Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[#158] Update Jackson dependencies to the latest version (v2.17.2) #219

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

aureliony
Copy link
Contributor

Fixes #158.

To fix the issue with relative path serialization, ObjectMapper is modified to use ToStringSerializer for the Path class, which serializes relative paths correctly.

jackson-databind v2.7.0 and jackson-datatype-jsr310 v2.7.4 are severely
outdated, and have critical security vulnerabilities. However, newer
versions of the library serialize relative paths as absolute, causing
tests to fail when updating the dependencies. This is fixed by modifying
the ObjectMapper to use ToStringSerializer for the Path class, which
serializes relative paths correctly.

Let's update the Jackson dependencies to the latest version (v2.17.2) to
resolve the security vulnerabilities and remove the IntelliJ warning.
Copy link

canihasreview bot commented Jul 27, 2024

Click here to submit a new iteration when this PR is ready for review.

See this repository's contribution guide for more information.

@aureliony aureliony changed the title Update Jackson dependencies to latest version (v2.17.2) [#158] Update Jackson dependencies to the latest version (v2.17.2) Jul 27, 2024
Copy link

canihasreview bot commented Jul 30, 2024

v1

@aureliony submitted v1 for review.

(📚 Archive)

Checkout this PR version locally
git fetch https://github.com/se-edu/addressbook-level3.git refs/pr/219/1/head:BRANCHNAME

where BRANCHNAME is the name of the local branch you wish to fetch this PR to.

Copy link

@itstrueitstrueitsrealitsreal itstrueitstrueitsrealitsreal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other changes LGTM, but not too sure if there is a need to deserialize the newly added path.class as well.

@@ -37,7 +37,8 @@ public class JsonUtil {
.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY)
.registerModule(new SimpleModule("SimpleModule")
.addSerializer(Level.class, new ToStringSerializer())
.addDeserializer(Level.class, new LevelDeserializer(Level.class)));
.addDeserializer(Level.class, new LevelDeserializer(Level.class))
.addSerializer(Path.class, new ToStringSerializer()));

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would there be a need to deserialise the Path.class as well?

Suggested change
.addSerializer(Path.class, new ToStringSerializer()));
.addSerializer(Path.class, new ToStringSerializer())
.addDeserializer(Path.class, new PathDeserializer(Path.class)));

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By default, Jackson will use com.fasterxml.jackson.databind.ext.NioPathDeserializer to deserialize the Path class, which we should not override as it is working as expected for both absolute and relative paths.

@jyue487
Copy link
Contributor

jyue487 commented Jul 31, 2024

LGTM.

However I am not sure whether it is the best practice or not. ObjectMapper maps the file to its absolute path, therefore we have no choice but to teach our objectmapper to serialize the file to their relative paths, which is to add a Path serializer to our objectmapper module. Here comes the question, should we use ToStringSerializer or should we design a PathSerializer? I think both works fine, it's just an issue of good practices.

Otherwise, if the severity issue can be waited, I am not sure whether it is fine to just stick to the old version first.

@aureliony
Copy link
Contributor Author

LGTM.

However I am not sure whether it is the best practice or not. ObjectMapper maps the file to its absolute path, therefore we have no choice but to teach our objectmapper to serialize the file to their relative paths, which is to add a Path serializer to our objectmapper module. Here comes the question, should we use ToStringSerializer or should we design a PathSerializer? I think both works fine, it's just an issue of good practices.

Otherwise, if the severity issue can be waited, I am not sure whether it is fine to just stick to the old version first.

I am in favor of using ToStringSerializer. Even if we were to create our own custom serializer, it's gonna use path.toString() anyway (unless there's another way to get a string representation of the path?), so it would keep things much simpler. Additionally ToStringSerializer is already being used to serialize java.util.logging.Level.

Copy link
Contributor

@hjungwoo01 hjungwoo01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

The code correctly adds the Path serializer using ToStringSerializer to handle relative path serialization. The implementation is clean and follows a consistent style. Given the context, using ToStringSerializer for Path seems appropriate. The approach seems correct and should work as intended.

@ryanozx
Copy link

ryanozx commented Aug 1, 2024

Thanks for investigating the issue regarding path serialisation—this was a major blocker when upgrading the Jackson dependencies! A minor question: Why are we upgrading specifically to 2.17.2 instead of a slightly older version that does not contain the security vulnerability (which, if I recall correctly, is any version that is at least 2.13)? Can we guarantee that it is compatible with the existing modules, and are there any tests which can prove that no unintentional regressions have been introduced? Thanks!

@baskargopinath
Copy link
Contributor

LGTM, just wondering if we need to test this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Jackson Dependency has vulnerable version
6 participants