19 changes: 11 additions & 8 deletions pom.xml
@@ -100,20 +100,23 @@
<dependencyManagement>
<dependencies>
<!--
Pin json-smart to 2.4.8. The 17.104 framework line pulls json-path 2.9.0 -> json-smart
Pin json-smart to 2.5.2. The 17.104 framework line pulls json-path 2.9.0 -> json-smart
2.4.9 transitively (compile scope in listing-event-processor, test scope elsewhere via
RestPoller). json-smart 2.4.9 added an over-aggressive "Malicious payload, having non
natural depths" guard that wrongly rejects large-but-legitimate JSON (~64KB+), throwing
InvalidJsonException. This breaks any JsonPath evaluation over a >64KB document — e.g.
RestPoller). json-smart 2.4.9 has a regression in its depth guard: the nesting counter
is not decremented correctly, so the hardcoded MAX_DEPTH=400 effectively caps the total
number of objects/arrays in a document rather than actual nesting depth. Legitimate
large payloads (~64KB+) then fail with "Malicious payload, having non natural depths"
(InvalidJsonException), breaking any JsonPath evaluation over a big document — e.g.
RangeSearchQueryForCourtCalendarIT, whose court-centre verify response exceeds 64KB once
it holds 5 hearings — and is a latent production risk in the event processor. 2.4.8 has
no such guard and is compatible with json-path 2.9.0 (verified). Revisit when a fixed
json-smart (2.5.2+) is available.
it holds 5 hearings — and a latent production risk in the event processor. 2.5.x fixes
the counter (correct depth accounting) while keeping the guard. 2.5.2 verified against
the failing payload and compatible with json-path 2.9.0.
https://github.com/aws-solutions/distributed-load-testing-on-aws/issues/146
-->
<dependency>
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<version>2.4.8</version>
<version>2.5.2</version>
</dependency>
<dependency>
<groupId>uk.gov.justice.services</groupId>
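Review bot: the only reference in the new comment block is the aws-solutions/distributed-load-testing-on-aws issue, which is a downstream consumer that hit the same symptom rather than the json-smart project itself; please add a link to the upstream json-smart fix (the issue or release note for the depth-counter correction in 2.5.x) so a future maintainer can confirm that "2.5.x fixes the counter (correct depth accounting) while keeping the guard" without re-deriving it. Two smaller points on the same comment: it states that 2.5.2 was "verified against the failing payload", so name the check that proves it (RangeSearchQueryForCourtCalendarIT is mentioned, and a note that it exercises the >64KB response with 5 hearings would make it the standing regression test for this pin), and since this pin lives in <dependencyManagement> it only wins over the transitive 2.4.9 where nothing declares json-smart directly, so a `mvn dependency:tree -Dincludes=net.minidev:json-smart` run over both the compile-scope path (listing-event-processor) and the test-scope path (RestPoller) confirming that 2.5.2 is the effective version in each is worth recording in the PR description. Moving from 2.4.8 (no guard) to 2.5.2 (guard with corrected depth accounting) is the right direction, so the comment should say explicitly that the guard is retained on purpose and must not be traded away again by a downgrade.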