[DRAFT] deep nesting check #576
Conversation
|
closing as you can use woodstox to do the nesting check |
|
Yeah this is tricky. On one hand I agree, use of native facilities is generally better way. At the same time, shared configurability and checking has its benefits; including but not limited to Jackson-specific exceptions, context. To further complicate things, theoretically nesting levels between actual XML and logical "converted" JSON events can have slight discrepancy too. So for now I think let's use Jackson's new checks and not change Woodstox defaults. We can revisit this in future as necessary. |
|
Maybe worth having the 2 ways to check for depth (woodstox and jackson-specific). I'm still going to treat this as a lower priority than adding nesting check for Smile and CBOR formats. Possibly, other dataformats too. There is already a StreamReadConstraints setting that is not implemented as Jackson-specific - that you need to use Woodstox config - #571 StreamReadConstraints number len check is applied though |
|
Ah. Yes... String length checks would be much more efficient to apply at Woodstox level. |
relies on FasterXML/jackson-core#943
It may be better to doc that StreamReadConstraints is ignored for jackson-dataformat-xml and that users are better off using WstxInputFactory and creating XmlMapper using an instance of WstxInputFactory.
WstxInputFactory.getConfig() gives you a ReaderConfig which already has a default max element depth of 1000.
https://fasterxml.github.io/woodstox/javadoc/6.0/com/ctc/wstx/api/ReaderConfig.html