Update Jackson version to 2.10.0 to avoid default typing CVE.

We are not actually using default typing but better be safe.
danfickle · Oct 9, 2019 · 3cab938 · 3cab938
1 parent 8cc5dde
commit 3cab938
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 12 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
-
+.vscode/
 .settings/
 target/
 

diff --git a/pom.xml b/pom.xml
@@ -8,7 +8,7 @@
   <properties>
     <maven.compiler.source>1.8</maven.compiler.source>
     <maven.compiler.target>1.8</maven.compiler.target>
-    <jackson.version>2.9.9</jackson.version>
+    <jackson.version>2.10.0</jackson.version>
   </properties>
   <dependencies>
   	<dependency>
@@ -29,7 +29,7 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.9.9.2</version>
+      <version>${jackson.version}</version>
     </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>

diff --git a/src/main/java/com/openhtmltopdf/projects/resume/Generator.java b/src/main/java/com/openhtmltopdf/projects/resume/Generator.java
@@ -24,7 +24,9 @@
 import org.thymeleaf.TemplateEngine;
 import org.thymeleaf.context.Context;
 
-import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.core.JsonFactoryBuilder;
+import com.fasterxml.jackson.core.json.JsonReadFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.openhtmltopdf.pdfboxout.PdfRendererBuilder;
 
@@ -59,7 +61,7 @@ private Template(String slug) {
 
 	private static final Logger LOGGER = LoggerFactory.getLogger(Generator.class);
 	private static final SecureRandom RANDOM = new SecureRandom();
-	private static final ObjectMapper MAPPER = new ObjectMapper();
+	private static final ObjectMapper MAPPER = new ObjectMapper(createJsonFactory());
 	private static final TemplateEngine THYMELEAF = new TemplateEngine();
 	private static final Map<String, String> langs = new ConcurrentHashMap<>();
 	private static final Map<String, String> templates = new ConcurrentHashMap<>();
@@ -95,13 +97,19 @@ private static void loadEditorPage(Editor e) {
 		}
 	}
 
-	static {
-		MAPPER.enable(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES);
-		MAPPER.enable(JsonParser.Feature.ALLOW_SINGLE_QUOTES);
-		MAPPER.enable(JsonParser.Feature.ALLOW_MISSING_VALUES);
-		MAPPER.enable(JsonParser.Feature.ALLOW_COMMENTS);
-		MAPPER.enable(JsonParser.Feature.ALLOW_TRAILING_COMMA);
-
+	private static JsonFactory createJsonFactory() {
+		JsonFactoryBuilder builder = new JsonFactoryBuilder();
+
+		builder.enable(JsonReadFeature.ALLOW_MISSING_VALUES);
+		builder.enable(JsonReadFeature.ALLOW_TRAILING_COMMA);
+		builder.enable(JsonReadFeature.ALLOW_UNQUOTED_FIELD_NAMES);
+		builder.enable(JsonReadFeature.ALLOW_SINGLE_QUOTES);
+		builder.enable(JsonReadFeature.ALLOW_JAVA_COMMENTS);
+
+		return builder.build();
+	}
+
+    static {	
 		Stream.of(Editor.values()).forEach(Generator::loadEditorPage);
 		Stream.of(Languages.values()).forEach(Generator::loadLang);
 		Stream.of(Template.values()).forEach(Generator::loadTemplate);