
Jackson Work in Progress

Tatu Saloranta edited this page Nov 8, 2018 · 2080 revisions

Jackson WIP

This page is a "living document" of on-going work, mostly by @cowtowncoder (Tatu), although other committers are welcome to update it as well.

Contents are divided into 3 sections of actionable (*) things:

  1. Urgent things -- security problems, correctness (corruption), reliability (threading/concurrency)
  2. Simple things -- low(er) hanging fruits that are likely easily fixable but also important (i.e. non-trivial)
  3. Important -- things that are important strategically, or highly "voted", but that are more involved to fix/implement.

as well as one "Recently Completed" addendum.

(*) actionable meaning, in general, that progress is only/mostly limited by time available and not by inherent difficulty, or lack of design or ideas of how to tackle the need.

Last updates

29-Oct-2018, tatu: Create the initial version

Urgent things

DoS vectors via BigDecimal, BigInteger

Group of issues related to possible Denial-of-Service attacks, making use of surprisingly poor performance characteristics of coercing from BigInteger into long, and thereby also BigDecimal (as it is based on 2 BigIntegers). Mostly implemented by 29-Oct-2018, to be included in 2.9.8.

New CVEs for Polymorphic Deserialization gadgets

  • On 29-Oct-2018, 3 more gadgets were reported. More information will be sent to the jackson-dev-infosec list; fixes for 2.9.8 and 2.8.11.3

Jackson 3.0: test failures for jackson-modules-base?

Jackson 2.10

Jackson 2.9

Simple Things

Important Things

  • Jackson 3.0:
    • Finish partial rewrite of JsonFormat.Shape handling to support ALL changes (POJO to/from non-POJO), for types AND properties

Recently completed

Jackson 3.0
