Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to Jackson 2.9.2 #27032

Merged
merged 3 commits into from
Oct 19, 2017
Merged

Upgrade to Jackson 2.9.2 #27032

merged 3 commits into from
Oct 19, 2017

Conversation

tlrx
Copy link
Member

@tlrx tlrx commented Oct 17, 2017

This PR updates Jackson to version 2.9.2.

@tlrx tlrx added :Core/Infra/Core Core issues without another label review v7.0.0 labels Oct 17, 2017
@tlrx tlrx added WIP and removed review labels Oct 17, 2017
@@ -49,8 +47,9 @@ public FastStringReader(String s) {
* Check to make sure that the stream has not been closed
*/
private void ensureOpen() throws IOException {
if (length == -1)
if (closed) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FastStringReader uses a length equal to -1 to indicate that the reader has been closed. But once closed, the CharSequence's length() method reports an invalid value making use of subSequence(int,int) method fail. I fixed that by adding a closed flag instead of relying on length value.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It has been caught by tests, because Jackson 2.9.2 is more descriptive than 2.8.6 when reporting JSON location in exception messages and uses CharSequence's length() method here

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me.

@tlrx
Copy link
Member Author

tlrx commented Oct 19, 2017

@nik9000 Thanks for review, but the PR was in WIP. I changed few things, would you like to have another look?

@tlrx tlrx added review and removed WIP labels Oct 19, 2017
Copy link
Member

@jasontedor jasontedor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Will this also be ported to 6.x?

@@ -49,8 +47,9 @@ public FastStringReader(String s) {
* Check to make sure that the stream has not been closed
*/
private void ensureOpen() throws IOException {
if (length == -1)
if (closed) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me.

@tlrx tlrx merged commit 0b9acc5 into elastic:master Oct 19, 2017
tlrx added a commit that referenced this pull request Oct 19, 2017
Upgrade to Jackson 2.9.2 and also use a boolean `closed` flag to
indicate that a FastStringReader instance is closed, so that length
is still correctly reported after the reader is closed.
@tlrx tlrx added the v6.1.0 label Oct 19, 2017
@tlrx
Copy link
Member Author

tlrx commented Oct 19, 2017

Will this also be ported to 6.x?

Yes

@tlrx tlrx deleted the upgrade-jackson branch October 19, 2017 13:59
@tlrx
Copy link
Member Author

tlrx commented Oct 19, 2017

Thanks @nik9000 and @jasontedor.

tlrx added a commit that referenced this pull request Oct 20, 2017
tlrx added a commit that referenced this pull request Oct 20, 2017
@tlrx
Copy link
Member Author

tlrx commented Oct 20, 2017

This pull request passed on CI here but now it is merged it is causing different types of issues on CI, so I reverted it (463e7e6 and 72b9859) until I find the cause of the errors.

@tlrx
Copy link
Member Author

tlrx commented Oct 31, 2017

After some investigation, this upgrade caused various failures because of two changes in Jackson 2.9.2:

Smile

In Jackson 2.9.2 the SMILE format is now part of the jackson-dataformats-binary project. The code has been factorized multiple times but the consequence is that the SmileParser now extends SmileParserBase (instead of ParserBase in 2.8) and correctly parses back float values.

Some elasticsearch tests like GetResultTests or GetResponseTests rely on a special treatment for float values (see RandomObjects) and they fail. This is good since the float values are now correctly parsed back but these tests have to be adapted for Jackson 2.9.

Yaml

Jackson 2.9.2 now depends on snakeyaml 1.18 (instead of 1.15) and I suspect a performance degradation in the YAML parser when reading large text values.

The entry point is in the org.yaml.snakeyaml.scanner.ScannerImpl#scanFlowScalarNonSpaces(boolean, Mark) method:

while (Constant.NULL_BL_T_LINEBR.hasNo(reader.peek(length), "\'\"\\")) {
  length++;
}

This method uses the peek() method of a org.yaml.snakeyaml.reader.StreamReader instance and this method has been changed in 1.18 to return a int instead of a char, but the new implementation is less efficient for large values.

