Hi everyone,

I want to take another stab at TINKERPOP-2948 with the upgrade to Jackson 2.15. There are some breaking changes which must be noted here. Jackson 2.15 introduces max token size limits for parsing string and numeric literals. There is also a new limit on JSON nesting depth in Jackson. The default values for these in Jackson are 20M chars for strings, 1000 chars for numbers, and a max nesting depth of 1000.

My proposal is that we set our own default limits in TinkerPop such that we do not reasonably expect any users to exceed the defaults. The only Jackson default that concerns me in this regard is the max number length as it is already exceeded by one of our tests (g_withSackXBigInteger_TEN_powX1000X_assignX_V_localXoutXknowsX_barrierXnormSackXX_inXknowsX_barrier_sack). My suggestion is to set the TinkerPop default limit as 10 000 chars for numbers and assume the other defaults from Jackson.

Further, I would suggest we add config options such as “maxJsonStringLength”, “maxJsonNumberLength”, and “maxJsonNestingDepth” to both the Java driver and server so that it is possible for users to overcome these limits if needed.

Since this change is security motivated and the impact to users is minimal, I would suggest we proceed with implementing this change in 3.5-dev.

Regards,
Cole Greer
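The limits discussed in the message above, as an added example that is not part of the original message and is not TinkerPop code: it uses Jackson 2.15's `StreamReadConstraints` API directly to compare the default number-length limit with the proposed 10 000. The class name, helper names and the integer literals are constructed for illustration, and the unshaded `com.fasterxml.jackson` package names are an assumption.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

import java.io.IOException;
import java.math.BigInteger;

// Added example (hypothetical class, not from TinkerPop).
public class JsonReadLimitsExample {

    // Build a factory whose parsers enforce the given read limits.
    static JsonFactory factoryWith(int maxString, int maxNumber, int maxDepth) {
        StreamReadConstraints limits = StreamReadConstraints.builder()
                .maxStringLength(maxString)
                .maxNumberLength(maxNumber)
                .maxNestingDepth(maxDepth)
                .build();
        return JsonFactory.builder().streamReadConstraints(limits).build();
    }

    // True if the parser accepts the document as one integer literal,
    // false if a read constraint rejects it.
    static boolean acceptsInteger(JsonFactory factory, String json) throws IOException {
        try (JsonParser parser = factory.createParser(json)) {
            parser.nextToken();
            parser.getBigIntegerValue();
            return true;
        } catch (StreamConstraintsException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: 10^1000 has 1001 digits, 10^10000 has 10001 digits.
        String digits1001 = BigInteger.TEN.pow(1000).toString();
        String digits10001 = BigInteger.TEN.pow(10_000).toString();

        // Limits as stated in the message: Jackson defaults vs. the proposed number limit.
        JsonFactory jacksonDefaults = factoryWith(20_000_000, 1_000, 1_000);
        JsonFactory proposed = factoryWith(20_000_000, 10_000, 1_000);

        System.out.println("defaults, 1001 digits:  " + acceptsInteger(jacksonDefaults, digits1001));
        System.out.println("proposed, 1001 digits:  " + acceptsInteger(proposed, digits1001));
        // The raised limit still bounds the input size.
        System.out.println("proposed, 10001 digits: " + acceptsInteger(proposed, digits10001));
    }
}
```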