Fix #247: add optional enforcement of root element name (#841)

Author: cowtowncoder

release-notes/CREDITS

@@ -39,6 +39,11 @@ Christopher McVay (@mcvayc)
  * Fixed #306: Can not use `@JacksonXmlText` for Creator property (creator parameter)
   (3.2.0)
 
+Leonard Meyer (@LeonardMeyer)
+ * Reported #247: `@JacksonXmlRootElement` does not enforce the local name during
+  deserialization (add `XmlReadFeature.ENFORCE_ROOT_ELEMENT_NAME`)
+  (3.2.0)
+
 Tobias M (@lightbringer)
  * Reported #248: `@JacksonXmlProperty` with attributes raises an exception
    when used with `@JsonIdentityInfo`

release-notes/VERSION

@@ -18,6 +18,10 @@ Version: 3.x (for earlier see VERSION-2.x)
 #192: Two wrapped lists with items of same name conflict
  (reported by @TeemuStenhammar)
  (fix by @cowtowncoder, w/ Claude code)
+#247: `@JacksonXmlRootElement` does not enforce the local name during
+  deserialization (add `XmlReadFeature.ENFORCE_ROOT_ELEMENT_NAME`)
+ (reported by Leonard M)
+ (fix by @cowtowncoder, w/ Claude code)
 #248: `@JacksonXmlProperty` with attributes raises an exception when used
   with `@JsonIdentityInfo`
  (reported by Tobias M)

src/main/java/tools/jackson/dataformat/xml/XmlReadFeature.java

@@ -42,6 +42,24 @@ public enum XmlReadFeature implements FormatFeature
      */
     EMPTY_ELEMENT_AS_NULL(false),
 
+    /**
+     * Feature that controls whether the name of the root XML element is
+     * verified against the expected root name during deserialization. The expected
+     * root name is determined from {@code @JsonRootName}, {@code @JacksonXmlRootElement},
+     * or the simple class name of the target type (in that priority order).
+     *<p>
+     * When enabled, a mismatch between the actual root element name and the expected
+     * name will result in a {@link tools.jackson.databind.exc.MismatchedInputException}.
+     * When disabled (the default), any root element name is accepted.
+     * Note that Fully-Qualified Names (FQN) comparison is used: that is, both local name
+     * and namespace URI must match.
+     *<p>
+     * Default setting is {@code false} for backwards-compatibility.
+     *
+     * @since 3.2
+     */
+    ENFORCE_ROOT_ELEMENT_NAME(false),
+
     /**
      * Feature that indicates whether XML Schema Instance attribute
      * {@code xsi:nil} will be processed automatically -- to indicate {@code null}

src/main/java/tools/jackson/dataformat/xml/deser/XmlDeserializationContext.java

@@ -1,5 +1,7 @@
 package tools.jackson.dataformat.xml.deser;
 
+import javax.xml.namespace.QName;
+
 import tools.jackson.core.FormatSchema;
 import tools.jackson.core.JacksonException;
 import tools.jackson.core.TokenStreamFactory;
@@ -10,8 +12,11 @@
 import tools.jackson.databind.deser.DeserializationContextExt;
 import tools.jackson.databind.deser.DeserializerCache;
 import tools.jackson.databind.deser.DeserializerFactory;
+import tools.jackson.databind.util.ClassUtil;
 import tools.jackson.databind.util.TokenBuffer;
 import tools.jackson.dataformat.xml.XmlFactory;
+import tools.jackson.dataformat.xml.XmlReadFeature;
+import tools.jackson.dataformat.xml.util.XmlRootNameLookup;
 
 /**
  * XML-specific {@link DeserializationContext} needed to override certain
@@ -22,26 +27,39 @@ public class XmlDeserializationContext
 {
     private final String _xmlTextElementName;
 
+    /**
+     * @since 3.2
+     */
+    protected final XmlRootNameLookup _rootNameLookup;
+
     public XmlDeserializationContext(TokenStreamFactory tsf,
             DeserializerFactory deserializerFactory, DeserializerCache cache,
             DeserializationConfig config, FormatSchema schema,
-            InjectableValues values) {
+            InjectableValues values,
+            XmlRootNameLookup rootNameLookup) {
         super(tsf, deserializerFactory, cache,
                 config, schema, values);
         _xmlTextElementName = ((XmlFactory) tsf).getXMLTextElementName();
+        _rootNameLookup = rootNameLookup;
     }
 
