Skip to content

Jackson configuration in 4.2.4 broke deserialization #3732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
awesomekosm opened this issue Jun 22, 2020 · 5 comments
Closed

Jackson configuration in 4.2.4 broke deserialization #3732

awesomekosm opened this issue Jun 22, 2020 · 5 comments
Labels
status: waiting-for-triage Issues that we did not analyse yet type: bug

Comments

@awesomekosm
Copy link

Bug description
#3729 ported to 4.2.4 and pulled in springboot 2.3.1 broke old jobs context.

Environment
Spring Batch 2.3.1, jdk 11, PostgreSQL

Steps to reproduce

  1. Configure and run a job with springboot 2.3.0.
  2. call jobExplorer.getJobExecution(executionId) using execution id of a job ran in a previous step
  3. Bump springboot to 2.3.1
  4. call jobExplorer.getJobExecution(executionId) using execution id of a job ran in a previous step
  5. Expect a stacktrace
java.lang.IllegalArgumentException: Unable to deserialize the execution context
  at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:328) ~[spring-batch-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
  at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:312) ~[spring-batch-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
  at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:94) ~[spring-jdbc-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:61) ~[spring-jdbc-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:679) ~[spring-jdbc-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:617) ~[spring-jdbc-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:669) ~[spring-jdbc-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:700) ~[spring-jdbc-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:712) ~[spring-jdbc-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:768) ~[spring-jdbc-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao.getExecutionContext(JdbcExecutionContextDao.java:114) ~[spring-batch-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
  at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecutionDependencies(SimpleJobExplorer.java:232) ~[spring-batch-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
  at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecution(SimpleJobExplorer.java:141) ~[spring-batch-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
  at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344) ~[spring-aop-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198) ~[spring-aop-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.batch.core.configuration.annotation.SimpleBatchConfiguration$PassthruAdvice.invoke(SimpleBatchConfiguration.java:127) ~[spring-batch-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.7.RELEASE.jar:5.2.7.RELEASE]
  at com.sun.proxy.$Proxy123.getJobExecution(Unknown Source) ~[na:na]

SKIPPED trace

Caused by: com.fasterxml.jackson.databind.exc.InvalidTypeIdException: Missing type id when trying to resolve subtype of [map type; class java.util.HashMap, [simple type, class java.lang.String] -> [simple type, class java.lang.Object]]: missing type id property '@class'
 at [Source: (ByteArrayInputStream); line: 1, column: 2]
  at com.fasterxml.jackson.databind.exc.InvalidTypeIdException.from(InvalidTypeIdException.java:43) ~[jackson-databind-2.11.0.jar:2.11.0]
  at com.fasterxml.jackson.databind.DeserializationContext.missingTypeIdException(DeserializationContext.java:1790) ~[jackson-databind-2.11.0.jar:2.11.0]
  at com.fasterxml.jackson.databind.DeserializationContext.handleMissingTypeId(DeserializationContext.java:1319) ~[jackson-databind-2.11.0.jar:2.11.0]
  at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._handleMissingTypeId(TypeDeserializerBase.java:303) ~[jackson-databind-2.11.0.jar:2.11.0]
  at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedUsingDefaultImpl(AsPropertyTypeDeserializer.java:166) ~[jackson-databind-2.11.0.jar:2.11.0]
  at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:107) ~[jackson-databind-2.11.0.jar:2.11.0]
  at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserializeWithType(MapDeserializer.java:400) ~[jackson-databind-2.11.0.jar:2.11.0]
  at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:68) ~[jackson-databind-2.11.0.jar:2.11.0]
  at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4482) ~[jackson-databind-2.11.0.jar:2.11.0]
  at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3479) ~[jackson-databind-2.11.0.jar:2.11.0]
  at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:123) ~[spring-batch-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
  at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:102) ~[spring-batch-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
  at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:325) ~[spring-batch-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
  ... 128 common frames omitted

batch_job_execution_context table values change. All job executions before 886 blow up with above.
image

Expected behavior
No exception occurs in deserialization
@awesomekosm awesomekosm added status: waiting-for-triage Issues that we did not analyse yet type: bug labels Jun 22, 2020
@mminella
Copy link
Member

@Z-EMB This is due to a fix we applied to address CVE-2020-5411. The javadoc for the Jackson2ExecutionContextStringSerializer calls out the options for this situation. I'm closing this issue now. If one of those options do not work for you, then please re-open the issue and we can dig in further.

@awesomekosm
Copy link
Author

@mminella Fixing a security vulnerability makes sense.

But this is a patch version change in spring batch. It is unexpected to have an exception occur.

If this was a major version upgrade, I'd be happy to introduce my own object mapper to make sure it's backwards compatible.

@mminella
Copy link
Member

@Z-EMB If there was a way to fix it without a code change, we would be happy to do so, however this is the only way to fix the CVE. Given that the Spring Batch 4.2 line is still supported, we had to make this change there. We do regret the inconvenience it will cause but I think everyone would agree that the update is worth running the most secure library possible. To be clear, you can re-configure your ObjectMapper implementation to be configured the same as it was before the change if you are 100% sure you are not at risk for that vulnerability.

@mminella mminella mentioned this issue Jun 23, 2020
Closed
@fprochazka fprochazka mentioned this issue Aug 24, 2020
Closed
@sydseter sydseter mentioned this issue Sep 27, 2020
Closed
@fmbenhassine fmbenhassine mentioned this issue Jan 5, 2021
Closed
@de-jcup de-jcup mentioned this issue Jan 11, 2021
Closed
@hpoettker hpoettker mentioned this issue Jan 31, 2022
Closed
@moulikrishna55
Copy link

we have recently migrated our batch from 4.2.1 to 4.3.5 and we are seeing that Jackson configuration in 4.3.5 broke deserialization we tried clearing up our batch tables but that didn't solve our issue can some one suggest us ?

@moulikrishna55
Copy link

Wierd issue is that even we dropped batch tables and ran out batch job expecting table not found errors but we are still seeing the job was unable to deserialize execution context

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: waiting-for-triage Issues that we did not analyse yet type: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mminella @awesomekosm @moulikrishna55