diff --git a/dropwizard-bom/pom.xml b/dropwizard-bom/pom.xml
index 453475a34ab..8adfe456610 100644
--- a/dropwizard-bom/pom.xml
+++ b/dropwizard-bom/pom.xml
@@ -21,7 +21,7 @@
${project.version}
24.1.1-jre
2.25.1
- 2.9.6
+ 2.9.8
9.4.11.v20180605
3.0.0.v201112011016
4.0.2
diff --git a/dropwizard-configuration/src/test/java/io/dropwizard/configuration/YamlConfigurationFactoryTest.java b/dropwizard-configuration/src/test/java/io/dropwizard/configuration/YamlConfigurationFactoryTest.java
index e86770776c5..99334325ca6 100644
--- a/dropwizard-configuration/src/test/java/io/dropwizard/configuration/YamlConfigurationFactoryTest.java
+++ b/dropwizard-configuration/src/test/java/io/dropwizard/configuration/YamlConfigurationFactoryTest.java
@@ -30,12 +30,6 @@ public void printsDetailedInformationOnMalformedContent() throws Exception {
.hasMessageContaining(String.format(
"%s has an error:%n" +
" * Malformed YAML at line: 3, column: 22; while parsing a flow sequence\n" +
- " in 'reader', line 2, column 7:\n" +
- " type: [ coder,wizard\n" +
- " ^\n" +
- "expected ',' or ']', but got StreamEnd\n" +
- " in 'reader', line 2, column 21:\n" +
- " wizard\n" +
- " ^", malformedAdvancedFile.getName()));
+ " in 'reader'", malformedAdvancedFile.getName()));
}
}
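Review bot: The new `+` line shortens the expected message to just ` in 'reader'`, so the test named printsDetailedInformationOnMalformedContent no longer verifies that the second error's location (line and column) is reported at all; the previous assertion pinned both. If the exact wording became version-dependent after the dependency bump in this commit, the test should say so and still pin a stable, meaningful detail, for example `" in 'reader', line 2, column 7"` instead of the bare `" in 'reader'"`, or carry a comment such as `// only the first location is asserted; the trailing context is formatter-dependent`. The enclosing method starts outside this hunk.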
diff --git a/dropwizard-jackson/src/main/java/io/dropwizard/jackson/Jackson.java b/dropwizard-jackson/src/main/java/io/dropwizard/jackson/Jackson.java
index e971834eb4d..7373761ecfd 100644
--- a/dropwizard-jackson/src/main/java/io/dropwizard/jackson/Jackson.java
+++ b/dropwizard-jackson/src/main/java/io/dropwizard/jackson/Jackson.java
@@ -64,7 +64,6 @@ private static ObjectMapper configure(ObjectMapper mapper) {
mapper.setPropertyNamingStrategy(new AnnotationSensitivePropertyNamingStrategy());
mapper.setSubtypeResolver(new DiscoverableSubtypeResolver());
- mapper.registerModule(new SafeJavaTimeModule());
return mapper;
}
}
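Review bot: Removing the `SafeJavaTimeModule` registration in configure() drops the only code that documented the DoS concern around out-of-range decimal `Instant`/`Duration` values, and nothing in this hunk records what now covers it; presumably the 2.9.8 bump in dropwizard-bom/pom.xml is relied on, but that is an inference from this diff. The updated tests in this same commit also show the behavior changing from rejection (JsonMappingException) to silent coercion to epoch zero, which callers validating configuration may not expect. A why-comment at the removal site would preserve that intent, e.g. `// Out-of-range decimal Instant/Duration values are handled by the upstream java.time module; see JacksonDeserializationOfBigNumbersTo*Test`. The enclosing method starts outside this hunk.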
diff --git a/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeDurationDeserializer.java b/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeDurationDeserializer.java
deleted file mode 100644
index 27f35190a13..00000000000
--- a/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeDurationDeserializer.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package io.dropwizard.jackson;
-
-import com.fasterxml.jackson.core.JsonParser;
-import com.fasterxml.jackson.core.JsonTokenId;
-import com.fasterxml.jackson.databind.DeserializationContext;
-import com.fasterxml.jackson.databind.deser.std.StdScalarDeserializer;
-import com.fasterxml.jackson.datatype.jsr310.deser.DurationDeserializer;
-
-import javax.annotation.Nullable;
-import java.io.IOException;
-import java.math.BigDecimal;
-import java.time.Duration;
-
-/**
- * Safe deserializer for `Instant` that rejects big decimal values out of the range of Long.
- * They take forever to deserialize and can be used in a DoS attack.
- */
-class SafeDurationDeserializer extends StdScalarDeserializer {
-
- private static final BigDecimal MAX_DURATION = new BigDecimal(Long.MAX_VALUE);
- private static final BigDecimal MIN_DURATION = new BigDecimal(Long.MIN_VALUE);
-
- SafeDurationDeserializer() {
- super(Duration.class);
- }
-
- @Override
- @Nullable
- public Duration deserialize(JsonParser parser, DeserializationContext context) throws IOException {
- if (parser.getCurrentTokenId() == JsonTokenId.ID_NUMBER_FLOAT) {
- BigDecimal value = parser.getDecimalValue();
- // new BigDecimal("1e1000000000").longValue() takes forever to complete
- if (value.compareTo(MAX_DURATION) > 0 || value.compareTo(MIN_DURATION) < 0) {
- throw new IllegalArgumentException("Value is out of range of Duration");
- }
- }
- return DurationDeserializer.INSTANCE.deserialize(parser, context);
- }
-}
diff --git a/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeInstantDeserializer.java b/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeInstantDeserializer.java
deleted file mode 100644
index db358102303..00000000000
--- a/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeInstantDeserializer.java
+++ /dev/null
@@ -1,43 +0,0 @@
-package io.dropwizard.jackson;
-
-import com.fasterxml.jackson.databind.DeserializationContext;
-import com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer;
-
-import javax.annotation.Nullable;
-import java.math.BigDecimal;
-import java.time.Instant;
-import java.time.ZoneId;
-import java.time.format.DateTimeFormatter;
-import java.time.temporal.Temporal;
-import java.time.temporal.TemporalAccessor;
-import java.util.function.BiFunction;
-import java.util.function.Function;
-
-/**
- * Safe deserializer for `Instant` that rejects big decimal values that take forever to deserialize
- * and can be used in a DoS attack.
- */
-class SafeInstantDeserializer extends InstantDeserializer {
-
- private static final BigDecimal MAX_INSTANT = new BigDecimal(Instant.MAX.getEpochSecond() + 1);
- private static final BigDecimal MIN_INSTANT = new BigDecimal(Instant.MIN.getEpochSecond());
-
- SafeInstantDeserializer(Class supportedType,
- DateTimeFormatter formatter,
- Function parsedToValue,
- Function fromMilliseconds,
- Function fromNanoseconds,
- @Nullable BiFunction adjust,
- boolean replaceZeroOffsetAsZ) {
- super(supportedType, formatter, parsedToValue, fromMilliseconds, fromNanoseconds, adjust, replaceZeroOffsetAsZ);
- }
-
- @Override
- protected T _fromDecimal(DeserializationContext context, BigDecimal value) {
- // new BigDecimal("1e1000000000").longValue() takes forever to complete
- if (value.compareTo(MAX_INSTANT) >= 0 || value.compareTo(MIN_INSTANT) < 0) {
- throw new IllegalArgumentException("Value is out of range of Instant");
- }
- return super._fromDecimal(context, value);
- }
-}
diff --git a/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeJavaTimeModule.java b/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeJavaTimeModule.java
deleted file mode 100644
index d6fda7e006e..00000000000
--- a/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeJavaTimeModule.java
+++ /dev/null
@@ -1,53 +0,0 @@
-package io.dropwizard.jackson;
-
-import com.fasterxml.jackson.databind.module.SimpleModule;
-import com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer;
-import com.fasterxml.jackson.module.paramnames.PackageVersion;
-
-import java.time.Duration;
-import java.time.Instant;
-import java.time.OffsetDateTime;
-import java.time.ZonedDateTime;
-import java.time.format.DateTimeFormatter;
-
-/**
- * Module that provides safe deserializers for Instant and Duration that reject big decimal values
- * outside of their range which are extremely CPU-heavy to parse.
- */
-class SafeJavaTimeModule extends SimpleModule {
-
- private static final InstantDeserializer INSTANT = new SafeInstantDeserializer<>(
- Instant.class, DateTimeFormatter.ISO_INSTANT,
- Instant::from,
- a -> Instant.ofEpochMilli(a.value),
- a -> Instant.ofEpochSecond(a.integer, a.fraction),
- null,
- true
- );
-
- private static final InstantDeserializer OFFSET_DATE_TIME = new SafeInstantDeserializer<>(
- OffsetDateTime.class, DateTimeFormatter.ISO_OFFSET_DATE_TIME,
- OffsetDateTime::from,
- a -> OffsetDateTime.ofInstant(Instant.ofEpochMilli(a.value), a.zoneId),
- a -> OffsetDateTime.ofInstant(Instant.ofEpochSecond(a.integer, a.fraction), a.zoneId),
- (d, z) -> d.withOffsetSameInstant(z.getRules().getOffset(d.toLocalDateTime())),
- true
- );
-
- private static final InstantDeserializer ZONED_DATE_TIME = new SafeInstantDeserializer<>(
- ZonedDateTime.class, DateTimeFormatter.ISO_ZONED_DATE_TIME,
- ZonedDateTime::from,
- a -> ZonedDateTime.ofInstant(Instant.ofEpochMilli(a.value), a.zoneId),
- a -> ZonedDateTime.ofInstant(Instant.ofEpochSecond(a.integer, a.fraction), a.zoneId),
- ZonedDateTime::withZoneSameInstant,
- false
- );
-
- SafeJavaTimeModule() {
- super(PackageVersion.VERSION);
- addDeserializer(Instant.class, INSTANT);
- addDeserializer(OffsetDateTime.class, OFFSET_DATE_TIME);
- addDeserializer(ZonedDateTime.class, ZONED_DATE_TIME);
- addDeserializer(Duration.class, new SafeDurationDeserializer());
- }
-}
diff --git a/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToDurationTest.java b/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToDurationTest.java
index 90d493088cc..3fc0df45a85 100644
--- a/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToDurationTest.java
+++ b/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToDurationTest.java
@@ -16,10 +16,9 @@ public class JacksonDeserializationOfBigNumbersToDurationTest {
private final ObjectMapper objectMapper = Jackson.newObjectMapper();
@Test(timeout = 5000)
- public void testDoesNotAttemptToDeserializeExtremelyBigNumbers() {
- assertThatExceptionOfType(JsonMappingException.class).isThrownBy(
- () -> objectMapper.readValue("{\"id\": 42, \"duration\": 1e1000000000}", Task.class))
- .withMessageStartingWith("Value is out of range of Duration");
+ public void testDoesNotAttemptToDeserializeExtremelyBigNumbers() throws Exception {
+ Task task = objectMapper.readValue("{\"id\": 42, \"duration\": 1e1000000000}", Task.class);
+ assertThat(task.getDuration()).isEqualTo(Duration.ofSeconds(0));
}
@Test
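Review bot: The new assertion pins `Duration.ofSeconds(0)` for an input of `1e1000000000`, which turns an out-of-range value into a silently accepted zero, yet the method name testDoesNotAttemptToDeserializeExtremelyBigNumbers still describes the old rejecting behavior; the same applies to the Instant hunk below, which pins `Instant.ofEpochMilli(0)`. If the zero result is upstream library behavior rather than a Dropwizard decision, the test should say so, e.g. `// Upstream java.time deserializers coerce out-of-range decimals to 0; this test only guards against the parse taking unbounded time (see the 5s timeout)`, so a later upgrade that changes the coerced value is recognized as a library change rather than a regression. Renaming the method to reflect that it now checks timely completion rather than rejection would also help.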
diff --git a/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToInstantTest.java b/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToInstantTest.java
index 49ea8ff4083..fa59b9d7f0d 100644
--- a/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToInstantTest.java
+++ b/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToInstantTest.java
@@ -16,10 +16,9 @@ public class JacksonDeserializationOfBigNumbersToInstantTest {
private final ObjectMapper objectMapper = Jackson.newObjectMapper();
@Test(timeout = 5000)
- public void testDoesNotAttemptToDeserializeExtremelBigNumbers() {
- assertThatExceptionOfType(JsonMappingException.class).isThrownBy(
- () -> objectMapper.readValue("{\"id\": 42, \"createdAt\": 1e1000000000}", Event.class))
- .withMessageStartingWith("Value is out of range of Instant");
+ public void testDoesNotAttemptToDeserializeExtremelBigNumbers() throws Exception {
+ Event event = objectMapper.readValue("{\"id\": 42, \"createdAt\": 1e1000000000}", Event.class);
+ assertThat(event.getCreatedAt()).isEqualTo(Instant.ofEpochMilli(0));
}
@Test