Replace JsonMapper

[dktapps]

Description

We need to replace https://github.com/cweiske/jsonmapper for JSON handling, especially in the network layer.

Justification

The following issues have been found in JsonMapper by people exploiting them in PM:

• Fixed E_* warnings generated by arrays and objects assigned to scalars cweiske/jsonmapper#210
• Do not accept null in typed arrays cweiske/jsonmapper#211 (this one should actually be covered by bStrictNullTypes, but the maintainer opted not to include array type checks under this check because of BC with other projects)
• Fixed bStrictObjectTypeChecking not enforced for array elements cweiske/jsonmapper#225

This is a much higher concentration of security issues than has been experienced with any other dependency, and the cause seems to be largely down to the project having a long legacy tail, dangerous defaults, and loopholes in data validation. (According to the maintainers, JsonMapper isn't intended for validating data. Doesn't make sense to me, but it is what it is.)

We're already using a fork of the project to gather some bug fixes which haven't been included in the upstream version, but I'm becoming more convinced that a more modern replacement is pretty much required.

Alternative methods

We could also:

• Make some sorely-needed JsonMapper BC breaks in our fork
• Keep playing whack-a-mole with bugs

[dktapps]

https://github.com/cuyz/valinor seems like a decent replacement

[ShockedPlot7560]

https://github.com/cuyz/valinor seems like a decent replacement

After exploring the possibilities provided by this library :

1. The rewriting of JsonMapper -> Valinor works very well, the structure is practically the same with similar functions.
2. It is not possible to tag properties as optional unless you create a constructor with optional parameters for each class mapping (annoying).
3. Customisation and configuration seem simpler, allowing more things to be done
4. It isnt possible to deal with objet, only array or file is allowed.

The only current limitation I can see is the inability to tag properties as optional.

[dktapps]

It is not possible to tag properties as optional unless you create a constructor with optional parameters for each class mapping (annoying).

My understanding was that properties with default values are considered optional, am I wrong? AFAIK it should work pretty much seamlessly with the existing models (caveat: I have not tested)

[ShockedPlot7560]

What i've tested is to create a constructor with all value at null by default. If its different than null, setting the properties.

I havent tested with direct default value in the properties.
The annoying side of this stay in the need to write all this constructor or default value in properties (which can cause unexpected bug if its set directly)

[dktapps]

I think the current JSON models already set default values for all optional stuff anyway, so it shouldn't be an issue.

I wouldn't worry about the constructor stuff. We don't manually construct the model objects anyway.

[ShockedPlot7560]

I think the current JSON models already set default values for all optional stuff anyway, so it shouldn't be an issue.

Is it null ?

[dktapps]

For posterity: Some models, like this one, currently rely on the properties in question being left as uninitialized when the corresponding JSON data isn't present. This will require some tweaks to work with Valinor, but it should be as easy as setting null defaults for most cases, or perhaps something like this:

enum Undefined{
    case DUMMY;
}

class Model{
    public int|Undefined $mayNotBeSet = Undefined::DUMMY;
}

We could also use a simple object constant, but those are a bit problematic for pmmpthread, so best avoided.

[dktapps]

Related issue: CuyZ/Valinor#374