Abacn commented on PR #37969:
URL: https://github.com/apache/beam/pull/37969#issuecomment-4137796281
In the past there were security fixes that caused regressions: #26743. From 2.15
to 2.18 there are several more:
Gemini said
```
1. Expansion of "Processing Limits" (2.16 & 2.18)
Building on the string/nesting limits introduced in 2.15, 2.16 and 2.18
added new constraints. If your JSON exceeds these, you will now get a
StreamConstraintsException.
Max Property Name Length (2.16): Limits the length of JSON keys (Object
property names). The default is 50,000 characters.
Max Token Count (2.18): A new limit on the total number of tokens (e.g., {,
}, "key", true) allowed in a single document. This is designed to stop
"low-bandwidth DoS" where a small file (like [[[[...]]]]) consumes massive
memory during tree building.
Note: It is currently unlimited by default, but many security-hardened
configurations now suggest setting a limit.
Output Nesting Limit (2.16): Jackson now limits how deep your Java objects
can be nested when writing JSON (default 1,000 levels).
2. Security: Redacted Source Locations (2.16)
In 2.15, if a parsing error occurred, the exception message often included a
snippet of the source JSON.
The Change: Starting in 2.16, StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION
is set to false by default.
The Impact: Your error logs will no longer show the actual JSON snippet
causing the error; it will simply say REDACTED. This is to prevent sensitive
data (PII/passwords) from leaking into logs.
How to revert:
Java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadFeature;

// Re-enable the pre-2.16 behaviour of echoing the source snippet in parse errors
JsonFactory factory = JsonFactory.builder()
    .enable(StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION)
    .build();
3. Major Rewrite: Property Introspection (2.18)
Version 2.18 includes a massive internal rewrite of how Jackson "looks" at
your classes to find getters, setters, and constructors.
The Goal: Unify the logic for POJOs, Records, and Kotlin data classes.
Potential "Break": While mostly compatible, if you relied on very specific,
undocumented behavior regarding how @JsonCreator interacted with implicit
parameter names or "annotation-less" constructors, you might see changes in
which constructor Jackson picks by default.
Better Record Support: This rewrite finally fixes several long-standing bugs
where @JsonAnySetter wouldn't work correctly with Java Records.
```
Is there potential concern for these listed changes, and/or are there others?
--
This is an automated message from the Apache Git Service.
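The quoted summary lists the 2.15 to 2.18 limits (nesting depth, name length, token count, output nesting) and the 2.16 switch to redacted source locations. The following is an added example, not code from the Beam PR, from Apache Beam, or from the Jackson project: it builds a `JsonFactory` with those constraints set explicitly instead of inherited, and exercises both an over-limit document and a malformed one so that the `StreamConstraintsException` path and the `REDACTED` location can be observed side by side. It assumes jackson-core and jackson-databind 2.18.x on the classpath (the `maxTokenCount(long)` builder method only exists from 2.18) and Java 11 or newer for `String.repeat`; the limit values, class name and sample inputs are constructed for the demo.

```java
// Added example: explicit Jackson 2.18 read/write constraints plus the
// INCLUDE_SOURCE_IN_LOCATION toggle. Not part of Beam or Jackson.
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonFactoryBuilder;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.StreamReadFeature;
import com.fasterxml.jackson.core.StreamWriteConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.io.IOException;

public class JacksonLimitsDemo {

    /**
     * Builds a factory whose processing limits are pinned in code, so an
     * upgrade that changes a default (as 2.16 and 2.18 did) cannot silently
     * change what this application accepts. Limit values are constructed
     * for the demo; pick them from your own payload profile.
     */
    static JsonFactory hardenedFactory(boolean includeSourceInErrors) {
        StreamReadConstraints read = StreamReadConstraints.builder()
                .maxNestingDepth(100)      // library default 1,000 (since 2.15)
                .maxNameLength(1_000)      // library default 50,000 (since 2.16)
                .maxTokenCount(10_000L)    // unlimited by default (since 2.18)
                .build();
        StreamWriteConstraints write = StreamWriteConstraints.builder()
                .maxNestingDepth(100)      // library default 1,000 (since 2.16)
                .build();

        JsonFactoryBuilder builder = JsonFactory.builder()
                .streamReadConstraints(read)
                .streamWriteConstraints(write);
        if (includeSourceInErrors) {
            // 2.16+ disables this by default so raw input never lands in logs;
            // only turn it on where the logs themselves are treated as sensitive.
            builder = builder.enable(StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION);
        }
        return builder.build();
    }

    /**
     * Parses the document and classifies the outcome: null when it parses,
     * a "limit:" message when a StreamReadConstraints bound was hit, or a
     * "parse error:" message for ordinary malformed input.
     */
    static String tryParse(JsonFactory factory, String json) {
        ObjectMapper mapper = JsonMapper.builder(factory).build();
        try {
            mapper.readTree(json);
            return null;
        } catch (StreamConstraintsException e) {
            // Thrown before the tree is built, which is the whole point of
            // the limits: the over-sized document never reaches memory.
            return "limit: " + e.getMessage();
        } catch (IOException e) {
            // Location text contains either REDACTED or the offending snippet,
            // depending on INCLUDE_SOURCE_IN_LOCATION.
            return "parse error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        JsonFactory redacting = hardenedFactory(false);
        JsonFactory verbose = hardenedFactory(true);

        // Constructed inputs: 200 nested arrays (over the 100-level limit,
        // the "[[[[...]]]]" shape from the summary) and a document with a
        // trailing comma, which Jackson rejects by default.
        String deep = "[".repeat(200) + "]".repeat(200);
        String broken = "{\"password\": \"hunter2\", }";

        System.out.println(tryParse(redacting, deep));    // exceeds maxNestingDepth
        System.out.println(tryParse(redacting, broken));  // source location redacted
        System.out.println(tryParse(verbose, broken));    // source snippet included
    }
}
```

Running the third case shows the field value from the malformed document inside the exception message, which is the leak the 2.16 default closes; the second case shows the same error with the source replaced. For a Beam-style library that logs parse failures from user-supplied payloads, keeping the default off and pinning the read constraints in code is the combination that survives the 2.15 to 2.18 default changes without surprises.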