From bf33b97a713f8288976660c565f60f86b41871d4 Mon Sep 17 00:00:00 2001
From: Viacheslav Klimov
Date: Fri, 17 Apr 2026 16:56:40 +0300
Subject: [PATCH 1/2] Ignore unknown properties when deserializing Redis cache entries Prevents UnrecognizedPropertyException during rolling upgrades when a newer node writes a cached entity with an added field and an older node reads it back. The Redis-backed TbJsonRedisSerializer now uses JacksonUtil.IGNORE_UNKNOWN_PROPERTIES_JSON_MAPPER instead of the strict OBJECT_MAPPER used by JacksonUtil.fromBytes.
---
 .../server/cache/TbJsonRedisSerializer.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/common/cache/src/main/java/org/thingsboard/server/cache/TbJsonRedisSerializer.java b/common/cache/src/main/java/org/thingsboard/server/cache/TbJsonRedisSerializer.java
index bf5fb7e448..3e8aef83a1 100644
--- a/common/cache/src/main/java/org/thingsboard/server/cache/TbJsonRedisSerializer.java
+++ b/common/cache/src/main/java/org/thingsboard/server/cache/TbJsonRedisSerializer.java
@@ -18,6 +18,8 @@ package org.thingsboard.server.cache;
 import org.springframework.data.redis.serializer.SerializationException;
 import org.thingsboard.common.util.JacksonUtil;
+import java.io.IOException;
+
 public class TbJsonRedisSerializer implements TbRedisSerializer {
 private final Class clazz;
@@ -33,6 +35,13 @@ public class TbJsonRedisSerializer implements TbRedisSerializer {
 @Override
 public V deserialize(K key, byte[] bytes) throws SerializationException {
- return JacksonUtil.fromBytes(bytes, clazz);
+ if (bytes == null) {
+ return null;
+ }
+ try {
+ return JacksonUtil.IGNORE_UNKNOWN_PROPERTIES_JSON_MAPPER.readValue(bytes, clazz);
+ } catch (IOException e) {
+ throw new SerializationException("Failed to deserialize cached value", e);
+ }
 }
 }
From 08e94a7f2a2e9faa586ae79e10ea18be968d58b6 Mon Sep 17 00:00:00 2001
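Review bot: The `SerializationException` thrown from `deserialize` in the second hunk does not say which type failed to parse, and because the serializer is generic over `clazz` a corrupted or schema-incompatible cache entry will be hard to trace; `"Failed to deserialize cached value as " + clazz.getName()` would identify it without putting the payload bytes into logs. The guard treats only `null` as a miss, so a zero-length array still reaches `readValue` and ends up as an exception; if empty values can come back from Redis, `if (bytes == null || bytes.length == 0)` is probably what is wanted. Callers that handled whatever `JacksonUtil.fromBytes` threw on malformed input now receive `SerializationException` instead, which is worth confirming against the call sites, and a small test that reads JSON with an extra field would pin the behaviour the commit is after.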
From: Sergey Matvienko
Date: Fri, 17 Apr 2026 16:36:23 +0200
Subject: [PATCH 2/2] Fix flaky TbRestApiCallNodeTest via SsrfProtectionValidator ResourceLock TbRestApiCallNodeTest ran concurrently with SsrfSafeAddressResolverGroupTest, which toggles the static SsrfProtectionValidator.enabled flag in its setUp/tearDown. When the flag leaked into the REST test's async HTTP calls, 'localhost' was rejected by SSRF and extra tellFailure invocations broke the Mockito verify count. TbHttpClientTest and SsrfSafeAddressResolverGroupTest already declare @ResourceLock("SsrfProtectionValidator"); apply the same lock to TbRestApiCallNodeTest so all three SSRF-sensitive tests serialize. Fixes #15453
---
 .../org/thingsboard/rule/engine/rest/TbRestApiCallNodeTest.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/TbRestApiCallNodeTest.java b/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/TbRestApiCallNodeTest.java
index 493c5abf8c..cc2daa2421 100644
--- a/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/TbRestApiCallNodeTest.java
+++ b/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/rest/TbRestApiCallNodeTest.java
@@ -27,6 +27,7 @@ import org.apache.http.protocol.HttpRequestHandler;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.parallel.ResourceLock;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.ValueSource;
@@ -70,6 +71,7 @@ import static org.mockito.Mockito.timeout;
 import static org.mockito.Mockito.verify;
 @ExtendWith(MockitoExtension.class)
+@ResourceLock("SsrfProtectionValidator") // to avoid race conditions when modifying SsrfProtectionValidator's static configuration
 public class TbRestApiCallNodeTest extends AbstractRuleNodeUpgradeTest {
 static final long TIMEOUT = TimeUnit.SECONDS.toMillis(30);
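Review bot: The lock key on `TbRestApiCallNodeTest` is a bare string that must match the literals in `TbHttpClientTest` and `SsrfSafeAddressResolverGroupTest` character for character, so a typo in any of the three would silently bring the race back; a shared constant would remove that risk. Going by the commit message this class only observes the flag rather than toggling it, so the trailing comment could say that, and `@ResourceLock(value = "SsrfProtectionValidator", mode = ResourceAccessMode.READ)` would still exclude the toggling test without serializing this class against other readers. The flakiness also shows that SSRF protection depends on a mutable static which one piece of code can switch off for every concurrent request in the JVM; if that toggle is reachable outside test code it deserves its own guard. The class body continues past the end of the hunk.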