Upgrade to Jackson 2.9.2 #27032
@@ -49,8 +47,9 @@ public FastStringReader(String s) { | |||
* Check to make sure that the stream has not been closed | |||
*/ | |||
private void ensureOpen() throws IOException { | |||
if (length == -1) | |||
if (closed) { |
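Review bot: replacing `if (length == -1)` with `if (closed) {` only fixes the reported length()/subSequence(int,int) failure if close() now sets `closed = true` and no longer assigns `length = -1`; that side of the change is outside this hunk, so please confirm it and add a test that closes a FastStringReader and then calls length() and subSequence(int,int). The added brace also turns the single-statement if into a block, so check that the throw and closing brace follow the project's brace style.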
FastStringReader uses a length equal to -1 to indicate that the reader has been closed. But once closed, the CharSequence's length() method reports an invalid value, making use of the subSequence(int,int) method fail. I fixed that by adding a closed flag instead of relying on the length value.
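To make the failure mode in the comment above concrete, here is an added illustration (not Elasticsearch's FastStringReader and not part of this PR): a minimal Reader over a String that also exposes a CharSequence view, where close() sets a boolean flag instead of overwriting the length field with -1. The class name and the sample JSON string are constructed for this example.

```java
import java.io.IOException;
import java.io.Reader;

// Added illustration, not Elasticsearch's FastStringReader. Closing sets a flag instead of
// overwriting length with -1, so length()/subSequence() remain valid after close(), which
// matters when a parser builds an exception message from a source it has already closed.
public final class FlaggedStringReader extends Reader implements CharSequence {
    private final String str;
    private final int length;   // never mutated; -1 is no longer used to mean "closed"
    private int next = 0;
    private boolean closed = false;

    public FlaggedStringReader(String s) {
        this.str = s;
        this.length = s.length();
    }

    // Check to make sure that the stream has not been closed
    private void ensureOpen() throws IOException {
        if (closed) {
            throw new IOException("Stream closed");
        }
    }

    @Override
    public int read(char[] cbuf, int off, int len) throws IOException {
        ensureOpen();
        if (len == 0) return 0;
        if (next >= length) return -1;
        int n = Math.min(length - next, len);
        str.getChars(next, next + n, cbuf, off);
        next += n;
        return n;
    }

    @Override public void close() { closed = true; }  // the old sentinel approach did length = -1 here
    @Override public int length() { return length; }
    @Override public char charAt(int i) { return str.charAt(i); }
    @Override public CharSequence subSequence(int s, int e) { return str.subSequence(s, e); }

    public static void main(String[] args) throws IOException {
        FlaggedStringReader r = new FlaggedStringReader("{\"k\":1}");  // constructed sample input
        r.read(new char[2], 0, 2);
        r.close();
        // The CharSequence view is still usable for location reporting after close()
        System.out.println(r.length() + " " + r.subSequence(0, 3));
        // Reads, however, are correctly rejected once closed
        try { r.read(new char[1], 0, 1); } catch (IOException e) { System.out.println(e.getMessage()); }
    }
}
```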
It has been caught by tests, because Jackson 2.9.2 is more descriptive than 2.8.6 when reporting the JSON location in exception messages and uses the CharSequence's length() method here.
Makes sense to me.
@nik9000 Thanks for the review, but the PR was WIP. I changed a few things, would you like to have another look?
LGTM. Will this also be ported to 6.x?
Upgrade to Jackson 2.9.2 and also use a boolean `closed` flag to indicate that a FastStringReader instance is closed, so that length is still correctly reported after the reader is closed.
Yes
Thanks @nik9000 and @jasontedor.
After some investigation, this upgrade caused various failures because of two changes in Jackson 2.9.2:

Smile

In Jackson 2.9.2 the SMILE format is now part of the

Some elasticsearch tests like GetResultTests or GetResponseTests rely on a special treatment for float values (see RandomObjects) and they fail. This is good since the float values are now correctly parsed back, but these tests have to be adapted for Jackson 2.9.

Yaml

Jackson 2.9.2 now depends on snakeyaml 1.18 (instead of 1.15) and I suspect a performance degradation in the YAML parser when reading large text values. The entry point is in the

This method uses the

The consequence is that parsing some values takes a lot of time; it slows down all REST integration tests and some tests just time out during execution (like ingest-attachment). I'm currently testing Jackson 2.8.10 in #27230
While it's not possible to upgrade the Jackson dependencies to their latest versions yet (see #27032 (comment) for more) it's still possible to upgrade to the latest 2.8.x version.
Will there be a backport for v5.6.x? This would address the deserialization vulnerability CVE-2017-7525 affecting the transitive dependency jackson-databind v2.8.6
@msymons The databind artifact is only used as a transitive dependency in discovery-ec2, repository-s3, and ingest-geoip. From #27361 we have upgraded that dependency to a patched version for the plugins that use the AWS SDK. For ingest-geoip, we have to wait until core has its core Jackson dependency upgraded (as this PR was doing). The usage of jackson-databind in that plugin is tightly scoped. Otherwise, there are no other uses for databind within Elasticsearch.
I tested Jackson 2.9.6 and I reported this issue in jackson-dataformats-text. Binary values can be encoded in YAML but not decoded when they exceed a given size.
I tested Jackson 2.9.7 and still the same issue.
hi tlrx, I can see the issue you've found is fixed in 2.9.9/2.10.0, does it make upgrading Jackson possible? Thanks!
I want to make explicit here that Elasticsearch is not exposed to the vulnerabilities in 2.8.11.
Can you please elaborate or provide some link where I can find more info to satisfy our Security? This will be greatly appreciated!
Elasticsearch does not use any of the functionality related to the exploits; we are not exposed to any of the issues related to polymorphic deserialization at all. Does that help?
Thank you. I will talk to the AppSec folks and will see :)
I totally understand that Elasticsearch has no exposure to any of the jackson-databind issues. However, projects using Elasticsearch and other dependencies that ARE vulnerable to the jackson-databind issues (meaning that the other dependencies must use jackson 2.9.9) do make for problems with dependency management. Additionally, using out-of-date components does lead to operational-risk warnings from analysers such as Nexus-IQ. However, I would hope that updating to 2.9.9 would provide its own benefits in terms of functionality, etc. But I am not a developer and so cannot opine too much on that aspect.
This PR updates Jackson to version 2.9.2.