Replace JsonMapper #6265
Comments
https://github.com/cuyz/valinor seems like a decent replacement |
After exploring the possibilities provided by this library:
The only current limitation I can see is the inability to tag properties as optional. |
My understanding was that properties with default values are considered optional, am I wrong? AFAIK it should work pretty much seamlessly with the existing models (caveat: I have not tested) |
What I've tested is to create a constructor with all values at null by default. If it's different than null, setting the properties. I haven't tested with direct default value in the properties. |
I think the current JSON models already set default values for all optional stuff anyway, so it shouldn't be an issue. I wouldn't worry about the constructor stuff. We don't manually construct the model objects anyway. |
Is it null? |
For posterity: Some models, like this one, currently rely on the properties in question being left as

```php
enum Undefined{
    case DUMMY;
}
class Model{
    public int|Undefined $mayNotBeSet = Undefined::DUMMY;
}
```

We could also use a simple object constant, but those are a bit problematic for pmmpthread, so best avoided. |
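An added example, not code from this thread or from any project it mentions: a small strict hydrator in plain PHP 8.1+ showing how the `Undefined` sentinel above lets a model tell an absent key from an explicit `null`, while type mismatches, missing required keys and unknown keys are rejected. The function `hydrateStrict` and the `id` and `name` fields are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Sentinel meaning "key was absent from the JSON", as in the comment above.
enum Undefined { case DUMMY; }

// Constructed model: required, nullable and may-be-absent fields.
final class Model {
    public int $id;
    public ?string $name = null;
    public int|Undefined $mayNotBeSet = Undefined::DUMMY;
}

// Hypothetical strict hydrator (not JsonMapper's or Valinor's API).
function hydrateStrict(string $class, string $json): object {
    $data = json_decode($json, false, 512, JSON_THROW_ON_ERROR);
    if (!$data instanceof stdClass) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    $fields = get_object_vars($data);
    $object = new $class();
    foreach ((new ReflectionClass($class))->getProperties(ReflectionProperty::IS_PUBLIC) as $prop) {
        $name = $prop->getName();
        if (array_key_exists($name, $fields)) {
            try {
                // strict_types applies to this write: no "7" -> 7 coercion,
                // and null is accepted only by a nullable property type.
                $object->{$name} = $fields[$name];
            } catch (TypeError $e) {
                throw new InvalidArgumentException("bad type for '$name'", 0, $e);
            }
            unset($fields[$name]);
        } elseif (!$prop->hasDefaultValue()) {
            throw new InvalidArgumentException("missing required key '$name'");
        }
    }
    if ($fields !== []) {
        throw new InvalidArgumentException('unknown keys: ' . implode(', ', array_keys($fields)));
    }
    return $object;
}

// Constructed inputs.
$ok = hydrateStrict(Model::class, '{"id": 7, "name": null}');
var_dump($ok->mayNotBeSet === Undefined::DUMMY); // key absent: sentinel kept
foreach (['{"id": "7"}', '{"id": 7, "mayNotBeSet": null}', '{"id": 7, "x": 1}', '{}'] as $bad) {
    try { hydrateStrict(Model::class, $bad); echo "accepted: $bad\n"; }
    catch (InvalidArgumentException $e) { echo "rejected: $bad ({$e->getMessage()})\n"; }
}
```

Element types inside an `array`-typed property are not checked by this sketch; that needs a per-element pass on top of the property type.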
Related issue: CuyZ/Valinor#374 |
Description
We need to replace https://github.com/cweiske/jsonmapper for JSON handling, especially in the network layer.
Justification
The following issues have been found in JsonMapper by people exploiting them in PM:
bStrictNullTypes, but the maintainer opted not to include array type checks under this check because of BC with other projects)

This is a much higher concentration of security issues than has been experienced with any other dependency, and the cause seems to be largely down to the project having a long legacy tail, dangerous defaults, and loopholes in data validation. (According to the maintainers, JsonMapper isn't intended for validating data. Doesn't make sense to me, but it is what it is.)
We're already using a fork of the project to gather some bug fixes which haven't been included in the upstream version, but I'm becoming more convinced that a more modern replacement is pretty much required.
Alternative methods
We could also: