metosin / jsonista

Clojure library for fast JSON encoding and decoding.
https://cljdoc.org/d/metosin/jsonista
Eclipse Public License 2.0

Change in behaviour - 0.3.8 -> 0.3.9 #77

Open lowecg opened 3 months ago

lowecg commented 3 months ago

There's a change in behaviour between 0.3.8 and 0.3.9 with how errors are reported in the exception message. The source is now redacted from the error message.

That seems like a more secure default, but is there a way to control this in the options to get the same behaviour as before?

0.3.8

(require '[jsonista.core :as j])

(j/read-value "{\"result\": \"value\"" j/keyword-keys-object-mapper)
Execution error (JsonEOFException) at com.fasterxml.jackson.core.base.ParserMinimalBase/_reportInvalidEOF (ParserMinimalBase.java:697).
Unexpected end-of-input: expected close marker for Object (start marker at [Source: (String)"{"result": "value""; line: 1, column: 1])
 at [Source: (String)"{"result": "value""; line: 1, column: 19]

0.3.9

(require '[jsonista.core :as j])

(j/read-value "{\"result\": \"value\"" j/keyword-keys-object-mapper)

Execution error (JsonEOFException) at com.fasterxml.jackson.core.base.ParserMinimalBase/_reportInvalidEOF (ParserMinimalBase.java:585).
Unexpected end-of-input: expected close marker for Object (start marker at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 1])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 19]

A likely cause is that the jackson deps have jumped and I'm not sure if that was intentional or not. I only say this because the 0.3.9 release notes say that you use 2.15.2 even though 2.17.1 is available, but jsonista's definitely using 2.17.1 now.

[com.fasterxml.jackson.core/jackson-core "2.17.1"] is available but we use "2.15.2"
[com.fasterxml.jackson.core/jackson-databind "2.17.1"] is available but we use "2.15.2"
[com.fasterxml.jackson.datatype/jackson-datatype-jsr310 "2.17.1"] is available but we use "2.15.2"

0.3.8

echo '{:deps {metosin/jsonista {:mvn/version "0.3.8"}}}' > deps.edn

clj -Xdeps tree
org.clojure/clojure 1.11.3
  . org.clojure/spec.alpha 0.3.218
  . org.clojure/core.specs.alpha 0.2.62
metosin/jsonista 0.3.8
  . com.fasterxml.jackson.core/jackson-core 2.15.2
  . com.fasterxml.jackson.core/jackson-databind 2.15.2
    . com.fasterxml.jackson.core/jackson-annotations 2.15.2
    . com.fasterxml.jackson.core/jackson-core 2.15.2
  . com.fasterxml.jackson.datatype/jackson-datatype-jsr310 2.15.2
    . com.fasterxml.jackson.core/jackson-annotations 2.15.2
    . com.fasterxml.jackson.core/jackson-core 2.15.2
    . com.fasterxml.jackson.core/jackson-databind 2.15.2

0.3.9

echo '{:deps {metosin/jsonista {:mvn/version "0.3.9"}}}' > deps.edn

clj -Xdeps tree
org.clojure/clojure 1.11.3
  . org.clojure/spec.alpha 0.3.218
  . org.clojure/core.specs.alpha 0.2.62
metosin/jsonista 0.3.9
  . com.fasterxml.jackson.core/jackson-core 2.17.1
  . com.fasterxml.jackson.core/jackson-databind 2.17.1
    . com.fasterxml.jackson.core/jackson-annotations 2.17.1
    . com.fasterxml.jackson.core/jackson-core 2.17.1
  . com.fasterxml.jackson.datatype/jackson-datatype-jsr310 2.17.1
    . com.fasterxml.jackson.core/jackson-annotations 2.17.1
    . com.fasterxml.jackson.core/jackson-core 2.17.1
    . com.fasterxml.jackson.core/jackson-databind 2.17.1
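
The redaction shown above is Jackson's `StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` being disabled by default in the newer Jackson pulled in by 0.3.9. The following is an added example, not code from jsonista or from the issue author, showing how to keep jsonista's default (redacted) mapper for normal use and build a second, opt-in mapper that restores the old message format. It assumes jsonista 0.3.9 with Jackson 2.17.x, where `JsonParser$Feature/INCLUDE_SOURCE_IN_LOCATION` is still available as the `ObjectMapper`-level alias of the stream-read feature; the `ns` name and function names are placeholders.

```clojure
;; Added example, not part of jsonista or of this issue.
;; Assumes jsonista 0.3.9 + Jackson 2.17.x (source-in-location disabled by default).
(ns example.jackson-location                              ; hypothetical namespace
  (:require [jsonista.core :as j])
  (:import [com.fasterxml.jackson.core JsonParser$Feature JsonProcessingException]))

;; jsonista's stock mapper with keyword keys: parse-error locations say
;; "Source: REDACTED", so the raw input never ends up in the exception text.
(def redacted-mapper
  (j/object-mapper {:decode-key-fn true}))

;; Opt-in mapper: same jsonista options, but the underlying JsonFactory keeps the
;; input in JsonLocation. ObjectMapper.enable is varargs, hence into-array.
;; With this mapper every parse failure copies the offending input into the
;; exception message, so use it only where that message stays in a debug context
;; and is not written to shared logs.
(def verbose-mapper
  (doto (j/object-mapper {:decode-key-fn true})
    (.enable (into-array JsonParser$Feature
                         [JsonParser$Feature/INCLUDE_SOURCE_IN_LOCATION]))))

(defn parse-error-message
  "Parses `s` with `mapper`. Returns nil on success, otherwise Jackson's error
   message, which is where the redacted / non-redacted location text appears."
  [mapper s]
  (try
    (j/read-value s mapper)
    nil
    (catch JsonProcessingException e
      (.getMessage e))))

;; Constructed input: the same truncated object used in the issue (no closing brace).
(def truncated-input "{\"result\": \"value\"")

(comment
  ;; Same parse error as in the issue; only the [Source: ...] part of the message differs.
  (parse-error-message redacted-mapper truncated-input)
  (parse-error-message verbose-mapper truncated-input))
```

With `redacted-mapper` the message ends in `[Source: REDACTED (...)]` as quoted for 0.3.9 above; with `verbose-mapper` it carries the `(String)"{"result": "value""` text as quoted for 0.3.8. Keeping two mappers rather than flipping the feature globally means the redacted one remains the default for request handling, and the verbose one is reached for deliberately.
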

ikitommi commented 3 months ago

Thanks for reporting! We want to use the latest Jackson version for security updates. Could you look at the Release Notes of Jackson (https://github.com/FasterXML/jackson/wiki/Jackson-Releases) to see if there are options for how to manage how this works now.