update jackson and jackson-databind to 2.13.3 (#13945)

In jackson-databind 2.10, enabling Default Typing requires having a type validator, and while there's an "allow all" validator called LaissezFaireSubTypeValidator, this commit also tightens the validation a bit by narrowing down the allowed classes.

The default typing validator is only applied to the ObjectMapper for CBOR, which is used in the DLQ, leaving the one for JSON as-is.

Other changes:
* make ingest-converter use versions.yml for jackson-databind
* update jrjackson

logstash-core/src/main/java/org/logstash/ObjectMappers.java

@@ -29,12 +29,14 @@ import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializerProvider;
 import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
+import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
 import com.fasterxml.jackson.databind.jsontype.TypeSerializer;
 import com.fasterxml.jackson.databind.module.SimpleModule;
 import com.fasterxml.jackson.databind.ser.std.StdScalarSerializer;
 import com.fasterxml.jackson.databind.ser.std.StdSerializer;
 import com.fasterxml.jackson.dataformat.cbor.CBORFactory;
 import com.fasterxml.jackson.dataformat.cbor.CBORGenerator;
+import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
 import java.io.IOException;
 import java.math.BigDecimal;
 import java.math.BigInteger;
@@ -70,10 +72,20 @@ public final class ObjectMappers {
     public static final ObjectMapper JSON_MAPPER =
         new ObjectMapper().registerModule(RUBY_SERIALIZERS);
 
+    public static final PolymorphicTypeValidator TYPE_VALIDATOR = BasicPolymorphicTypeValidator.builder()
+            .allowIfBaseType(java.util.HashMap.class)
+            .allowIfSubType(org.jruby.RubyNil.class)
+            .allowIfSubType(org.jruby.RubyString.class)
+            .allowIfSubType(org.logstash.ConvertedMap.class)
+            .allowIfSubType(org.logstash.ConvertedList.class)
+            .allowIfSubType(org.logstash.Timestamp.class)
+            .build();
+
     public static final ObjectMapper CBOR_MAPPER = new ObjectMapper(
         new CBORFactory().configure(CBORGenerator.Feature.WRITE_MINIMAL_INTS, false)
     ).registerModules(RUBY_SERIALIZERS, CBOR_DESERIALIZERS)
-        .enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
+            .activateDefaultTyping(TYPE_VALIDATOR, ObjectMapper.DefaultTyping.NON_FINAL);
+
 
     /**
      * {@link JavaType} for the {@link HashMap} that {@link Event} is serialized as.

tools/ingest-converter/build.gradle

@@ -24,6 +24,7 @@ def versionMap = (Map) (new Yaml()).load(new File("$projectDir/../../versions.ym
 
 description = """Ingest JSON to Logstash Grok Config Converter"""
 version = versionMap['logstash-core']
+String jacksonDatabindVersion = versionMap['jackson-databind']
 
 repositories {
   mavenCentral()
@@ -42,7 +43,7 @@ buildscript {
 
 dependencies {
   implementation 'net.sf.jopt-simple:jopt-simple:4.6'
-  implementation 'com.fasterxml.jackson.core:jackson-databind:2.13.2'
+  implementation "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}"
   testImplementation "junit:junit:4.12"
   testImplementation 'commons-io:commons-io:2.5'
 }

versions.yml

@@ -24,6 +24,6 @@ jruby:
 # Note: this file is copied to the root of logstash-core because its gemspec needs it when
 #       bundler evaluates the gemspec via bin/logstash
 # Ensure Jackson version here is kept in sync with version used by jrjackson gem
-jrjackson: 0.4.14
-jackson: 2.9.10
-jackson-databind: 2.9.10.8
+jrjackson: 0.4.15
+jackson: 2.13.3
+jackson-databind: 2.13.3