
JsonTokenizer.close() recycles its buffer for each call to close() which may cause data corruption in a multi-threaded environment #77

Closed
niks opened this issue Feb 17, 2023 · 1 comment · Fixed by #97

Comments

niks commented Feb 17, 2023

The API specification of close() specifies that

If the stream is already closed then invoking this method has no effect.

But JsonTokenizer.close() violates this by recycling its buffer for each call to close(). This results in the same buffer being provided by the BufferPool to multiple threads that operate on the same buffer causing data corruption.

This is the same issue that was already fixed for the JsonGenerator. See commit 06af407
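The failure mode described above, as an added illustration that is not Parsson's code: a hypothetical pool and two tokenizers, one whose close() recycles unconditionally and one whose close() is idempotent. After a double close, the leaky variant leaves the same array in the pool twice, so the next two callers share one backing buffer.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Hypothetical stand-ins that reproduce the issue report; not Parsson's own classes.
public class DoubleCloseDemo {
    // Simplified BufferPool: recycled buffers are handed out again on take().
    static final class Pool {
        private final Deque<char[]> free = new ArrayDeque<>();
        char[] take() { char[] b = free.poll(); return b != null ? b : new char[16]; }
        void recycle(char[] b) { free.push(b); }
    }

    // Buggy: every close() recycles, so a second close() donates the buffer twice.
    static final class LeakyTokenizer implements AutoCloseable {
        final Pool pool; char[] buf;
        LeakyTokenizer(Pool p) { pool = p; buf = p.take(); }
        public void close() { pool.recycle(buf); }
    }

    // Fixed: close() is idempotent, so the buffer is returned to the pool exactly once.
    static final class SafeTokenizer implements AutoCloseable {
        final Pool pool; char[] buf; boolean closed;
        SafeTokenizer(Pool p) { pool = p; buf = p.take(); }
        public void close() {
            if (closed) return;   // "If the stream is already closed ... no effect."
            closed = true;
            pool.recycle(buf);
            buf = null;           // drop our reference: the pool owns it now
        }
    }

    // Closes a tokenizer twice, then lets two later users (e.g. two threads) take buffers.
    // Returns true when both users end up with the same backing array.
    static boolean aliasedAfterDoubleClose(boolean fixed) {
        Pool pool = new Pool();
        AutoCloseable t = fixed ? new SafeTokenizer(pool) : new LeakyTokenizer(pool);
        try { t.close(); t.close(); } catch (Exception e) { throw new IllegalStateException(e); }
        char[] a = pool.take();
        char[] b = pool.take();
        return a == b;
    }

    public static void main(String[] args) {
        System.out.println("buggy close() aliases buffers: " + aliasedAfterDoubleClose(false));
        System.out.println("idempotent close() aliases buffers: " + aliasedAfterDoubleClose(true));
    }
}
```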

lukasj added a commit to lukasj/parsson that referenced this issue Jul 12, 2023
…ll to close()

Signed-off-by: Lukas Jungmann <lukas.jungmann@oracle.com>
lukasj added a commit to lukasj/parsson that referenced this issue Jul 12, 2023
…call to close()

Signed-off-by: Lukas Jungmann <lukas.jungmann@oracle.com>
lukasj added a commit that referenced this issue Jul 12, 2023
Signed-off-by: Lukas Jungmann <lukas.jungmann@oracle.com>

niks commented Jul 18, 2023

Thanks, Lukas, for fixing the issue!

benkard pushed a commit to benkard/quarkus-googlecloud-jsonlogging that referenced this issue Sep 24, 2023
…oud-jsonlogging!18)

This MR contains the following updates:

| Package | Type | Update | Change |
|---------|------|--------|--------|
| [io.quarkus:quarkus-extension-processor](https://github.com/quarkusio/quarkus) |  | minor | `3.3.2` -> `3.4.1` |
| [io.quarkus:quarkus-extension-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.3.2` -> `3.4.1` |
| [io.quarkus:quarkus-bom](https://github.com/quarkusio/quarkus) | import | minor | `3.3.2` -> `3.4.1` |
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | minor | `3.3.2` -> `3.4.1` |
| [org.eclipse.parsson:parsson](https://github.com/eclipse-ee4j/parsson) | compile | patch | `1.1.2` -> `1.1.4` |
| [io.smallrye.common:smallrye-common-constraint](http://smallrye.io) ([source](https://github.com/smallrye/smallrye-common)) | compile | patch | `2.1.0` -> `2.1.2` |

---

### Release Notes

<details>
<summary>quarkusio/quarkus</summary>

### [`v3.4.1`](https://github.com/quarkusio/quarkus/releases/tag/3.4.1)

[Compare Source](quarkusio/quarkus@3.4.0...3.4.1)

##### Major changes

- [\#​35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway

##### Complete changelog

- [\#​36000](quarkusio/quarkus#36000) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /docs
- [\#​35999](quarkusio/quarkus#35999) - Bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r in /bom/application
- [\#​35990](quarkusio/quarkus#35990) - Don't ignore empty SSE events in client
- [\#​35987](quarkusio/quarkus#35987) - Improve the way HTTP authorizer logs exceptions
- [\#​35981](quarkusio/quarkus#35981) - Fix link to AWS Lambda SnapStart in documentation
- [\#​35979](quarkusio/quarkus#35979) - Add `@ConfigDocEnumValue` & `@ConfigDocDefault` to writing-extensions guide
- [\#​35977](quarkusio/quarkus#35977) - Recompute cached value when the Redis connection fails
- [\#​35975](quarkusio/quarkus#35975) - OIDC: AuthenticationRedirectionException after successful login
- [\#​35968](quarkusio/quarkus#35968) - Warn when wrong token proxy is accessed
- [\#​35966](quarkusio/quarkus#35966) - SSE: Reactive SseEventSource client doesn't consume empty events
- [\#​35964](quarkusio/quarkus#35964) - OIDC: NPE when accessing IdToken when Bearer access token is sent
- [\#​35959](quarkusio/quarkus#35959) - Log invalid CORS origin and method
- [\#​35958](quarkusio/quarkus#35958) - \[GraalVM 24.0\] Hibernate ORM elasticsearch native integration tests fail with return type mismatch
- [\#​35956](quarkusio/quarkus#35956) - Fix return type of hibernate-search substitution
- [\#​35949](quarkusio/quarkus#35949) - Properly initialize reactive Pool beans
- [\#​35938](quarkusio/quarkus#35938) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /bom/application
- [\#​35937](quarkusio/quarkus#35937) - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /independent-projects/tools
- [\#​35926](quarkusio/quarkus#35926) - Fix use of multiple `@ClientXXX` annotations in REST Client Reactive
- [\#​35925](quarkusio/quarkus#35925) - Add a property to bypass cache mechanism in case of Redis failure
- [\#​35919](quarkusio/quarkus#35919) - Honor OIDC logout requests when ID token has expired
- [\#​35914](quarkusio/quarkus#35914) - Prevent recording configuration coming from Gradle
- [\#​35900](quarkusio/quarkus#35900) - Fix RESTEasy CDI dependency issue
- [\#​35899](quarkusio/quarkus#35899) - Add note about unsupported `@Lock` in Spring Data JPA
- [\#​35895](quarkusio/quarkus#35895) - Update liquibase to 4.23.2, liquibase-mongodb to 4.23.1
- [\#​35889](quarkusio/quarkus#35889) - UriInfo can not be injected in presence of quarkus-rest-client dependency
- [\#​35886](quarkusio/quarkus#35886) - OTel Scope.close() warning improvement
- [\#​35885](quarkusio/quarkus#35885) - Applying the QE feedback for the Logging guide
- [\#​35884](quarkusio/quarkus#35884) - Application fails to start when eactive restclient uses both ClientExceptionMapper and ClientObjectMapper
- [\#​35883](quarkusio/quarkus#35883) - Bring back the HTTP console commands
- [\#​35879](quarkusio/quarkus#35879) - Quarkus 3.4.0.CR1 does not have HTTP commands in dev mode
- [\#​35858](quarkusio/quarkus#35858) - NullPointerException when entity primary key has the type `byte[]`
- [\#​35777](quarkusio/quarkus#35777) - Add a note about HR not being a replacement for ORM
- [\#​35732](quarkusio/quarkus#35732) - Rework how to enable/activate Flyway
- [\#​35728](quarkusio/quarkus#35728) - OIDC logout not working for virtual callback paths, if id_token is expired but session cookie is present
- [\#​35690](quarkusio/quarkus#35690) - Upgrade to Hibernate ORM 6.2.9.Final and HR 2.0.5.Final
- [\#​35655](quarkusio/quarkus#35655) - Flyway does not work without default datasource 3.3
- [\#​35528](quarkusio/quarkus#35528) - flyway with one supported and one unsupported Db throws exception at startup

### [`v3.4.0`](https://github.com/quarkusio/quarkus/releases/tag/3.4.0)

[Compare Source](quarkusio/quarkus@3.3.3...3.4.0)

##### Complete changelog

- [\#​35888](quarkusio/quarkus#35888) - Restore missing parameters in OIDC Dev UI client cred and password SwaggerUI/GraphQL handlers
- [\#​35870](quarkusio/quarkus#35870) - Use default Vert.x client settings in OTel exporters
- [\#​35866](quarkusio/quarkus#35866) - Automatic TLS support in new Vert.x based open telemetry implementation
- [\#​35862](quarkusio/quarkus#35862) - Only remove OTLP trace services when otlp is not configured
- [\#​35846](quarkusio/quarkus#35846) - Fixes aggregation of configurations with two different executions ids
- [\#​35844](quarkusio/quarkus#35844) - Improve description of the duration format in configuration documentation
- [\#​35840](quarkusio/quarkus#35840) - Updates Infinispan to 14.0.17.Final
- [\#​35831](quarkusio/quarkus#35831) - Quarkus aggregate configurations from different executions that share the same goal
- [\#​35822](quarkusio/quarkus#35822) - Check that embedded property types are marked as `@Embeddable`
- [\#​35817](quarkusio/quarkus#35817) - Improve Qute + Cache integration
- [\#​35804](quarkusio/quarkus#35804) - HTTP fix response compression support
- [\#​35792](quarkusio/quarkus#35792) - Do not include in the list of property names Kubernetes config fallbacks
- [\#​35789](quarkusio/quarkus#35789) - Improve OTel Sampler docs
- [\#​35786](quarkusio/quarkus#35786) - OpenTelemetry exporter (otlp) startup dependency error when running as a Docker container image
- [\#​35784](quarkusio/quarkus#35784) - Document the ability to automatically compress rotated log files
- [\#​35778](quarkusio/quarkus#35778) - Fix generic handling of ParamConverter
- [\#​35774](quarkusio/quarkus#35774) - RESTEasy Reactive fails to handle collections of parameterized types as parameter
- [\#​35764](quarkusio/quarkus#35764) - Do not include revision and host-specific info in MANIFEST.MF
- [\#​35762](quarkusio/quarkus#35762) - Delete temporary openshift files
- [\#​35759](quarkusio/quarkus#35759) - Upgrade Smallrye OpenAPI to 3.5.2
- [\#​35757](quarkusio/quarkus#35757) - Update liquibase from 4.20.0 to 4.23.1, liquibase-mongodb to 4.23.0
- [\#​35747](quarkusio/quarkus#35747) - Large files remain in /tmp after OpenShift deployments
- [\#​35726](quarkusio/quarkus#35726) - Improve matching of config properties to a root
- [\#​35722](quarkusio/quarkus#35722) - Since quarkus 3.3.0 a WARN message unrecognized configuration key "quarkus.kubernetes.route.expose" is logged
- [\#​35718](quarkusio/quarkus#35718) - Packs libraries alongside executable in function.zip
- [\#​35713](quarkusio/quarkus#35713) - AWS Lambda extension does not pack necessary .so files when AWT is used
- [\#​35710](quarkusio/quarkus#35710) - Fix potential NPE in HTTP proxying
- [\#​35706](quarkusio/quarkus#35706) - Azure-Functions crash when X-Forwarded headers are enabled java.lang.NullPointerException
- [\#​35599](quarkusio/quarkus#35599) - Keycloak/Quarkus Issues: Dev and Prod
- [\#​35598](quarkusio/quarkus#35598) - Improve Error-Message for missing Embedabbles
- [\#​35558](quarkusio/quarkus#35558) - Widen conditions under RESTEasy Reactive Server and RESTEasy Classic Client can work together
- [\#​12260](quarkusio/quarkus#12260) - Quarkus logging with compress option

### [`v3.3.3`](https://github.com/quarkusio/quarkus/releases/tag/3.3.3)

[Compare Source](quarkusio/quarkus@3.3.2...3.3.3)

##### Complete changelog

- Fixes CVE-2023-4853
- [\#​35490](quarkusio/quarkus#35490) - Build cache - Improve cachability of service binding tests

</details>

<details>
<summary>eclipse-ee4j/parsson</summary>

### [`v1.1.4`](eclipse-ee4j/parsson@1.1.3...1.1.4)

[Compare Source](eclipse-ee4j/parsson@1.1.3...1.1.4)

### [`v1.1.3`](https://github.com/eclipse-ee4j/parsson/releases/tag/1.1.3): Parsson 1.1.3

[Compare Source](eclipse-ee4j/parsson@1.1.2...1.1.3)

#### What's Changed

- 1\.1.2 release by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#89
- [\#​91](eclipse-ee4j/parsson#91): Stack overflow error caused by jakarta.json parsing of untrusted JSON String by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#92
- update build plugins by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#93
- improve compatibility with OSGi mediator by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#96
- [\#​77](eclipse-ee4j/parsson#77): JsonTokenizer.close() recycles its buffer for each call to close() by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#97
- [\#​90](eclipse-ee4j/parsson#90): MapUtil.handle does not support Array objects by [@​lukasj](https://github.com/lukasj) in eclipse-ee4j/parsson#98

**Full Changelog**: eclipse-ee4j/parsson@1.1.2...1.1.3

</details>

<details>
<summary>smallrye/smallrye-common</summary>

### [`v2.1.2`](https://github.com/smallrye/smallrye-common/releases/tag/2.1.2)

[Compare Source](smallrye/smallrye-common@2.1.1...2.1.2)

- [\#​243](smallrye/smallrye-common#243) Release 2.1.2
- [\#​242](smallrye/smallrye-common#242) Fix substitutions for Windows OS
- [\#​241](smallrye/smallrye-common#241) GraalVM substitution problem on Windows
- [\#​240](smallrye/smallrye-common#240) Bump version.vertx from 4.4.4 to 4.4.5

### [`v2.1.1`](https://github.com/smallrye/smallrye-common/releases/tag/2.1.1)

[Compare Source](smallrye/smallrye-common@2.1.0...2.1.1)

- [\#​239](smallrye/smallrye-common#239) Release 2.1.1
- [\#​238](smallrye/smallrye-common#238) Allow reaper threads to be started at run time
- [\#​237](smallrye/smallrye-common#237) Bump io.sundr:sundr-maven-plugin from 0.100.1 to 0.100.3
- [\#​236](smallrye/smallrye-common#236) Bump org.apache.maven:maven-artifact from 3.9.3 to 3.9.4
- [\#​234](smallrye/smallrye-common#234) Bump version.graalvm from 22.3.2 to 23.0.1
- [\#​233](smallrye/smallrye-common#233) Bump module-info from 2.0 to 2.1
- [\#​232](smallrye/smallrye-common#232) Bump sundr-maven-plugin from 0.95.0 to 0.100.1
- [\#​231](smallrye/smallrye-common#231) Bump maven-artifact from 3.9.2 to 3.9.3
- [\#​230](smallrye/smallrye-common#230) Bump version.vertx from 4.4.3 to 4.4.4
- [\#​227](smallrye/smallrye-common#227) Bump smallrye-parent from 39 to 40
- [\#​226](smallrye/smallrye-common#226) Bump version.vertx from 4.4.1 to 4.4.3
- [\#​225](smallrye/smallrye-common#225) Bump sundr-maven-plugin from 0.94.0 to 0.95.0
- [\#​222](smallrye/smallrye-common#222) Bump maven-artifact from 3.9.0 to 3.9.2
- [\#​221](smallrye/smallrye-common#221) Port quiet(...) and cast(...) methods from wildfly-common
- [\#​220](smallrye/smallrye-common#220) Bump version.graalvm from 22.3.1 to 22.3.2
- [\#​218](smallrye/smallrye-common#218) Bump version.vertx from 4.4.0 to 4.4.1
- [\#​217](smallrye/smallrye-common#217) Bump asm from 9.4 to 9.5
- [\#​216](smallrye/smallrye-common#216) Support unsigned parameter range checks
- [\#​214](smallrye/smallrye-common#214) Bump version.vertx from 4.3.8 to 4.4.0

</details>

---

### Configuration

:date: **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

:vertical_traffic_light: **Automerge**: Enabled.

:recycle: **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

:ghost: **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

* [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).