The consequence is that parsing some values take a lot of time, it slows down all REST integration tests and some tests just time out during execution (like ingest-attachement).

I'm currently testing Jackson 2.8.10 in #27230

tlrx added a commit that referenced this pull request Nov 6, 2017
While it's not possible to upgrade the Jackson dependencies 
to their latest versions yet (see #27032 (comment) for more) 
it's still possible to upgrade to the latest 2.8.x version.
tlrx added a commit that referenced this pull request Nov 6, 2017
While it's not possible to upgrade the Jackson dependencies 
to their latest versions yet (see #27032 (comment) for more) 
it's still possible to upgrade to the latest 2.8.x version.
@msymons
Copy link

msymons commented Nov 20, 2017

Will there be a backport for v5.6.x?

This would address deserialization vulnerability CVE-2017-7525 affecting transitive dependency jackson-databind v2.8.6

@tlrx
Copy link
Member Author

tlrx commented Nov 20, 2017

@msymons This pull request has been reverted. What you're looking for is #27361 which has been backported to the current 5.6.x maintenance branch but not released.

@msymons
Copy link

msymons commented Nov 20, 2017

@tlrx. My apologies… somehow, I had ended up making my comment above in the wrong browser tab! I had seen the reversion that you refer to and had meant to add my comment to #27230 (which does not (yet) reference v5.6.5 ). Is not #27361 related just to AWS SDK?

@jasontedor
Copy link
Member

Is not #27361 related just to AWS SDK?

@msymons The databind artifact is only used as transitive dependencies in discovery-ec2, repository-s3, and ingest-geoip. From #27361 we have upgraded that dependency to a patched version for the plugins that use the AWS SDK. For ingest-geoip, we have to wait until core has its core Jackson dependency upgraded (at this PR was doing). The usage of jackson-databind in that plugin is tightly scoped. Otherwise, there are no other uses for databind within Elasticsearch.

@tlrx
Copy link
Member Author

tlrx commented Jun 14, 2018

I tested Jackson 2.9.6 and I reported this issue in jackson-dataformats-text. Binary values can be encoded in YAML but not decoded when it exceeds a given size.

@tlrx
Copy link
Member Author

tlrx commented Oct 23, 2018

I tested Jackson 2.9.7 and still the same issue.

@nkomissar
Copy link

hi tlrx, I can see the issue you've found is fixed in 2.9.9/2.10.0, does it make possible upgrading Jackson?
In my company, we would like to use elasticsearch but it's blocked by Security due to vulnerabilities in 2.8.11.

Thanks!

@jasontedor
Copy link
Member

I want to make explicit here that Elasticsearch is not exposed to the vulnerabilities in 2.8.11.

@nkomissar
Copy link

Can you please elaborate or provide some link where I can find more info to satisfy our Security? This will be greatly appreciated!

@jasontedor
Copy link
Member

Elasticsearch does not use any of the functionality related to the exploits, we are not exposed to any of the issues related to polymorphic deserialization at all. Does that help?

@nkomissar
Copy link

Thank you. I will talk to the AppSec folks and will see :)

@msymons
Copy link

msymons commented Jun 17, 2019

@jasontedor

Elasticsearch does not use any of the functionality related to the exploits, we are not exposed to any of the issues related to polymorphic deserialization at all. Does that help?

I totally understand that Elasticsearch has no exposure to any of the jackson-databind issues. However, projects using Elasticsearch and other dependencies that ARE vulnerable to the jackson-databind issues (meaning that the other dependencies must use jackson 2.9.9) does make for problems with dependency management.

Additionally, using out of date components does lead to operational-risk warnings from analysers such as Nexus-IQ

However, I would hope that updating to 2.9.9 would provide its own benefits in terms of functionality, etc. But I am not a developer and so cannot opine too much on that aspect.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
:Core/Infra/Core Core issues without another label
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants