FasterXML / jackson-dataformats-binary

Uber-project for standard Jackson binary format backends: avro, cbor, ion, protobuf, smile
Apache License 2.0

CVE in avro prior to v1.11.3 #401

Closed pjfanning closed 1 year ago

pjfanning commented 1 year ago

https://lists.apache.org/thread/wcj1747hvyl7qjhrfr6d6j1l62hvpr5l
https://www.cve.org/CVERecord?id=CVE-2023-39410
https://issues.apache.org/jira/browse/AVRO-3819

Upgrading the dependency in this repo breaks numerous tests. The existing dependency is on v1.8.2.

[INFO] Results:
[INFO] 
[ERROR] Failures: 
[ERROR]   AvroAliasTest.testAliasedEnumForwardsCompatible:113 expected:<[]COMPATIBLE> but was:<[IN]COMPATIBLE>
[ERROR]   AvroAliasTest.testAliasedEnumForwardsCompatible:113 expected:<[]COMPATIBLE> but was:<[IN]COMPATIBLE>
[ERROR]   AvroAliasTest.testAliasedEnumForwardsCompatible:113 expected:<[]COMPATIBLE> but was:<[IN]COMPATIBLE>
[ERROR]   AvroAliasTest.testAliasedEnumForwardsCompatible:113 expected:<[]COMPATIBLE> but was:<[IN]COMPATIBLE>
[ERROR]   AvroAliasTest.testAliasedRecordForwardsCompatible:69 expected:<[]COMPATIBLE> but was:<[IN]COMPATIBLE>
[ERROR]   AvroAliasTest.testAliasedRecordForwardsCompatible:69 expected:<[]COMPATIBLE> but was:<[IN]COMPATIBLE>
[ERROR]   AvroAliasTest.testAliasedRecordForwardsCompatible:69 expected:<[]COMPATIBLE> but was:<[IN]COMPATIBLE>
[ERROR]   AvroAliasTest.testAliasedRecordForwardsCompatible:69 expected:<[]COMPATIBLE> but was:<[IN]COMPATIBLE>
[ERROR] Errors: 
[ERROR]   SerializeGeneratedTest.testWriteGeneratedEvent:18 » JsonMapping No field named 'specificData' (through reference chain: com.fasterxml.jackson.dataformat.avro.gen.Event35["specificData"])
[ERROR]   UnionTest.testInterfaceUnionWithCat:125->InteropTestBase.roundTrip:131->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]: com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@55d9b8f0 (field=animal)
[ERROR]   UnionTest.testInterfaceUnionWithCat:125->InteropTestBase.roundTrip:131->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]: com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@f288c14 (field=animal)
[ERROR]   UnionTest.testInterfaceUnionWithDog:134->InteropTestBase.roundTrip:131->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]: com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@3419e23b (field=animal)
[ERROR]   UnionTest.testInterfaceUnionWithDog:134->InteropTestBase.roundTrip:131->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]: com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@16872c4d (field=animal)
[ERROR]   UnionTest.testListWithInterfaceUnion:155->InteropTestBase.roundTrip:131->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"array","items":[{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]}]: [com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@a18649a, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@5c534b5b, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@396639b, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@2b22a1cc] (field=pets)
[ERROR]   UnionTest.testListWithInterfaceUnion:155->InteropTestBase.roundTrip:131->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"array","items":[{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]}]: [com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@3f92a84e, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@cf67838, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@6137cf6e, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@7942a854] (field=pets)
[ERROR]   UnionTest.testMapWithInterfaceUnion:166->InteropTestBase.roundTrip:131->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"array","items":[{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]}]: [com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@1b9776f5, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@5e048149, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@79d9214d, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@3d5790ea] (field=pets)
[ERROR]   UnionTest.testMapWithInterfaceUnion:166->InteropTestBase.roundTrip:131->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"array","items":[{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]}]: [com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@56f521c6, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@680a66dd, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Dog@2dd8239, com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@472698d] (field=pets)
[ERROR]   UnionTest.testRootUnionWithAnimal:116->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union [{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]: com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@14229fa7
[ERROR]   UnionTest.testRootUnionWithAnimal:116->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union [{"type":"record","name":"Cat","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"color","type":["null","string"]}]},{"type":"record","name":"Dog","namespace":"com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$","fields":[{"name":"size","type":{"type":"int","java-class":"java.lang.Integer"}}]}]: com.fasterxml.jackson.dataformat.avro.interop.annotations.UnionTest$Cat@33a3c44a
[ERROR]   RecordWithComplexTest.testRecordWithOptionalEnumField:87->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"enum","name":"DummyEnum","namespace":"com.fasterxml.jackson.dataformat.avro.interop.InteropTestBase$","symbols":["NORTH","SOUTH","EAST","WEST"]}]: SOUTH (field=optionalEnum)
[ERROR]   RecordWithComplexTest.testRecordWithOptionalEnumField:87->InteropTestBase.roundTrip:151 » UnresolvedUnion Not in union ["null",{"type":"enum","name":"DummyEnum","namespace":"com.fasterxml.jackson.dataformat.avro.interop.InteropTestBase$","symbols":["NORTH","SOUTH","EAST","WEST"]}]: SOUTH (field=optionalEnum)
[ERROR]   RecordEvolutionTest.testEvolutionInvolvingComplexRecords:140 » AvroType Invalid default for field name: null not a ["string","null"]

cowtowncoder commented 1 year ago

Correct, newer Apache Avro libraries are not backwards compatible with the version against which the Avro module is written. There is an existing issue for this.

pjfanning commented 1 year ago

Closing due to #167.