Fix #991: change default setting for `StreamReadFeature.INCLUDE_SOURC…

…E_IN_LOCATION` to false (#1038)

release-notes/VERSION-2.x

@@ -16,6 +16,9 @@ a pure JSON library.
 
 2.16.0 (not yet released)
 
+#991: Change `StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` default to `false`
+  in Jackson 2.16
+ (suggested by @quinlam)
 #1007: Improve error message for `StreamReadConstraints` violations
 #1015: `JsonFactory` implementations should respect `CANONICALIZE_FIELD_NAMES`
  (contributed by Carter K)

src/main/java/com/fasterxml/jackson/core/JsonParser.java

@@ -329,13 +329,15 @@ public enum Feature {
           * printed, and not the whole contents. Further, many source reference types can not
           * necessarily access contents (like streams), so only type is indicated, not contents.
           *<p>
-          * Feature is enabled by default, meaning that "source reference" information is passed
-          * and some or all of the source content may be included in {@link JsonLocation} information
-          * constructed either when requested explicitly, or when needed for an exception.
+          * Since 2.16 feature is <b>disabled</b> by default (before 2.16 it was enabled),
+          * meaning that "source reference" information is NOT passed; this for security
+          * reasons (so by default no information is leaked; see
+          * <a href="https://github.com/FasterXML/jackson-core/issues/991">core#991</a>
+          * for more)
           *
-          * @since 2.9
+          * @since 2.9 (but different default since 2.16)
           */
-         INCLUDE_SOURCE_IN_LOCATION(true),
+         INCLUDE_SOURCE_IN_LOCATION(false),
 
          /**
           * Feature that determines whether we use the built-in {@link Double#parseDouble(String)} code to parse

src/test/java/com/fasterxml/jackson/core/TestExceptions.java

@@ -7,7 +7,7 @@
 
 public class TestExceptions extends BaseTest
 {
-    private final JsonFactory JSON_F = new JsonFactory();
+    private final JsonFactory JSON_F = newStreamFactory();
 
     // For [core#10]
     public void testOriginalMesssage()
@@ -123,26 +123,30 @@ private void _testEofExceptions(int mode) throws Exception
 
     public void testContentSnippetWithOffset() throws Exception
     {
+        final JsonFactory jsonF = this.streamFactoryBuilder()
+                .enable(StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION)
+                .build();
+
         JsonParser p;
         final String json = a2q("{'k1':'v1'}\n[broken]\n");
         final byte[] jsonB = utf8Bytes(json);
         final int lfIndex = json.indexOf("\n");
         final int start = lfIndex+1;
         final int len = json.length() - start;
 
-        p = JSON_F.createParser(jsonB, start, len);
+        p = jsonF.createParser(jsonB, start, len);
         // for byte-based, will be after character that follows token:
         // (and alas cannot be easily fixed)
         _testContentSnippetWithOffset(p, 9, "(byte[])\"[broken]\n\"");
         p.close();
 
         final char[] jsonC = json.toCharArray();
-        p = JSON_F.createParser(jsonC, start, len);
+        p = jsonF.createParser(jsonC, start, len);
         // for char-based we get true offset at end of token
         _testContentSnippetWithOffset(p, 8, "(char[])\"[broken]\n\"");
         p.close();
 
-        p = JSON_F.createParser(json.substring(start));
+        p = jsonF.createParser(json.substring(start));
         // for char-based we get true offset at end of token
         _testContentSnippetWithOffset(p, 8, "(String)\"[broken]\n\"");
         p.close();
@@ -161,7 +165,6 @@ private void _testContentSnippetWithOffset(final JsonParser p,
             assertEquals(1, loc.getLineNr());
             assertEquals(expColumn, loc.getColumnNr());
             final String srcDesc = loc.sourceDescription();
-
             assertEquals(expContent, srcDesc);
         }
     }