     /*
-    /**********************************************************
+    /**********************************************************************
     /* Overrides we need
-    /**********************************************************
+    /**********************************************************************
      */
 
     @Override
     public Object readRootValue(JsonParser p, JavaType valueType,
             ValueDeserializer<Object> deser, Object valueToUpdate)
         throws JacksonException
     {
+        // [dataformat-xml#247]: Verify root element name if feature enabled
+        if (p instanceof FromXmlParser xp
+                && xp.isEnabled(XmlReadFeature.ENFORCE_ROOT_ELEMENT_NAME)) {
+            _verifyRootElementName(xp, valueType);
+        }
+
         // 18-Sep-2021, tatu: Complicated mess; with 2.12, had [dataformat-xml#374]
         //    to disable handling. With 2.13, via [dataformat-xml#485] undid this change
         if (_config.useRootWrapping()) {
@@ -95,4 +113,53 @@ public String extractScalarFromObject(JsonParser p, ValueDeserializer<?> deser,
     public TokenBuffer bufferForInputBuffering(JsonParser p) {
         return XmlTokenBuffer.xmlBufferForInputBuffering(p, this);
     }
+
+    /*
+    /**********************************************************************
+    /* Internal helper methods
+    /**********************************************************************
+     */
+
+    /**
+     * Helper method for [dataformat-xml#247]: verify that the root element name
+     * matches the expected name when {@link XmlReadFeature#ENFORCE_ROOT_ELEMENT_NAME}
+     * is enabled.
+     *
+     * @since 3.2
+     */
+    protected void _verifyRootElementName(FromXmlParser xp, JavaType valueType)
+        throws JacksonException
+    {
+        QName rootName = xp.getRootElementName();
+        if (rootName == null) {
+            return;
+        }
+        String actualName = rootName.getLocalPart();
+        QName expectedQName = _rootNameLookup.findRootName(this, valueType);
+        String expectedName = expectedQName.getLocalPart();
+
+        if (!expectedName.equals(actualName)) {
+            reportPropertyInputMismatch(valueType, actualName,
+                    "Root name \"%s\" does not match expected (\"%s\") for type %s",
+                    actualName, expectedName, ClassUtil.getTypeDescription(valueType));
+        }
+
+        // Also verify namespace URI: must match both ways (unexpected namespace
+        // present, or expected namespace missing)
+        String expectedNs = expectedQName.getNamespaceURI();
+        String actualNs = rootName.getNamespaceURI();
+        boolean expectedEmpty = (expectedNs == null || expectedNs.isEmpty());
+        boolean actualEmpty = (actualNs == null || actualNs.isEmpty());
+
+        if (expectedEmpty != actualEmpty || (!expectedEmpty && !expectedNs.equals(actualNs))) {
+            reportPropertyInputMismatch(valueType, actualName,
+                    "Root namespace \"%s\" does not match expected (\"%s\") for type %s",
+                    _nsDesc(actualNs), _nsDesc(expectedNs),
+                    ClassUtil.getTypeDescription(valueType));
+        }
+    }
+
+    private static String _nsDesc(String ns) {
+        return (ns == null || ns.isEmpty()) ? "" : ns;
+    }
 }

src/main/java/tools/jackson/dataformat/xml/deser/XmlDeserializationContexts.java

@@ -8,30 +8,40 @@
 import tools.jackson.databind.deser.DeserializationContextExt;
 import tools.jackson.databind.deser.DeserializerCache;
 import tools.jackson.databind.deser.DeserializerFactory;
+import tools.jackson.dataformat.xml.util.XmlRootNameLookup;
 
 public class XmlDeserializationContexts
     extends DeserializationContexts
 {
     private static final long serialVersionUID = 3L;
 
