johnzon-dev mailing list archives

From "Romain Manni-Bucau (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JOHNZON-146) Mapper json processing should use the order in the Json, not setters
Date Thu, 12 Apr 2018 15:30:00 GMT

    [ https://issues.apache.org/jira/browse/JOHNZON-146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435766#comment-16435766 ]

Romain Manni-Bucau commented on JOHNZON-146:
--------------------------------------------

Isn't it too dangerous? The Java is fully controlled by the user and he can say "read type
before value" for instance; if we respect JSON we are open to injection and hacks, probably.

> Mapper json processing should use the order in the Json, not setters
> --------------------------------------------------------------------
>
>                 Key: JOHNZON-146
>                 URL: https://issues.apache.org/jira/browse/JOHNZON-146
>             Project: Johnzon
>          Issue Type: Bug
>          Components: JSON-B, Mapper
>    Affects Versions: 1.1.5
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>            Priority: Minor
>             Fix For: 1.1.8
>
>
> Currently we do a loop over all the getters and try to find the attribute in the JSON.
> But for deduplicateObjects handling one might end up getting a JsonPointer before the original object got processed.
> This means that we should do it exactly the other way around: loop over the json attributes and then use the setter accordingly.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
