is safe to deserialize according to Jackson:
https://github.com/FasterXML/jackson-databind/blob/master/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

This also has been checked against Jackson 2.11 to confirm the backport of this enhancement to 4.3.x.

Resolves #4110
---
 .../dao/Jackson2ExecutionContextStringSerializer.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/spring-batch-core/src/main/java/org/springframework/batch/core/repository/dao/Jackson2ExecutionContextStringSerializer.java b/spring-batch-core/src/main/java/org/springframework/batch/core/repository/dao/Jackson2ExecutionContextStringSerializer.java
index 01a6053e88..56e1e2f20f 100644
--- a/spring-batch-core/src/main/java/org/springframework/batch/core/repository/dao/Jackson2ExecutionContextStringSerializer.java
+++ b/spring-batch-core/src/main/java/org/springframework/batch/core/repository/dao/Jackson2ExecutionContextStringSerializer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2021 the original author or authors.
+ * Copyright 2008-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -257,6 +257,7 @@ protected TypeIdResolver idResolver(MapperConfig config,
 */
 static class TrustedTypeIdResolver implements TypeIdResolver {
 private static final Set TRUSTED_CLASS_NAMES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
+ "java.util.UUID",
 "java.util.ArrayList",
 "java.util.Arrays$ArrayList",
 "java.util.LinkedList",
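Review bot: The new `"java.util.UUID",` entry in `TRUSTED_CLASS_NAMES` widens the deserialization allow-list without a test or an in-code rationale; the diffstat shows only this one file changed. The commit message cites Jackson's SubTypeValidator, which as far as I know is a deny-list of known gadget classes, so absence from it is weaker evidence than the properties of UUID itself. I would add a comment beside the entry such as `// final, immutable value type: construction has no side effects`, and a round-trip test that serializes an ExecutionContext holding a UUID and reads it back through this serializer. The set initializer continues past the end of the hunk, so the remaining entries are not visible here.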