Jackson Work in Progress

Tatu Saloranta edited this page Oct 30, 2018 · 2080 revisions

Jackson WIP

This page is a "living document" of on-going work, mostly by @cowtowncoder (Tatu), although other committers are welcome to update it as well.

Contents are divided into 3 sections of actionable (*) things:

  1. Urgent things -- security problems, correctness (corruption), reliability (threading/concurrency)
  2. Simple things -- low(er)-hanging fruit that is likely easily fixable but also important (i.e. non-trivial)
  3. Important -- things that are important strategically, or highly "voted", but that are more involved to fix/implement.

(*) actionable meaning, in general, that progress is only/mostly limited by time available and not by inherent difficulty, or lack of design or ideas of how to tackle the need.

Last updates

29-Oct-2018, tatu: Create the initial version

Urgent things

DoS vectors via BigDecimal, BigInteger

Group of issues related to possible Denial-of-Service attacks, making use of surprisingly poor performance characteristics of coercing from BigInteger into long, and thereby also BigDecimal (as it is based on 2 BigIntegers): a short numeric literal can force a disproportionately expensive conversion. Mostly implemented by 29-Oct-2018, to be included in 2.9.8.
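The following is an added illustration of the defensive idea behind this item, written for this page; it is not Jackson's code and not the fix that shipped in 2.9.8. It uses only java.math to decide, from the cheap precision()/scale()/bitLength() fields, whether a BigDecimal or BigInteger can possibly fit in a long before performing the actual conversion, so that a tiny input such as a constructed "1e1000000000" is rejected without expanding 10^1000000000. The class and method names are assumptions made for the example.

```java
import java.math.BigDecimal;
import java.math.BigInteger;
import java.math.RoundingMode;

/**
 * Added example (not Jackson code): bound-check numbers BEFORE coercing them
 * to long, so that the check costs O(1) regardless of exponent size.
 */
public final class SafeNumberCoercion {

    /** A long has at most 19 decimal digits (Long.MAX_VALUE = 9223372036854775807). */
    private static final int MAX_LONG_DIGITS = 19;

    private SafeNumberCoercion() {}

    /** BigInteger -> long: bitLength() reads the stored magnitude, no arithmetic needed. */
    public static long toLong(BigInteger value) {
        if (value.bitLength() > 63) {
            throw new IllegalArgumentException(
                "integer needs " + value.bitLength() + " bits, does not fit in a long");
        }
        // Known to fit, so the exact conversion is cheap and cannot throw here.
        return value.longValueExact();
    }

    /**
     * BigDecimal -> long (truncating toward zero). The value is unscaled * 10^(-scale),
     * so the number of integer digits is (precision - scale); both are plain fields.
     */
    public static long toLong(BigDecimal value) {
        long integerDigits = (long) value.precision() - (long) value.scale();
        if (integerDigits > MAX_LONG_DIGITS) {
            // e.g. "1e1000000000": precision 1, scale -1000000000 -> rejected in O(1)
            throw new IllegalArgumentException(
                "value has " + integerDigits + " integer digits, does not fit in a long");
        }
        if (integerDigits <= 0) {
            // e.g. "1e-1000000000": |value| < 1, truncation gives 0 without dividing by 10^scale
            return 0L;
        }
        // At most 19 integer digits remain: dropping the fraction is cheap, and
        // longValueExact() catches the 19-digit values that still exceed Long.MAX_VALUE.
        return value.setScale(0, RoundingMode.DOWN).longValueExact();
    }

    public static void main(String[] args) {
        // Constructed inputs; the first two would be extremely expensive to
        // convert naively but are decided here from their fields alone.
        String[] samples = {"1e1000000000", "1e-1000000000", "123.987", "-9223372036854775808",
                            "9223372036854775808"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + toLong(new BigDecimal(s)));
            } catch (IllegalArgumentException | ArithmeticException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
        System.out.println(toLong(BigInteger.valueOf(Long.MIN_VALUE)));
    }
}
```

The point of the check is that every decision is taken from precision(), scale() and bitLength(), which are read from the object's own fields, while the expensive work (building 10^scale inside setScale/toBigInteger) only happens once the value is already known to have at most 19 integer digits. A parser that applies this guard at the coercion boundary converts the DoS case into an ordinary "out of range" error.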

New CVEs for Polymorphic Deserialization gadgets

  • On 29-Oct-2018, 3 more gadgets were reported. More information will be sent to the jackson-dev-infosec list; fixes for 2.9.8 and 2.8.11.3

Simple Things

  • Jackson 3.0:
  • Jackson 2.10:
    • Change JsonGenerator.Feature.ESCAPE_NON_ASCII to be based on JsonWriteFeature.ESCAPE_NON_ASCII
      • Maybe implement
    • Add StreamReadFeature as alias for remaining non-deprecated JsonParser.Features (for 3.0 forward compat)
    • Add StreamWriteFeature as alias for remaining non-deprecated JsonGenerator.Features (for 3.0 forward compat)

Important Things

  • Jackson 3.0:
    • Test failures for jackson-modules-base?
    • Finish partial rewrite of JsonFormat.Shape handling to support ALL changes (POJO to/from non-POJO), for types AND properties