-    public XmlDeserializationContexts() { super(); }
-    public XmlDeserializationContexts(TokenStreamFactory tsf,
-            DeserializerFactory serializerFactory, DeserializerCache cache) {
+    protected final transient XmlRootNameLookup _rootNameLookup;
+
+    public XmlDeserializationContexts() {
+        _rootNameLookup = null;
+    }
+
+    protected XmlDeserializationContexts(TokenStreamFactory tsf,
+            DeserializerFactory serializerFactory, DeserializerCache cache,
+            XmlRootNameLookup roots) {
         super(tsf, serializerFactory, cache);
+        _rootNameLookup = roots;
     }
 
     @Override
     public DeserializationContexts forMapper(Object mapper,
             TokenStreamFactory tsf, DeserializerFactory serializerFactory,
             DeserializerCache cache) {
-        return new XmlDeserializationContexts(tsf, serializerFactory, cache);
+        return new XmlDeserializationContexts(tsf, serializerFactory, cache,
+                new XmlRootNameLookup());
     }
 
     @Override
     public DeserializationContextExt createContext(DeserializationConfig config,
             FormatSchema schema, InjectableValues injectables) {
         return new XmlDeserializationContext(_streamFactory,
                 _deserializerFactory, _cache,
-                config, schema, injectables);
+                config, schema, injectables,
+                _rootNameLookup);
     }
 }

src/test/java/tools/jackson/dataformat/xml/deser/RootElementNameValidation247Test.java

