346081 – Insecure behavior of <xml-transient/> vs @XmlTransient

Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 346081 - Insecure behavior of <xml-transient/> vs @XmlTransient

Summary: Insecure behavior of <xml-transient/> vs @XmlTransient

Status:	RESOLVED FIXED

Alias:	None

Product:	z_Archived
Classification:	Eclipse Foundation
Component:	Eclipselink (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P3 minor with 1 vote (vote)
Target Milestone:	---
Assignee:	Nobody - feel free to take it
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2011-05-17 09:04 EDT by Xyan Kruse
Modified:	2022-06-09 10:35 EDT (History)
CC List:	3 users (show)

See Also:

Attachments
Possible solution (801 bytes, patch) 2011-05-17 10:50 EDT, Xyan Kruse	denise.mahar: iplog+	Details \| Diff
Patch as proposed plus test case (12.68 KB, patch) 2011-05-19 10:37 EDT, Denise Smith	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Xyan Kruse

2011-05-17 09:04:09 EDT

Build Identifier: 2.2.0.v20110202-r8913

While finalizing properties @XmlTransient marked properties got skipped <xml-transient/> marked ones not.
These can break context creation in case the property points to an transient marked class and throws JAXBException.

Exception:
JAXBException - Property [*] in class [*] references a class [*] that is marked transient, which is not allowed.
on: finalizeProperties(AnnotationsProcessor.java:648)

The error is caused on AnnotationsProcessor:
599            // add properties
600            info.setProperties(getPropertiesForClass(javaClass, info));
601
602            // process properties
603            processTypeInfoProperties(javaClass, info);

An possible solution would be when processTypeInfoProperties(*) finds out that a property is transient via orm it should be removed from TypeInfo internal list.

Reproducible: Always

Steps to Reproduce:
1. use orm to mark an property and its type transient
2. try to create an JAXBContext

Comment 1 Xyan Kruse

2011-05-17 10:48:45 EDT

http://dev.eclipse.org/svnroot/rt/org.eclipse.persistence/trunk/moxy/org.eclipse.persistence.moxy/src/org/eclipse/persistence/jaxb/compiler/XMLProcessor.java
Index: XMLProcessor.java
===================================================================
--- XMLProcessor.java	(Revision 9398)
+++ XMLProcessor.java	(Arbeitskopie)
@@ -453,6 +453,10 @@
                 }

                 

                 processJavaAttribute(typeInfo, javaAttribute, propToProcess, nsInfo, javaType);

+                // (Bug 346081) if discover an transient attribute apply same behavior as transient annotation and remove

+                if(propToProcess.isTransient()){

+                    typeInfo.getPropertyList().remove(propToProcess);

+                }

 

                 // if we are dealing with multiple mappings for the same attribute, leave the existing

                 // property as-is and update the additionalProperties list on the owning TypeInfo

Comment 2 Xyan Kruse

2011-05-17 10:50:54 EDT

Created attachment 195868 [details]
Possible solution

Comment 3 Denise Smith

2011-05-19 10:37:25 EDT

Created attachment 196115 [details]
Patch as proposed plus test case

Comment 4 Denise Smith

2011-05-19 10:53:41 EDT

Fixed to remove the property from the list of properties if it is transient as proposed.

Comment 5 Eclipse Webmaster

2022-06-09 10:16:28 EDT

The Eclipselink project has moved to Github: https://github.com/eclipse-ee4j/eclipselink

Comment 6 Eclipse Webmaster

2022-06-09 10:35:27 EDT

The Eclipselink project has moved to Github: https://github.com/eclipse-ee4j/eclipselink