InvalidDefinitionException "No fallback setter/field defined for creator property" when deserializing JSON with duplicated property to single-property Record #4690

Open
1 task done
sseelmann opened this issue Sep 9, 2024 · 3 comments
Labels
has-failing-test Indicates that there exists a test case (under `failing/`) to reproduce the issue Record Issue related to JDK17 java.lang.Record support

Comments


sseelmann commented Sep 9, 2024

Search before asking

  • I searched in the issues and found nothing similar.

Describe the bug

Deserializing a JSON with a duplicated property fails for a Java Record with a single property.

Version Information

2.17.2

Reproduction

import org.junit.jupiter.api.Test;

import com.fasterxml.jackson.databind.ObjectMapper;

class JacksonDeserializationTest {

	record MyRecord(String first) {
	}

	@Test
	void test() throws Exception {
		ObjectMapper mapper = new ObjectMapper();

		String json = """
				{
					"first": "[email protected]",
					"first": "[email protected]"
				}
				""";
		var value = mapper.readValue(json, MyRecord.class);
		System.out.println(value);
	}

}

Produces the following error:

com.fasterxml.jackson.databind.exc.InvalidDefinitionException: No fallback setter/field defined for creator property 'first' (through reference chain: JacksonDeserializationTest$MyRecord["first"])
	at com.fasterxml.jackson.databind.exc.InvalidDefinitionException.from(InvalidDefinitionException.java:67)
	at com.fasterxml.jackson.databind.deser.CreatorProperty._reportMissingSetter(CreatorProperty.java:354)
	at com.fasterxml.jackson.databind.deser.CreatorProperty._verifySetter(CreatorProperty.java:341)
	at com.fasterxml.jackson.databind.deser.CreatorProperty.deserializeAndSet(CreatorProperty.java:270)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:273)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:470)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4905)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3848)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3816)
	at JacksonDeserializationTest.test(JacksonDeserializationTest.java:20)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)


Expected behavior

Deserialization works, or a proper exception describing the problem (e.g. "duplicate property") is thrown.

Additional context

Workaround: Add a 2nd dummy property to the Java Record

Ofc the duplicate property in the JSON is not the default. It was detected during a penetration test when testing for parameter pollution vulnerabilities.

@sseelmann sseelmann added the to-evaluate Issue that has been received but not yet evaluated label Sep 9, 2024
@cowtowncoder cowtowncoder added the Record Issue related to JDK17 java.lang.Record support label Sep 10, 2024
@cowtowncoder
Member

Thank you for reporting this issue. I think I know why it occurs, technically speaking, but not sure how to address it.

But in the meantime... to fail on duplicate property values, generally, it's enough to enable

StreamReadFeature.STRICT_DUPLICATE_DETECTION

on JsonFactory used to construct ObjectMapper / JsonMapper.
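
The setting named in the comment above, as an added example that is not part of the original thread or the Jackson project's own code: it builds one default mapper and one with `StreamReadFeature.STRICT_DUPLICATE_DETECTION` enabled on the `JsonFactory`, then feeds both the duplicated-key input so the two outcomes can be compared. The class name `StrictDuplicateDemo`, the helper names and the sample values are assumptions made for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamReadFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class StrictDuplicateDemo {

    // Same shape as the record in the report: a single creator property.
    record MyRecord(String first) {}

    // Constructed sample input: one JSON object carrying the key "first" twice.
    static final String DUPLICATED = """
            {"first": "value-a", "first": "value-b"}
            """;

    // Constructed sample input without duplicates, to show normal input is unaffected.
    static final String CLEAN = """
            {"first": "value-a"}
            """;

    // Duplicate detection is a streaming-layer feature, so it is enabled on the
    // JsonFactory and the mapper is then built on top of that factory.
    static ObjectMapper strictMapper() {
        JsonFactory factory = JsonFactory.builder()
                .enable(StreamReadFeature.STRICT_DUPLICATE_DETECTION)
                .build();
        return JsonMapper.builder(factory).build();
    }

    // Returns a one-line description of what the mapper did with the input,
    // including which exception type rejected it, if any.
    static String describe(ObjectMapper mapper, String json) {
        try {
            return "accepted: " + mapper.readValue(json, MyRecord.class);
        } catch (JsonProcessingException e) {
            return "rejected by " + e.getClass().getSimpleName()
                    + ": " + e.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default, duplicated -> " + describe(new ObjectMapper(), DUPLICATED));
        System.out.println("strict,  duplicated -> " + describe(strictMapper(), DUPLICATED));
        System.out.println("strict,  clean      -> " + describe(strictMapper(), CLEAN));
    }
}
```

Requires a JDK with records and text blocks (16 or later) and `jackson-databind` on the classpath.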

Contributor

yihtserns commented Sep 10, 2024

Quoting @cowtowncoder from FasterXML/jackson-core#60:

...JSON specification does not make duplicate Object values strictly illegal (behavior is undefined I think)...

...checking for duplicates adds non-trivial amount of cost which for valid content is pure overhead...so...add a feature to let users request that duplicate detection is enabled...

@sseelmann
Author

Thanks for the suggestions, but I think I won't enable the STRICT_DUPLICATE_DETECTION feature because

  • of the processing overhead and
  • we use spring boot so the object mapper is "managed" by it, even though it's probably configurable, but I'd prefer to use the default config

@cowtowncoder cowtowncoder added has-failing-test Indicates that there exists a test case (under `failing/`) to reproduce the issue and removed to-evaluate Issue that has been received but not yet evaluated labels Sep 11, 2024