FasterXML / jackson-dataformat-xml

Extension for Jackson JSON processor that adds support for serializing POJOs as XML (and deserializing from XML) as an alternative to JSON
Apache License 2.0

[DRAFT] deep nesting check #576

Closed pjfanning closed 1 year ago

pjfanning commented 1 year ago

relies on https://github.com/FasterXML/jackson-core/pull/943

It may be better to doc that StreamReadConstraints is ignored for jackson-dataformat-xml and that users are better off using WstxInputFactory and creating XmlMapper using an instance of WstxInputFactory.

WstxInputFactory.getConfig() gives you a ReaderConfig which already has a default max element depth of 1000.

https://fasterxml.github.io/woodstox/javadoc/6.0/com/ctc/wstx/api/ReaderConfig.html
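An added example, not code from this PR or the project, of the alternative described above: building an `XmlMapper` on a `WstxInputFactory` whose `ReaderConfig` carries the element-depth limit, so Woodstox rejects over-nested input before Jackson sees it. It assumes `ReaderConfig.setMaxElementDepth` (the setter matching the default the comment mentions) and the `XmlFactory(XMLInputFactory)` / `XmlMapper(XmlFactory)` constructors; the input document is constructed inline.

```java
import com.ctc.wstx.api.ReaderConfig;
import com.ctc.wstx.stax.WstxInputFactory;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

import java.util.Map;

public class WoodstoxDepthLimitExample {

    // Builds an XmlMapper whose Woodstox reader aborts on documents nested
    // deeper than maxDepth. Woodstox's ReaderConfig default is 1000 (as the
    // comment notes); a tighter value is used here to make the effect visible.
    static XmlMapper mapperWithMaxDepth(int maxDepth) {
        WstxInputFactory inputFactory = new WstxInputFactory();
        ReaderConfig cfg = inputFactory.getConfig();
        cfg.setMaxElementDepth(maxDepth); // assumed setter name, see lead-in
        return new XmlMapper(new XmlFactory(inputFactory));
    }

    // Constructed sample input: <a><a>...<a>x</a>...</a></a>, `depth` levels deep.
    static String nestedDoc(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append("<a>");
        sb.append("x");
        for (int i = 0; i < depth; i++) sb.append("</a>");
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        XmlMapper mapper = mapperWithMaxDepth(50);

        // Within the limit: parses as usual.
        Map<?, ?> ok = mapper.readValue(nestedDoc(10), Map.class);
        System.out.println("depth 10 parsed: " + ok);

        // Beyond the limit: Woodstox stops the parse with an XMLStreamException,
        // which Jackson surfaces from readValue. The wrapper type is not stated
        // on this page, so the catch is deliberately broad.
        try {
            mapper.readValue(nestedDoc(200), Map.class);
            System.out.println("depth 200 parsed: limit was not enforced");
        } catch (Exception e) {
            System.out.println("depth 200 rejected: " + e.getMessage());
        }
    }
}
```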

pjfanning commented 1 year ago

closing as you can use woodstox to do the nesting check

cowtowncoder commented 1 year ago

Yeah this is tricky. On one hand I agree, use of native facilities is generally a better way. At the same time, shared configurability and checking has its benefits; including but not limited to Jackson-specific exceptions, context.

To further complicate things, theoretically nesting levels between actual XML and logical "converted" JSON events can have slight discrepancy too.

So for now I think let's use Jackson's new checks and not change Woodstox defaults. We can revisit this in future as necessary.

pjfanning commented 1 year ago

Maybe worth having the 2 ways to check for depth (woodstox and jackson-specific). I'm still going to treat this as a lower priority than adding nesting check for Smile and CBOR formats. Possibly, other dataformats too.

There is already a StreamReadConstraints setting that is not implemented as Jackson-specific - for that you need to use Woodstox config - https://github.com/FasterXML/jackson-dataformat-xml/issues/571

StreamReadConstraints number len check is applied though

cowtowncoder commented 1 year ago

Ah. Yes... String length checks would be much more efficient to apply at Woodstox level.