From fba876b60738581642ae1978cb9fed5df83b8188 Mon Sep 17 00:00:00 2001 From: Chi Cao Minh Date: Tue, 26 Nov 2019 21:41:14 -0800 Subject: [PATCH] Update jackson to 2.9.10 (#8940) Addresses security vulnerabilities: - sonatype-2016-0397: https://github.com/FasterXML/jackson-core/issues/315 - sonatype-2017-0355: https://github.com/FasterXML/jackson-core/pull/322 --- .../SegmentWithOvershadowedStatus.java | 21 +++++- .../druid/data/input/impl/ParseSpecTest.java | 2 +- .../SegmentWithOvershadowedStatusTest.java | 72 +++++++++++-------- .../druid/indexer/IndexGeneratorJob.java | 3 +- .../auth_test_sys_schema_segments.json | 2 +- licenses.yaml | 36 +--------- pom.xml | 16 +++-- .../druid/query/select/SelectQueryTest.java | 2 +- .../druid/guice/FirehoseModuleTest.java | 4 +- .../segment/indexing/DataSchemaTest.java | 2 +- .../server/log/RequestLoggerProviderTest.java | 2 +- 11 files changed, 86 insertions(+), 76 deletions(-) diff --git a/core/src/main/java/org/apache/druid/timeline/SegmentWithOvershadowedStatus.java b/core/src/main/java/org/apache/druid/timeline/SegmentWithOvershadowedStatus.java index 3f2972fd07e..04c8bf4378b 100644 --- a/core/src/main/java/org/apache/druid/timeline/SegmentWithOvershadowedStatus.java +++ b/core/src/main/java/org/apache/druid/timeline/SegmentWithOvershadowedStatus.java 
@@ -34,7 +34,7 @@ public class SegmentWithOvershadowedStatus implements Comparable LOAD_SPEC = ImmutableMap.of("something", "or_other"); + private static final boolean OVERSHADOWED = true; private static final int TEST_VERSION = 0x9; + private static final SegmentWithOvershadowedStatus SEGMENT = createSegmentWithOvershadowedStatus(); - @Before - public void setUp() + private static ObjectMapper createObjectMapper() { + ObjectMapper objectMapper = new TestObjectMapper(); InjectableValues.Std injectableValues = new InjectableValues.Std(); injectableValues.addValue(PruneSpecsHolder.class, PruneSpecsHolder.DEFAULT); - MAPPER.setInjectableValues(injectableValues); + objectMapper.setInjectableValues(injectableValues); + return objectMapper; } - @Test - public void testUnwrappedSegmentWithOvershadowedStatusDeserialization() throws Exception + private static SegmentWithOvershadowedStatus createSegmentWithOvershadowedStatus() { - final Interval interval = Intervals.of("2011-10-01/2011-10-02"); - final ImmutableMap loadSpec = ImmutableMap.of("something", "or_other"); - - final DataSegment dataSegment = new DataSegment( + DataSegment dataSegment = new DataSegment( "something", - interval, + INTERVAL, "1", - loadSpec, + LOAD_SPEC, Arrays.asList("dim1", "dim2"), Arrays.asList("met1", "met2"), NoneShardSpec.instance(), 
@@ -74,42 +74,58 @@ public class SegmentWithOvershadowedStatusTest 1 ); - final SegmentWithOvershadowedStatus segment = new SegmentWithOvershadowedStatus(dataSegment, false); + return new SegmentWithOvershadowedStatus(dataSegment, OVERSHADOWED); + } + @Test + public void testUnwrappedSegmentWithOvershadowedStatusDeserialization() throws Exception + { final Map objectMap = MAPPER.readValue( - MAPPER.writeValueAsString(segment), + MAPPER.writeValueAsString(SEGMENT), JacksonUtils.TYPE_REFERENCE_MAP_STRING_OBJECT ); Assert.assertEquals(11, objectMap.size()); Assert.assertEquals("something", objectMap.get("dataSource")); - Assert.assertEquals(interval.toString(), objectMap.get("interval")); + Assert.assertEquals(INTERVAL.toString(), objectMap.get("interval")); Assert.assertEquals("1", objectMap.get("version")); - Assert.assertEquals(loadSpec, objectMap.get("loadSpec")); + Assert.assertEquals(LOAD_SPEC, objectMap.get("loadSpec")); Assert.assertEquals("dim1,dim2", objectMap.get("dimensions")); Assert.assertEquals("met1,met2", objectMap.get("metrics")); Assert.assertEquals(ImmutableMap.of("type", "none"), objectMap.get("shardSpec")); Assert.assertEquals(TEST_VERSION, objectMap.get("binaryVersion")); Assert.assertEquals(1, objectMap.get("size")); - Assert.assertEquals(false, objectMap.get("overshadowed")); + Assert.assertEquals(OVERSHADOWED, objectMap.get("overshadowed")); - final String json = MAPPER.writeValueAsString(segment); + final String json = MAPPER.writeValueAsString(SEGMENT); final TestSegmentWithOvershadowedStatus deserializedSegment = MAPPER.readValue( json, TestSegmentWithOvershadowedStatus.class ); - Assert.assertEquals(segment.getDataSegment().getDataSource(), deserializedSegment.getDataSource()); - Assert.assertEquals(segment.getDataSegment().getInterval(), deserializedSegment.getInterval()); - Assert.assertEquals(segment.getDataSegment().getVersion(), deserializedSegment.getVersion()); - Assert.assertEquals(segment.getDataSegment().getLoadSpec(), 
deserializedSegment.getLoadSpec()); - Assert.assertEquals(segment.getDataSegment().getDimensions(), deserializedSegment.getDimensions()); - Assert.assertEquals(segment.getDataSegment().getMetrics(), deserializedSegment.getMetrics()); - Assert.assertEquals(segment.getDataSegment().getShardSpec(), deserializedSegment.getShardSpec()); - Assert.assertEquals(segment.getDataSegment().getSize(), deserializedSegment.getSize()); - Assert.assertEquals(segment.getDataSegment().getId(), deserializedSegment.getId()); + DataSegment dataSegment = SEGMENT.getDataSegment(); + Assert.assertEquals(dataSegment.getDataSource(), deserializedSegment.getDataSource()); + Assert.assertEquals(dataSegment.getInterval(), deserializedSegment.getInterval()); + Assert.assertEquals(dataSegment.getVersion(), deserializedSegment.getVersion()); + Assert.assertEquals(dataSegment.getLoadSpec(), deserializedSegment.getLoadSpec()); + Assert.assertEquals(dataSegment.getDimensions(), deserializedSegment.getDimensions()); + Assert.assertEquals(dataSegment.getMetrics(), deserializedSegment.getMetrics()); + Assert.assertEquals(dataSegment.getShardSpec(), deserializedSegment.getShardSpec()); + Assert.assertEquals(dataSegment.getSize(), deserializedSegment.getSize()); + Assert.assertEquals(dataSegment.getId(), deserializedSegment.getId()); + } + // Previously, the implementation of SegmentWithOvershadowedStatus had @JsonCreator/@JsonProperty and @JsonUnwrapped + // on the same field (dataSegment), which used to work in Jackson 2.6, but does not work with Jackson 2.9: + // https://github.com/FasterXML/jackson-databind/issues/265#issuecomment-264344051 + @Test + public void testJsonCreatorAndJsonUnwrappedAnnotationsAreCompatible() throws Exception + { + String json = MAPPER.writeValueAsString(SEGMENT); + SegmentWithOvershadowedStatus segment = MAPPER.readValue(json, SegmentWithOvershadowedStatus.class); + Assert.assertEquals(SEGMENT, segment); + Assert.assertEquals(json, MAPPER.writeValueAsString(segment)); } } 
diff --git a/indexing-hadoop/src/main/java/org/apache/druid/indexer/IndexGeneratorJob.java b/indexing-hadoop/src/main/java/org/apache/druid/indexer/IndexGeneratorJob.java index 20ad15d6e8e..8c837344021 100644 --- a/indexing-hadoop/src/main/java/org/apache/druid/indexer/IndexGeneratorJob.java +++ b/indexing-hadoop/src/main/java/org/apache/druid/indexer/IndexGeneratorJob.java @@ -77,6 +77,7 @@ import org.joda.time.Interval; import java.io.File; import java.io.FileNotFoundException; import java.io.IOException; +import java.io.InputStream; import java.nio.ByteBuffer; import java.util.ArrayList; import java.util.Iterator; @@ -117,7 +118,7 @@ public class IndexGeneratorJob implements Jobby FileSystem fs = descriptorInfoDir.getFileSystem(conf); for (FileStatus status : fs.listStatus(descriptorInfoDir)) { - final DataSegment segment = jsonMapper.readValue(fs.open(status.getPath()), DataSegment.class); + final DataSegment segment = jsonMapper.readValue((InputStream) fs.open(status.getPath()), DataSegment.class); publishedSegmentsBuilder.add(segment); log.info("Adding segment %s to the list of published segments", segment.getId()); } diff --git a/integration-tests/src/test/resources/results/auth_test_sys_schema_segments.json b/integration-tests/src/test/resources/results/auth_test_sys_schema_segments.json index 4437e725e28..a169cfe8736 100644 --- a/integration-tests/src/test/resources/results/auth_test_sys_schema_segments.json +++ b/integration-tests/src/test/resources/results/auth_test_sys_schema_segments.json 
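Review bot: The `(InputStream)` cast added to the `jsonMapper.readValue(...)` call inside the `fs.listStatus` loop has no comment, so it reads as redundant and is likely to be removed in a later cleanup. Presumably it is needed because the stream returned by `fs.open` is both an `InputStream` and a `DataInput`, and Jackson 2.9 has a `readValue` overload for each; a line such as `// Cast selects the InputStream overload; the Hadoop stream also implements DataInput.` above the call would record that. The stream is also never closed explicitly, so cleanup depends on the mapper closing its source; wrapping `fs.open(status.getPath())` in try-with-resources would make that independent of mapper configuration. The enclosing method starts and ends outside the hunk.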
@@ -13,6 +13,6 @@ "is_available": 1, "is_realtime": 0, "is_overshadowed": 0, - "payload": "{\"dataSource\":\"auth_test\",\"interval\":\"2012-12-29T00:00:00.000Z/2013-01-10T08:00:00.000Z\",\"version\":\"2013-01-10T08:13:47.830Z_v9\",\"loadSpec\":{\"load spec is pruned, because it's not needed on Brokers, but eats a lot of heap space\":\"\"},\"dimensions\":\"anonymous,area_code,city,continent_code,country_name,dma_code,geo,language,namespace,network,newpage,page,postal_code,region_lookup,robot,unpatrolled,user\",\"metrics\":\"added,count,deleted,delta,delta_hist,unique_users,variation\",\"shardSpec\":{\"type\":\"none\"},\"binaryVersion\":9,\"size\":446027801,\"identifier\":\"auth_test_2012-12-29T00:00:00.000Z_2013-01-10T08:00:00.000Z_2013-01-10T08:13:47.830Z_v9\",\"overshadowed\":false}" + "payload": "{\"overshadowed\":false,\"dataSource\":\"auth_test\",\"interval\":\"2012-12-29T00:00:00.000Z/2013-01-10T08:00:00.000Z\",\"version\":\"2013-01-10T08:13:47.830Z_v9\",\"loadSpec\":{\"load spec is pruned, because it's not needed on Brokers, but eats a lot of heap space\":\"\"},\"dimensions\":\"anonymous,area_code,city,continent_code,country_name,dma_code,geo,language,namespace,network,newpage,page,postal_code,region_lookup,robot,unpatrolled,user\",\"metrics\":\"added,count,deleted,delta,delta_hist,unique_users,variation\",\"shardSpec\":{\"type\":\"none\"},\"binaryVersion\":9,\"size\":446027801,\"identifier\":\"auth_test_2012-12-29T00:00:00.000Z_2013-01-10T08:00:00.000Z_2013-01-10T08:13:47.830Z_v9\"}" } ] diff --git a/licenses.yaml b/licenses.yaml index 467b5b16289..1a25d085785 100644 --- a/licenses.yaml +++ b/licenses.yaml 
@@ -196,10 +196,11 @@ name: Jackson license_category: binary module: java-core license_name: Apache License version 2.0 -version: 2.6.7 +version: 2.9.10 libraries: - com.fasterxml.jackson.core: jackson-annotations - com.fasterxml.jackson.core: jackson-core + - com.fasterxml.jackson.core: jackson-databind - com.fasterxml.jackson.dataformat: jackson-dataformat-cbor - com.fasterxml.jackson.dataformat: jackson-dataformat-smile - com.fasterxml.jackson.datatype: jackson-datatype-guava @@ -232,37 +233,6 @@ notice: | --- -name: Jackson -license_category: binary -module: java-core -license_name: Apache License version 2.0 -version: 2.6.7.3 -libraries: - - com.fasterxml.jackson.core: jackson-databind -notice: | - # Jackson JSON processor - - Jackson is a high-performance, Free/Open Source JSON processing library. - It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has - been in development since 2007. - It is currently developed by a community of developers, as well as supported - commercially by FasterXML.com. - - ## Licensing - - Jackson core and extension components may licensed under different licenses. - To find the details that apply to this artifact see the accompanying LICENSE file. - For more information, including possible other licensing options, contact - FasterXML.com (http://fasterxml.com). - - ## Credits - - A list of contributors may be found from CREDITS file, which is included - in some artifacts (usually source distributions); but is always available - from the source code management (SCM) system project uses. - ---- - name: Caffeine license_category: binary module: java-core @@ -1165,7 +1135,7 @@ name: Apache Calcite Avatica license_category: binary module: java-core license_name: Apache License version 2.0 -version: 1.12.0 +version: 1.15.0 libraries: - org.apache.calcite.avatica: avatica-core - org.apache.calcite.avatica: avatica-metrics diff --git a/pom.xml b/pom.xml index 5dfa4d009ff..d3cacfb1313 100644 --- a/pom.xml 
+++ b/pom.xml @@ -78,7 +78,7 @@ 0.9.0.M2 4.1.0 2.12.0 - 1.12.0 + 1.15.0 1.9.1 1.21.0 10.14.2.0 @@ -88,8 +88,7 @@ 1.3 9.4.12.v20180830 1.19.3 - - 2.6.7 + 2.9.10 1.9.13 2.8.2 3.10.6.Final @@ -429,7 +428,7 @@ com.fasterxml.jackson.core jackson-databind - ${jackson.version}.3 + ${jackson.version} com.fasterxml.jackson.datatype @@ -441,6 +440,15 @@ jackson-datatype-joda ${jackson.version} + + + com.fasterxml.jackson.dataformat + jackson-dataformat-cbor + ${jackson.version} + com.fasterxml.jackson.dataformat jackson-dataformat-smile diff --git a/processing/src/test/java/org/apache/druid/query/select/SelectQueryTest.java b/processing/src/test/java/org/apache/druid/query/select/SelectQueryTest.java index d3814007428..9c2db04b1f1 100644 --- a/processing/src/test/java/org/apache/druid/query/select/SelectQueryTest.java +++ b/processing/src/test/java/org/apache/druid/query/select/SelectQueryTest.java @@ -53,7 +53,7 @@ public class SelectQueryTest { final String exceptionMessage = StringUtils.format( - "Instantiation of [simple type, class org.apache.druid.query.select.SelectQuery] value failed: %s", + "Cannot construct instance of `org.apache.druid.query.select.SelectQuery`, problem: %s", SelectQuery.REMOVED_ERROR_MESSAGE ); expectedException.expect(JsonMappingException.class); diff --git a/server/src/test/java/org/apache/druid/guice/FirehoseModuleTest.java b/server/src/test/java/org/apache/druid/guice/FirehoseModuleTest.java index e4f034032e0..8ecc93dece2 100644 --- a/server/src/test/java/org/apache/druid/guice/FirehoseModuleTest.java +++ b/server/src/test/java/org/apache/druid/guice/FirehoseModuleTest.java @@ -19,7 +19,6 @@ package org.apache.druid.guice; -import com.fasterxml.jackson.databind.AnnotationIntrospector; import com.fasterxml.jackson.databind.Module; import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.cfg.MapperConfig; 
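Review bot: In the `jackson-databind` entry the version changes from `${jackson.version}.3` to `${jackson.version}`, which removes the only place where databind could be moved to a micro-patch release independently of the other Jackson modules. The previous `2.6.7.3` shows that databind gets four-part releases while the rest of the family stays on the three-part version, and such releases typically carry fixes that matter for a deserialization library. A dedicated property, for example `jackson.databind.version` defaulting to `${jackson.version}`, with a short comment on why it exists, would keep the next databind-only upgrade a one-line change. The XML tags around these lines are not visible in the hunk, so exact placement is for the author to confirm.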
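Review bot: The expected message in the SelectQueryTest hunk pins Jackson's own wording (`Cannot construct instance of ..., problem: %s`), which is exactly the text this upgrade had to rewrite; the DataSchemaTest and RequestLoggerProviderTest hunks have the same pattern. Since the exception type is already asserted, matching only the project-owned part, e.g. `expectedException.expectMessage(SelectQuery.REMOVED_ERROR_MESSAGE);`, would survive the next library upgrade without weakening the check. How `exceptionMessage` is used lies outside the hunk, so this assumes it only feeds `expectMessage`.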
@@ -69,8 +68,7 @@ public class FirehoseModuleTest { Class parentClass = FirehoseFactory.class; MapperConfig config = objectMapper.getDeserializationConfig(); - AnnotationIntrospector annotationIntrospector = config.getAnnotationIntrospector(); - AnnotatedClass ac = AnnotatedClass.constructWithoutSuperTypes(parentClass, annotationIntrospector, config); + AnnotatedClass ac = AnnotatedClass.constructWithoutSuperTypes(parentClass, config); Collection subtypes = objectMapper.getSubtypeResolver().collectAndResolveSubtypesByClass(config, ac); Assert.assertNotNull(subtypes); return subtypes.stream() diff --git a/server/src/test/java/org/apache/druid/segment/indexing/DataSchemaTest.java b/server/src/test/java/org/apache/druid/segment/indexing/DataSchemaTest.java index 29842276bad..de674ae5fcf 100644 --- a/server/src/test/java/org/apache/druid/segment/indexing/DataSchemaTest.java +++ b/server/src/test/java/org/apache/druid/segment/indexing/DataSchemaTest.java @@ -282,7 +282,7 @@ public class DataSchemaTest expectedException.expect(CoreMatchers.instanceOf(IllegalArgumentException.class)); expectedException.expectCause(CoreMatchers.instanceOf(JsonMappingException.class)); expectedException.expectMessage( - "Instantiation of [simple type, class org.apache.druid.data.input.impl.StringInputRowParser] value failed: parseSpec" + "Cannot construct instance of `org.apache.druid.data.input.impl.StringInputRowParser`, problem: parseSpec" ); // Jackson creates a default type parser (StringInputRowParser) for an invalid type. diff --git a/server/src/test/java/org/apache/druid/server/log/RequestLoggerProviderTest.java b/server/src/test/java/org/apache/druid/server/log/RequestLoggerProviderTest.java index 49142550a66..0f9ece45a11 100644 --- a/server/src/test/java/org/apache/druid/server/log/RequestLoggerProviderTest.java +++ b/server/src/test/java/org/apache/druid/server/log/RequestLoggerProviderTest.java 
@@ -85,7 +85,7 @@ public class RequestLoggerProviderTest ); expectedException.expect(ProvisionException.class); - expectedException.expectMessage("missing property 'type'"); + expectedException.expectMessage("missing type id property 'type'"); configurator.configurate( properties,