I'll take a look. Thank you.

On Tue, 16 May 2023, 16:18, Matt Pavlovich <[email protected]> wrote:

> Yeah, I think we could move to some sort of statically generated JSON text
> writer— esp for the PersistenceAdapterView.java.
>
> A quick scan shows one use of an unmarshaller (which is where most
> security problems come from). Perhaps we deprecate that function and
> convert the functionality to use a different syntax for the destination
> filtering.
>
> Classes using an import from com.fasterxml.jackson.
>
> > ./activemq-partition/src/main/java/org/apache/activemq/partition/dto/Partitioning.java
> > ./activemq-partition/src/main/java/org/apache/activemq/partition/dto/Target.java
> > ./activemq-console/src/main/java/org/apache/activemq/console/command/store/StoreExporter.java
> > ./activemq-broker/src/test/java/org/apache/activemq/broker/view/BrokerDestinationViewTest.java
> > ./activemq-broker/src/main/java/org/apache/activemq/broker/jmx/DestinationsViewFilter.java
> > ./activemq-broker/src/main/java/org/apache/activemq/broker/jmx/PersistenceAdapterView.java
>
> Thanks,
> Matt Pavlovich
>
> > On May 16, 2023, at 8:44 AM, Jean-Louis Monteiro <[email protected]> wrote:
> >
> > Yes, I remember the discussion.
> > To be honest, as I was mentioning, even JSON-B/P is probably overkill for
> > what we need.
> >
> > Happy to craft up a PR so we can discuss it there and see if that is
> > feasible for 5.19.x
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Tue, May 16, 2023 at 3:37 PM Matt Pavlovich <[email protected]> wrote:
> >
> >> Hello Jean-Louis-
> >>
> >> This has come up in the past. Iirc, the discussion was leaning towards
> >> using json-b and then Jackson as the out-of-the-box provider.
> >>
> >> This sounds like a good change for the 5.19.x line.
> >>
> >> Thanks,
> >> -Matt Pavlovich
> >>
> >>> On May 16, 2023, at 5:17 AM, Jean-Louis Monteiro <[email protected]> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> Jackson seems to be frequently affected by CVEs and it's really a pain
> >>> for users.
> >>>
> >>> Looks like Jackson is only used in the WebConsole to read/write a few
> >>> attributes. I'm sure we can get rid of it and either use a standard API
> >>> so one can plug in any implementation, or just write a utility class
> >>> to parse the small attribute we have to.
> >>>
> >>> Thoughts?
> >>>
> >>> I'm happy to do a PR to remove it if that's the consensus.
> >>>
> >>> --
> >>> Jean-Louis Monteiro
> >>> http://twitter.com/jlouismonteiro
> >>> http://www.tomitribe.com
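The "statically generated JSON text writer" Matt suggests for the JMX views could look like the following. This is an added illustration, not ActiveMQ code; the class and method names (JsonTextWriter, writeObject) are my own. Its security property is simply that it only emits text for a fixed set of attribute values and never parses input, so the unmarshalling surface the thread worries about is absent by construction.

```java
import java.util.Map;

// Added illustration, not ActiveMQ code: a hand-written JSON writer for a fixed set of
// attribute values. It only produces text and never parses input, so the unmarshalling
// surface behind most Jackson CVEs simply does not exist here.
public final class JsonTextWriter {

    /** Serialises attribute name -> value pairs as one JSON object. */
    public static String writeObject(Map<String, ?> attributes) {
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, ?> e : attributes.entrySet()) {
            if (!first) sb.append(',');
            first = false;
            writeString(sb, e.getKey());
            sb.append(':');
            writeValue(sb, e.getValue());
        }
        return sb.append('}').toString();
    }

    @SuppressWarnings("unchecked")
    private static void writeValue(StringBuilder sb, Object v) {
        if (v == null) {
            sb.append("null");
        } else if (v instanceof Boolean) {
            sb.append(v);
        } else if (v instanceof Number) {
            double d = ((Number) v).doubleValue();       // NaN/Infinity are not JSON literals
            sb.append(Double.isNaN(d) || Double.isInfinite(d) ? "null" : v.toString());
        } else if (v instanceof Map) {
            sb.append(writeObject((Map<String, ?>) v));  // nested attribute group
        } else {
            writeString(sb, v.toString());               // strings, enums, dates: quoted text
        }
    }

    /** JSON string literal; escapes quote, backslash and every control character (RFC 8259). */
    private static void writeString(StringBuilder sb, String s) {
        sb.append('"');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        sb.append('"');
    }
}
```

Because destination names and other attribute strings are written through writeString, a quote, backslash or newline inside a name cannot break out of its JSON string; the DestinationsViewFilter read path would still need its own replacement, as Matt notes.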
