A serialization error causes an assignment to be sent abnormally

[FQXCS]

This is the parameter of the request pass

This is the background received parameter，The id in the child attribute was incorrectly assigned to the main attribute，Of course, there is also a parameter passing problem. The type in constructionBasisList should be passed to String, but was incorrectly passed to List

There is a processing done to prevent xss
jackson V2.11.4

[cowtowncoder]

First off: version 2.11.4 is ancient: please try a newer version (2.17.2 f.ex).
Second: what is usually needed is a full, stand-alone reproduction, not code snippets.
Third: screenshots best used sparingly, they are pretty hard to follow.

[FQXCS]

This is a minimal sample:

@Slf4j
public class JacksonXssClean extends JsonDeserializer<String> {
	@Override
	public String deserialize(JsonParser p, DeserializationContext ctxt) {
		try {
			return p.getValueAsString();
		}catch (Exception e){
			e.printStackTrace();
		}
		return null;
	}
}

@RequiredArgsConstructor
@Configuration
public class EfpxXssAutoConfiguration implements WebMvcConfigurer {
	@Bean
	public Jackson2ObjectMapperBuilderCustomizer xssJacksonCustomizer() {
		return builder -> builder.deserializerByType(String.class, new JacksonXssClean());
	}
}

@Data
public class MasterVo {
    private String id;
    private String masterName;
    private List<SlaveVo> slaveVoList;
}

@Data
public class SlaveVo {
    private String id;
    private String name;
    private String type;
    private String typeStr;
}

@RestController
@RequiredArgsConstructor
@RequestMapping("/test")
public class TestController {
    @PostMapping("/test01")
    public String temporaryStorage(@RequestBody MasterVo vo) {
        return "";
    }
}

This is the request parameter:

{
    "id": "8d4c1e7ab5184705a056389a755c4bce",
    "masterName": "test",
    "slaveVoList": [
        {
            "name": "slaveVoList01",
            "type": [
                "01"
            ],
            "typeStr": "type01",
            "id": "66ce1086d562476a8331a6065ed5bb50"
        },
        {
            "businessId": "8d4c1e7ab5184705a056389a755c4bce",
            "name": "slaveVoList02",
            "type": [
                "01"
            ],
            "typeStr": "type01",
            "id": "6a98ff39a92c4b6a93a3cb93614e5810"
        }
    ]
}

I upgraded the version to: spring-boot V3.2.9、jackson V2.15.4，
And I forced jackson to version 2.17.2. The problem still persists.

com.fasterxml.jackson.databind.deser.BeanDeserializer#deserializeFromObject
I found out after tracing the code that I assigned type to slaveVoList during the recursive assignment process that somehow popped out, causing slavevolist.id to be assigned to MasterVo.id

[cowtowncoder]

Ok so this is not a stand-alone reproduction as it relies on 2 framework (Lombok, I think and ... Spring?) but gives better idea of what is happening.

While it's not clear how custom deserializer (JacksonXssClean) is registered, I guess it is registered for String values, but it also does not verify that the current token is what it expect -- it just assumes it'd be JsonToken.VALUE_STRING. Deserializer should check that because that is probably the bug here: you can not deserialize String from JSON Array like that:

            "type": [
                "01"
            ],

and type is declared as String. Calling p.getValueAsString(); on JSON Array value returns either null or String "[" (I forget what exactly), but it will leave 2 other tokens (String "01", closing ] marker) in stream.
And that will break handling.

I think this is what is going wrong there. Hope this helps.

[FQXCS]

Thanks for your answer, I conducted the "try... catch..." , even if the "type" parsing fails, the value is returned as null and the correct value is assigned (MasterVo.slavevList[n].type = null), rather than "MasterVo.slavevList[0].id" incorrectly assigned to "MasterVo.id".

I offer a minimization project:
springboot3.zip

[cowtowncoder]

I pointed out the problem and do not have to dig in to packaged project.
Best of luck figuring out the issue based on what I pointed out -- your deserializer won't work on JSON Array values like one included in the sample.