@@ -0,0 +1,181 @@
+package tools.jackson.dataformat.xml.deser;
+
+import org.junit.jupiter.api.Test;
+
+import com.fasterxml.jackson.annotation.JsonRootName;
+
+import tools.jackson.databind.DatabindException;
+
+import tools.jackson.dataformat.xml.XmlMapper;
+import tools.jackson.dataformat.xml.XmlReadFeature;
+import tools.jackson.dataformat.xml.XmlTestUtil;
+import tools.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Tests for [dataformat-xml#247]: verification of root element name
+ * against expected (from annotation or class name) when
+ * {@link XmlReadFeature#ENFORCE_ROOT_ELEMENT_NAME} is enabled.
+ */
+public class RootElementNameValidation247Test extends XmlTestUtil
+{
+    static class Root {
+        public int value;
+    }
+
+    @JsonRootName("MyRoot")
+    static class AnnotatedRoot {
+        public int value;
+    }
+
+    @JacksonXmlRootElement(localName = "XmlRoot")
+    static class XmlAnnotatedRoot {
+        public int value;
+    }
+
+    @JacksonXmlRootElement(localName = "NsRoot", namespace = "http://example.com/test")
+    static class NamespacedRoot {
+        public int value;
+    }
+
+    private final XmlMapper ENFORCING_MAPPER = XmlMapper.builder()
+            .enable(XmlReadFeature.ENFORCE_ROOT_ELEMENT_NAME)
+            .build();
+
+    private final XmlMapper DEFAULT_MAPPER = newMapper();
+
+    // Matching class name should pass
+    @Test
+    public void testMatchingClassNameSucceeds() throws Exception
+    {
+        Root root = ENFORCING_MAPPER.readValue(
+                "<Root><value>42</value></Root>", Root.class);
+        assertEquals(42, root.value);
+    }
+
+    // Mismatched root name should fail when feature is enabled
+    @Test
+    public void testMismatchedNameFails() throws Exception
+    {
+        DatabindException e = assertThrows(DatabindException.class, () ->
+            ENFORCING_MAPPER.readValue(
+                    "<Boot><value>42</value></Boot>", Root.class));
+        verifyException(e, "Root name");
+        verifyException(e, "Boot");
+        verifyException(e, "Root");
+    }
+
+    // Mismatched root name should succeed when feature is disabled (default)
+    @Test
+    public void testMismatchedNameSucceedsWhenDisabled() throws Exception
+    {
+        Root root = DEFAULT_MAPPER.readValue(
+                "<Boot><value>42</value></Boot>", Root.class);
+        assertEquals(42, root.value);
+    }
+
+    // @JsonRootName annotation should be used for expected name
+    @Test
+    public void testJsonRootNameAnnotation() throws Exception
+    {
+        AnnotatedRoot root = ENFORCING_MAPPER.readValue(
+                "<MyRoot><value>42</value></MyRoot>", AnnotatedRoot.class);
+        assertEquals(42, root.value);
+    }
+
+    @Test
+    public void testJsonRootNameAnnotationMismatch() throws Exception
+    {
+        DatabindException e = assertThrows(DatabindException.class, () ->
+            ENFORCING_MAPPER.readValue(
+                    "<AnnotatedRoot><value>42</value></AnnotatedRoot>",
+                    AnnotatedRoot.class));
+        verifyException(e, "Root name");
+        verifyException(e, "AnnotatedRoot");
+        verifyException(e, "MyRoot");
+    }
+
+    // @JacksonXmlRootElement annotation should be used for expected name
+    @Test
+    public void testJacksonXmlRootElementAnnotation() throws Exception
+    {
+        XmlAnnotatedRoot root = ENFORCING_MAPPER.readValue(
+                "<XmlRoot><value>42</value></XmlRoot>", XmlAnnotatedRoot.class);
+        assertEquals(42, root.value);
+    }
+
+    @Test
+    public void testJacksonXmlRootElementAnnotationMismatch() throws Exception
+    {
+        DatabindException e = assertThrows(DatabindException.class, () ->
+            ENFORCING_MAPPER.readValue(
+                    "<WrongName><value>42</value></WrongName>",
+                    XmlAnnotatedRoot.class));
+        verifyException(e, "Root name");
+        verifyException(e, "WrongName");
+        verifyException(e, "XmlRoot");
+    }
+
+    // Empty element should also be validated
+    @Test
+    public void testMismatchedEmptyElement() throws Exception
+    {
+        assertThrows(DatabindException.class, () ->
+            ENFORCING_MAPPER.readValue("<Wrong/>", Root.class));
+    }
+
+    // Namespace URI verification: matching namespace should pass
+    @Test
+    public void testMatchingNamespaceSucceeds() throws Exception
+    {
+        NamespacedRoot root = ENFORCING_MAPPER.readValue(
+                "<ns:NsRoot xmlns:ns=\"http://example.com/test\"><ns:value>42</ns:value></ns:NsRoot>",
+                NamespacedRoot.class);
+        assertEquals(42, root.value);
+    }
+
+    // Namespace URI verification: wrong namespace should fail
+    @Test
+    public void testMismatchedNamespaceFails() throws Exception
+    {
+        DatabindException e = assertThrows(DatabindException.class, () ->
+            ENFORCING_MAPPER.readValue(
+                    "<ns:NsRoot xmlns:ns=\"http://example.com/wrong\"><ns:value>42</ns:value></ns:NsRoot>",
+                    NamespacedRoot.class));
+        verifyException(e, "Root namespace");
+        verifyException(e, "http://example.com/wrong");
+        verifyException(e, "http://example.com/test");
+    }
+
+    // No namespace in XML when one is expected should fail
+    @Test
+    public void testMissingNamespaceFails() throws Exception
+    {
+        DatabindException e = assertThrows(DatabindException.class, () ->
+            ENFORCING_MAPPER.readValue(
+                    "<NsRoot><value>42</value></NsRoot>",
+                    NamespacedRoot.class));
+        verifyException(e, "Root namespace");
+    }
+
+    // Unexpected namespace in XML when none is expected should fail
+    @Test
+    public void testUnexpectedNamespaceFails() throws Exception
+    {
+        DatabindException e = assertThrows(DatabindException.class, () ->
+            ENFORCING_MAPPER.readValue(
+                    "<ns:Root xmlns:ns=\"http://example.com/unexpected\"><ns:value>42</ns:value></ns:Root>",
+                    Root.class));
+        verifyException(e, "Root namespace");
+    }
+
+    // No namespace expected, none present should pass
+    @Test
+    public void testNoNamespaceExpectedNonePresentSucceeds() throws Exception
+    {
+        Root root = ENFORCING_MAPPER.readValue(
+                "<Root><value>42</value></Root>", Root.class);
+        assertEquals(42, root.value);
+    }
+}