Fix critical security issues

[externalapi/nbi.git] / src / main / java / org / onap / nbi / commons / JacksonFilter.java

diff --git a/src/main/java/org/onap/nbi/commons/JacksonFilter.java b/src/main/java/org/onap/nbi/commons/JacksonFilter.java
index bc173c3..97f6cf2 100644 (file)
--- a/src/main/java/org/onap/nbi/commons/JacksonFilter.java
+++ b/src/main/java/org/onap/nbi/commons/JacksonFilter.java
@@ -1,5 +1,21 @@
+/**
+ *     Copyright (c) 2018 Orange
+ *
+ *     Licensed under the Apache License, Version 2.0 (the "License");
+ *     you may not use this file except in compliance with the License.
+ *     You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *     Unless required by applicable law or agreed to in writing, software
+ *     distributed under the License is distributed on an "AS IS" BASIS,
+ *     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *     See the License for the specific language governing permissions and
+ *     limitations under the License.
+ */
 package org.onap.nbi.commons;
 
+import com.fasterxml.jackson.databind.MappingJsonFactory;
 import java.math.BigDecimal;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -18,8 +34,10 @@ import com.fasterxml.jackson.databind.node.ObjectNode;
 
 public class JacksonFilter {
 
-    private final static List<String> SKIPPED_FIELDS = Arrays.asList("internalId");
+    private static final List<String> SKIPPED_FIELDS = Arrays.asList("internalId");
 
+    private JacksonFilter() {
+    }
 
     public static <R> List<ObjectNode> createNodes(List<R> list, JsonRepresentation jsonRepresentation) {
 
@@ -42,7 +60,7 @@ public class JacksonFilter {
     }
 
     public static <R> ObjectNode createNode(R bean, JsonRepresentation jsonRepresentation) {
-        ObjectMapper mapper = new ObjectMapper();
+        ObjectMapper mapper = new ObjectMapper(new MappingJsonFactory());
         return JacksonFilter.createNode(mapper, bean, jsonRepresentation.getAttributes());
     }
 
@@ -50,7 +68,7 @@ public class JacksonFilter {
         // split fieldNames in 2 categories :
         // simpleFields for simple property names with no '.'
         // nestedFields for nested property names with a '.'
-        Set<String> simpleFields = new LinkedHashSet<String>();
+        Set<String> simpleFields = new LinkedHashSet<>();
         MultiValueMap nestedFields = new LinkedMultiValueMap();
         buildFields(names, simpleFields, nestedFields);
 
@@ -71,7 +89,7 @@ public class JacksonFilter {
                 if (nestedBean == null) {
                     continue;
                 }
-                Set<String> nestedFieldNames = new LinkedHashSet<String>(entry.getValue());
+                Set<String> nestedFieldNames = new LinkedHashSet<>(entry.getValue());
                 // current node is an array or a list
                 if ((nestedBean.getClass().isArray()) || (Collection.class.isAssignableFrom(nestedBean.getClass()))) {
                     handleListNode(mapper, rootNode, rootFieldName, nestedBean, nestedFieldNames);
@@ -118,7 +136,7 @@ public class JacksonFilter {
         if (array.length > 0) {
             // create a node for each element in array
             // and add created node in an arrayNode
-            Collection<JsonNode> nodes = new LinkedList<JsonNode>();
+            Collection<JsonNode> nodes = new LinkedList<>();
             for (Object object : array) {
                 ObjectNode nestedNode = JacksonFilter.createNode(mapper, object, nestedFieldNames);
                 if ((nestedNode != null) && (nestedNode.size() > 0)) {