After upgrade to spring batch 4.2.4 the application fails to getJobExecution #3733

Closed
@oferfg4a

Description

As part of CVE-2020-5411, which was found for Spring Batch 4.0.3, we need to upgrade Spring Batch to 4.2.4. Our environment contains Spring Boot 2.0.9 with Spring Framework 5.0.13, and spring-batch is now upgraded to 4.2.4 (Java version 1.8.0_202).

I have created a new environment based on this setup that creates a workflow. At some point the code tries to "getJobExecution" and fails with the following error:

```
java.lang.IllegalArgumentException: The class with com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor and name of com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor is not trusted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing.
    at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer$TrustedTypeIdResolver.typeFromId(Jackson2ExecutionContextStringSerializer.java:329)
    at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:156)
    at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:113)
    at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:97)
    at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:193)
    at com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deserializeWithType(UntypedObjectDeserializer.java:712)
    at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:529)
    ... 127 common frames omitted
Wrapped by: com.fasterxml.jackson.databind.JsonMappingException: The class with com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor and name of com.emc.cloud_dr.cdr.commons.common_models.restore_service.VmFilesDescriptor is not trusted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing. (through reference chain: java.util.HashMap["vmFilesDescriptor"])
    at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:397)
    at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:356)
    at com.fasterxml.jackson.databind.deser.std.ContainerDeserializerBase.wrapAndThrow(ContainerDeserializerBase.java:181)
    at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:539)
    at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:364)
    at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:29)
    at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:130)
    at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:97)
    at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserializeWithType(MapDeserializer.java:400)
    at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:68)
    at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4218)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3259)
    at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:123)
    at org.springframework.batch.core.repository.dao.Jackson2ExecutionContextStringSerializer.deserialize(Jackson2ExecutionContextStringSerializer.java:102)
    at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:325)
    ... 116 common frames omitted
Wrapped by: java.lang.IllegalArgumentException: Unable to deserialize the execution context
    at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:328)
    at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao$ExecutionContextRowMapper.mapRow(JdbcExecutionContextDao.java:312)
    at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:93)
    at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:60)
    at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:666)
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:604)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:656)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:687)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:699)
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:755)
    at org.springframework.batch.core.repository.dao.JdbcExecutionContextDao.getExecutionContext(JdbcExecutionContextDao.java:114)
    at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecutionDependencies(SimpleJobExplorer.java:232)
    at org.springframework.batch.core.explore.support.SimpleJobExplorer.getJobExecution(SimpleJobExplorer.java:141)
    at com.emc.cloud_dr.infra.workflow.utils.JobExecutionUtil.getJobExecutionOptional(JobExecutionUtil.java:118)
```

I have tried to activate default typing with PolymorphicTypeValidator but it failed to solve the issue.
I tried to downgrade to 4.2.3 but a similar issue happened.

```java
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator
        .builder()
        .allowIfBaseType("com.emc.cloud_dr.")
        .allowIfBaseType("java.util.")
        .build();
objectMapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
```

Bug description
1. Create a workflow that persists several jobParameters
2. At some stage, getJobExecution
3. Failure occurs

Environment
Please provide as many details as possible: Spring Batch version, Java version, which database you use if any, etc

Spring Batch 4.2.4, Spring Boot 2.0.9 with Spring Framework 5.0.13, Java version 1.8.0_202, H2 DB.

Steps to reproduce
1. Create a workflow that persists several jobParameters
2. At some stage, getJobExecution
3. Failure occurs

Expected behavior
Get the job execution and continue as before.
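
An added example, not code from the issue or from Spring Batch: with plain Jackson (2.10 or later), how `BasicPolymorphicTypeValidator` treats base-type and subtype rules when reading a `Map<String, Object>`, the shape the reference chain `java.util.HashMap["vmFilesDescriptor"]` in the trace points at. The package `com.example.demo`, the class `PtvDemo` and the stand-in `VmFilesDescriptor` are constructed for illustration, and Spring Batch's own serializer is not involved.

```java
package com.example.demo; // constructed package name

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import java.util.HashMap;
import java.util.Map;

public class PtvDemo {
    // Constructed stand-in for an application class stored in an execution context.
    public static class VmFilesDescriptor {
        public String path = "/constructed/sample.vmdk";
    }

    // Round-trips a Map<String, Object>; false means the validator denied the value's type id.
    static boolean roundTrips(PolymorphicTypeValidator ptv) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        Map<String, Object> context = new HashMap<>();
        context.put("vmFilesDescriptor", new VmFilesDescriptor());
        String json = mapper.writeValueAsString(context); // writing does not consult the validator
        try {
            Object value = mapper.readValue(json, HashMap.class).get("vmFilesDescriptor");
            return value instanceof VmFilesDescriptor;
        } catch (InvalidTypeIdException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Base-type rules only: the map values are declared as Object, which matches
        // neither prefix, so the nested class name is not allowed on read.
        PolymorphicTypeValidator baseOnly = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType("com.example.demo.")
                .allowIfBaseType("java.util.")
                .build();
        // A subtype rule matches the concrete class name carried in the JSON type id.
        PolymorphicTypeValidator withSubType = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType("java.util.")
                .allowIfSubType("com.example.demo.")
                .build();
        System.out.println("base-type rules only: " + roundTrips(baseOnly));
        System.out.println("with subtype rule:    " + roundTrips(withSubType));
    }
}
```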
