Description
As part of CVE-2020-5411, which was found for Spring Batch 4.0.3, we need to upgrade Spring Batch to 4.2.4. Our environment contains Spring Boot 2.0.9 with Spring Framework 5.0.13, and we have now upgraded spring-batch to 4.2.4 (Java version 1.8.0_202).
I have created a new environment based on this setup that creates a workflow. At some point the code tries to call "getJobExecution" and fails with the following error:
```
java.lang.IllegalArgumentException: The class with com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor and name of com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor is not trusted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing.
	at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer$TrustedTypeIdResolver.typeFromId(Jackson2ExecutionContextStringSerializer.java:329)
	at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:156)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:113)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:97)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:193)
	at com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deserializeWithType(UntypedObjectDeserializer.java:712)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:529)
	... 127 common frames omitted
Wrapped by: com.fasterxml.jackson.databind.JsonMappingException: The class with com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor and name of com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor is not trusted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing. (through reference chain: java.util.HashMap["vmFilesDescriptor"])
	at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:397)
	at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:356)
	at com.fasterxml.jackson.databind.deser.std.ContainerDeserializerBase.wrapAndThrow(ContainerDeserializerBase.java:181)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:539)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:364)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:29)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:130)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:97)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserializeWithType(MapDeserializer.java:400)
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:68)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4218)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3259)
	at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:123)
	at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:102)
	at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:325)
	... 116 common frames omitted
Wrapped by: java.lang.IllegalArgumentException: Unable to deserialize the execution context
	at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:328)
	at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:312)
	at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:93)
	at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:60)
	at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:666)
	at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:604)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:656)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:687)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:699)
	at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:755)
	at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao.getExecutionContext(JdbcExecutionContextDao.java:114)
	at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecutionDependencies(SimpleJobExplorer.java:232)
	at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecution(SimpleJobExplorer.java:141)
	at com.emc.cloud_dr.infra.workflow.utils.JobExecutionUtil.getJobExecutionOptional(JobExecutionUtil.java:118)
```
I have tried to activate default typing with a PolymorphicTypeValidator, but it failed to solve the issue.
I tried to downgrade to 4.2.3, but a similar issue happened.
```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Attempted workaround: allow our own packages and java.util through a validator,
// then enable default typing on the application's ObjectMapper (configured elsewhere).
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
        .allowIfBaseType("com.emc.cloud_dr.")
        .allowIfBaseType("java.util.")
        .build();
objectMapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
```
Bug description
1. Create a workflow that persists several jobParameters.
2. At some stage, call getJobExecution.
3. The failure occurs.
Environment
Spring Batch 4.2.4, Spring Boot 2.0.9 with Spring Framework 5.0.13, Java version 1.8.0_202, H2 DB.
Steps to reproduce
1. Create a workflow that persists several jobParameters.
2. At some stage, call getJobExecution.
3. The failure occurs.
Expected behavior
Get the job execution and continue as before.
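An added example, not code from the report above or from Spring Batch itself, showing the configuration that keeps the CVE-2020-5411 whitelist in place while trusting the one application type named in the trace. The check that fails is Jackson2ExecutionContextStringSerializer$TrustedTypeIdResolver, i.e. the serializer's own mapper, so a PolymorphicTypeValidator configured on a separate ObjectMapper is never consulted. The trace also shows the read going through SimpleJobExplorer -> JdbcExecutionContextDao, so the same serializer has to be installed on the JobExplorer, not only on the JobRepository. The serializer constructor taking trusted class names is the one 4.2.4 provides for this (check the javadoc of the exact build in use); class and package names below are assumptions, and the trusted class name string is the one from the stack trace.

```java
package com.example.batchconfig; // hypothetical package, not from the report

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Map;

import javax.sql.DataSource;

import org.springframework.batch.core.configuration.annotation.DefaultBatchConfigurer;
import org.springframework.batch.core.explore.JobExplorer;
import org.springframework.batch.core.explore.support.JobExplorerFactoryBean;
import org.springframework.batch.core.repository.ExecutionContextSerializer;
import org.springframework.batch.core.repository.JobRepository;
import org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer;
import org.springframework.batch.core.repository.support.JobRepositoryFactoryBean;
import org.springframework.stereotype.Component;

/**
 * Added example (not from the report). Spring Batch 4.2.x keeps a trusted-type
 * whitelist inside Jackson2ExecutionContextStringSerializer; extra classes are
 * trusted through the serializer's constructor, and the serializer must be given
 * to both the JobRepository and the JobExplorer, because getJobExecution() reads
 * BATCH_*_EXECUTION_CONTEXT rows through SimpleJobExplorer -> JdbcExecutionContextDao.
 */
@Component
public class TrustedSerializerBatchConfigurer extends DefaultBatchConfigurer {

    // Only your own plain data classes belong here. Every entry re-enables
    // polymorphic deserialization of that type from the batch tables, so anyone
    // who can write those rows can instantiate it; never list generic or
    // framework types to "make the error go away".
    private static final String[] TRUSTED_CLASS_NAMES = {
        "com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor"
    };

    private final DataSource dataSource;
    private final ExecutionContextSerializer serializer;

    public TrustedSerializerBatchConfigurer(DataSource dataSource) {
        super(dataSource);
        this.dataSource = dataSource;
        // One serializer instance shared by repository and explorer.
        this.serializer = new Jackson2ExecutionContextStringSerializer(TRUSTED_CLASS_NAMES);
    }

    @Override
    protected JobRepository createJobRepository() throws Exception {
        JobRepositoryFactoryBean factory = new JobRepositoryFactoryBean();
        factory.setDataSource(dataSource);
        factory.setTransactionManager(getTransactionManager());
        factory.setSerializer(serializer);
        factory.afterPropertiesSet();
        return factory.getObject();
    }

    @Override
    protected JobExplorer createJobExplorer() throws Exception {
        JobExplorerFactoryBean factory = new JobExplorerFactoryBean();
        factory.setDataSource(dataSource);
        factory.setSerializer(serializer); // same whitelist on the read path
        factory.afterPropertiesSet();
        return factory.getObject();
    }

    /**
     * Check helper (hypothetical): round-trip a context map through the serializer.
     * With an untrusted value type this throws the same IllegalArgumentException
     * seen in the trace; with the type trusted it returns the rebuilt map.
     */
    static Map<String, Object> roundTrip(ExecutionContextSerializer s, Map<String, Object> ctx)
            throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        s.serialize(ctx, out);
        return s.deserialize(new ByteArrayInputStream(out.toByteArray()));
    }
}
```

Calling `roundTrip(serializer, map)` from a test with a map that holds a VmFilesDescriptor under the key "vmFilesDescriptor" reproduces the failure without a database when the class is not listed, and passes once it is. Spring Boot only registers its own BatchConfigurer when no bean of that type exists, so this component replaces it.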