This is an automated email from the ASF dual-hosted git repository. colegreer pushed a commit to branch 3.5-dev in repository https://gitbox.apache.org/repos/asf/tinkerpop.git
The following commit(s) were added to refs/heads/3.5-dev by this push: new 08559317c7 TINKERPOP-2948 bump jackson databind to 2.15.0 (#2139) 08559317c7 is described below commit 08559317c7e1c9c783ac6a88c6b8cb4bb569cb79 Author: Cole Greer <112986082+cole-gr...@users.noreply.github.com> AuthorDate: Mon Jul 17 14:48:30 2023 -0700 TINKERPOP-2948 bump jackson databind to 2.15.0 (#2139) * TINKERPOP-2948 bump jackson databind to 2.15.0 Update maven-shade-plugin * TINKERPOP-2948 Add StreamReadConstraints config to GraphSON serializers With the upgrade to jackson 2.15.0, new StreamReadConstraints are introduced which set certain max token sizes for deserialization. This commit is adding configuration options to all GraphSON serializers to define maxNumberLength, maxStringLength, and maxNestingDepth options. Also includes a small change to the shade plugin to stop generating dependency-reduced-pom.xml's as they were leading to dependency related build problems throughout the project. --------- Co-authored-by: Aaron Coady <aco...@ca.ibm.com> --- CHANGELOG.asciidoc | 2 + docs/src/upgrade/release-3.5.x.asciidoc | 14 ++++ .../structure/io/graphson/GraphSONMapper.java | 25 +++++- .../io/graphson/GraphSONStreamConstraintsTest.java | 93 ++++++++++++++++++++++ .../ser/AbstractGraphSONMessageSerializerV1d0.java | 16 ++++ .../ser/AbstractGraphSONMessageSerializerV2d0.java | 16 ++++ .../gremlin/driver/ClusterConfigTest.java | 72 +++++++++++++++++ .../AbstractGraphSONMessageSerializerV1d0Test.java | 53 ++++++++++++ .../AbstractGraphSONMessageSerializerV2d0Test.java | 53 ++++++++++++ gremlin-shaded/pom.xml | 2 +- pom.xml | 5 +- 11 files changed, 348 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 0471d6fbaa..bd05427e69 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc 
@@ -23,6 +23,8 @@ image::https://raw.githubusercontent.com/apache/tinkerpop/master/docs/static/ima [[release-3-5-7]] === TinkerPop 3.5.7 (Release Date: NOT OFFICIALLY RELEASED YET) +* Bumped `jackson-databind` to 2.15.2 to fix security vulnerability. +* Introduced `maxNumberLength`, `maxStringLength`, and `maxNestingDepth` configs for `GraphSON` serializers. * Fixed a memory leak in the Gremlin.Net driver that only occurred if a CancellationToken was provided. * Fixed gremlin-python `Client` problem where calling `submit()` after` `close()` would hang the system. * Added `gremlin.spark.dontDeleteNonEmptyOutput` to stop deleting the output folder if it is not empty in `spark-gremlin`. diff --git a/docs/src/upgrade/release-3.5.x.asciidoc b/docs/src/upgrade/release-3.5.x.asciidoc index acc54af038..d7ea18c3c7 100644 --- a/docs/src/upgrade/release-3.5.x.asciidoc +++ b/docs/src/upgrade/release-3.5.x.asciidoc @@ -32,6 +32,20 @@ complete list of all the modifications that are part of this release. `gremlin-javascript` and `gremlint` have upgraded from Node 10 to Node 16 as Node 10 has passed end of life. `gremlin-go` has upgraded from Go 1.17 to Go 1.20 as Go 1.20 has passed end of life. +Introduced max number length (10000 chars), string length (20 000 000 chars), and nesting depth (1000) +constraints for GraphSON deserialization due to security vulnerabilities with earlier versions of Jackson Databind. +New constraints are not expected to impact most users but can be overriden via GraphSONMapper.Builder or through serializer configuration. +Example: +``` +serializers: + - { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0, + config: { + maxNumberLength: 500, + maxStringLength: 500, + maxNestingDepth: 500 + } + } +``` == TinkerPop 3.5.6 
diff --git a/gremlin-core/src/main/java/org/apache/tinkerpop/gremlin/structure/io/graphson/GraphSONMapper.java b/gremlin-core/src/main/java/org/apache/tinkerpop/gremlin/structure/io/graphson/GraphSONMapper.java index fdd421382d..562f2a1379 100644 --- a/gremlin-core/src/main/java/org/apache/tinkerpop/gremlin/structure/io/graphson/GraphSONMapper.java +++ b/gremlin-core/src/main/java/org/apache/tinkerpop/gremlin/structure/io/graphson/GraphSONMapper.java @@ -22,7 +22,9 @@ import org.apache.tinkerpop.gremlin.structure.Graph; import org.apache.tinkerpop.gremlin.structure.io.IoRegistry; import org.apache.tinkerpop.gremlin.structure.io.Mapper; import org.apache.tinkerpop.shaded.jackson.annotation.JsonTypeInfo; +import org.apache.tinkerpop.shaded.jackson.core.JsonFactory; import org.apache.tinkerpop.shaded.jackson.core.JsonGenerator; +import org.apache.tinkerpop.shaded.jackson.core.StreamReadConstraints; import org.apache.tinkerpop.shaded.jackson.databind.ObjectMapper; import org.apache.tinkerpop.shaded.jackson.databind.SerializationFeature; import org.apache.tinkerpop.shaded.jackson.databind.jsontype.TypeResolverBuilder; 
@@ -61,18 +63,21 @@ import java.util.UUID; * @author Stephen Mallette (http://stephen.genoprime.com) */ public class GraphSONMapper implements Mapper<ObjectMapper> { + public static final int DEFAULT_MAX_NUMBER_LENGTH = 10000; private final List<SimpleModule> customModules; private final boolean loadCustomSerializers; private final boolean normalize; private final GraphSONVersion version; private final TypeInfo typeInfo; + private final StreamReadConstraints streamReadConstraints; private GraphSONMapper(final Builder builder) { this.customModules = builder.customModules; this.loadCustomSerializers = builder.loadCustomModules; this.normalize = builder.normalize; this.version = builder.version; + this.streamReadConstraints = builder.streamReadConstraintsBuilder.build(); if (null == builder.typeInfo) this.typeInfo = builder.version == GraphSONVersion.V1_0 ? TypeInfo.NO_TYPES : TypeInfo.PARTIAL_TYPES; @@ -82,7 +87,7 @@ public class GraphSONMapper implements Mapper<ObjectMapper> { @Override public ObjectMapper createMapper() { - final ObjectMapper om = new ObjectMapper(); + final ObjectMapper om = new ObjectMapper(JsonFactory.builder().streamReadConstraints(streamReadConstraints).build()); om.disable(SerializationFeature.FAIL_ON_EMPTY_BEANS); final GraphSONModule graphSONModule = version.getBuilder().create(normalize); @@ -174,6 +179,7 @@ public class GraphSONMapper implements Mapper<ObjectMapper> { builder.loadCustomModules = mapper.loadCustomSerializers; builder.normalize = mapper.normalize; builder.typeInfo = mapper.typeInfo; + builder.streamReadConstraintsBuilder = mapper.streamReadConstraints.rebuild(); return builder; } 
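Review bot: The new public constant `DEFAULT_MAX_NUMBER_LENGTH = 10000` in the `@@ -61,18 +63,21 @@` hunk is undocumented, and it sets the number-length limit above the default that Jackson 2.15 itself applies (1000). GraphSON readers therefore accept longer numeric tokens than a stock `ObjectMapper` would, even though the upgrade notes present these constraints as a security measure. A Javadoc such as `/** Default maximum length of a numeric token accepted during GraphSON deserialization; deliberately higher than Jackson's own default. */` should record the choice and the reason for the higher value. The class body continues outside the hunk.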
@@ -200,6 +206,8 @@ public class GraphSONMapper implements Mapper<ObjectMapper> { private List<IoRegistry> registries = new ArrayList<>(); private GraphSONVersion version = GraphSONVersion.V3_0; private boolean includeDefaultXModule = false; + private StreamReadConstraints.Builder streamReadConstraintsBuilder = StreamReadConstraints.builder() + .maxNumberLength(DEFAULT_MAX_NUMBER_LENGTH); /** * GraphSON 2.0/3.0 should have types activated by default (3.0 does not have a typeless option), and 1.0 @@ -279,6 +287,21 @@ public class GraphSONMapper implements Mapper<ObjectMapper> { return this; } + public Builder maxNumberLength(final int maxNumLength) { + this.streamReadConstraintsBuilder.maxNumberLength(maxNumLength); + return this; + } + + public Builder maxNestingDepth(final int maxNestingDepth) { + this.streamReadConstraintsBuilder.maxNestingDepth(maxNestingDepth); + return this; + } + + public Builder maxStringLength(final int maxStringLength) { + this.streamReadConstraintsBuilder.maxStringLength(maxStringLength); + return this; + } + public GraphSONMapper create() { registries.forEach(registry -> { final List<Pair<Class, SimpleModule>> simpleModules = registry.find(GraphSONIo.class, SimpleModule.class); diff --git a/gremlin-core/src/test/java/org/apache/tinkerpop/gremlin/structure/io/graphson/GraphSONStreamConstraintsTest.java b/gremlin-core/src/test/java/org/apache/tinkerpop/gremlin/structure/io/graphson/GraphSONStreamConstraintsTest.java new file mode 100644 index 0000000000..a096546f2b --- /dev/null +++ b/gremlin-core/src/test/java/org/apache/tinkerpop/gremlin/structure/io/graphson/GraphSONStreamConstraintsTest.java 
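Review bot: The three new public builder methods `maxNumberLength`, `maxNestingDepth` and `maxStringLength` in the `@@ -279,6 +287,21 @@` hunk have no Javadoc, so nothing tells a caller that these limits guard deserialization of untrusted input. Each should get a short Javadoc stating what is limited, which default applies when the method is not called, and that a very large value effectively switches the protection off. The parameter of the first method is named `maxNumLength` while the other two repeat the method name; `final int maxNumberLength` would keep the three parallel. The Builder class starts and ends outside the hunk.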
@@ -0,0 +1,93 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.tinkerpop.gremlin.structure.io.graphson; + +import org.apache.tinkerpop.shaded.jackson.core.exc.StreamConstraintsException; +import org.apache.tinkerpop.shaded.jackson.databind.JsonMappingException; +import org.apache.tinkerpop.shaded.jackson.databind.ObjectMapper; +import org.junit.Test; + +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThrows; +import static org.junit.Assert.assertTrue; + +public class GraphSONStreamConstraintsTest extends AbstractGraphSONTest{ + + final ObjectMapper defaultMapper = GraphSONMapper.build().create().createMapper(); + + @Test + public void testMaxNumberLengthConfig() throws Exception { + final int serializedData = 1000; + + final ObjectMapper mapper = GraphSONMapper.build().maxNumberLength(2).create().createMapper(); + + // should pass with default serializer config + assertEquals((Integer)serializedData, serializeDeserializeAuto(defaultMapper, serializedData)); + + // should fail with small limit config + final Exception exception = assertThrows(JsonMappingException.class, () -> { + 
serializeDeserializeAuto(mapper, serializedData); + }); + assertTrue("Expected StreamConstraintsException for exceeding max number length, found: "+exception.getMessage(), + exception.getMessage().contains("org.apache.tinkerpop.shaded.jackson.core.exc.StreamConstraintsException: Number length") + && exception.getMessage().contains("exceeds the maximum length (2)")); + } + + @Test + public void testMaxStringLengthConfig() throws Exception { + final String serializedData = "This string is more than 20 chars long"; + + final ObjectMapper mapper = GraphSONMapper.build().maxStringLength(20).create().createMapper(); + + // should pass with default serializer config + assertEquals(serializedData, serializeDeserializeAuto(defaultMapper, serializedData)); + + // should fail with small limit config + final Exception exception = assertThrows(StreamConstraintsException.class, () -> { + serializeDeserializeAuto(mapper, serializedData); + }); + assertTrue("Expected StreamConstraintsException for exceeding max String length, found: "+exception.getMessage(), + exception.getMessage().contains("String length") + && exception.getMessage().contains("exceeds the maximum length (20)")); + } + + @Test + public void testMaxNestingDepthConfig() throws Exception { + final Map<String, Object> serializedData = new HashMap<>(); + serializedData.put( + "key1", new HashMap<>().put( + "key2", new HashMap<>().put( + "key3", "val1"))); + final ObjectMapper mapper = GraphSONMapper.build().maxNestingDepth(1).create().createMapper(); + + // should pass with default serializer config + assertEquals(serializedData, serializeDeserializeAuto(defaultMapper, serializedData)); + + // should fail with small limit config + final Exception exception = assertThrows(JsonMappingException.class, () -> { + serializeDeserializeAuto(mapper, serializedData); + }); + assertTrue("Expected StreamConstraintsException for exceeding max nesting depth, found: "+exception.getMessage(), + 
exception.getMessage().contains("org.apache.tinkerpop.shaded.jackson.core.exc.StreamConstraintsException: Depth") + && exception.getMessage().contains("exceeds the maximum allowed nesting depth (1)")); + } +} diff --git a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV1d0.java b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV1d0.java index 31ccf88995..d605b7662a 100644 --- a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV1d0.java +++ b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV1d0.java @@ -75,6 +75,7 @@ public abstract class AbstractGraphSONMessageSerializerV1d0 extends AbstractMess public void configure(final Map<String, Object> config, final Map<String, Graph> graphs) { final GraphSONMapper.Builder initialBuilder = initBuilder(null); addIoRegistries(config, initialBuilder); + applyMaxTokenLimits(initialBuilder, config); mapper = configureBuilder(initialBuilder).create().createMapper(); } @@ -154,6 +155,21 @@ public abstract class AbstractGraphSONMessageSerializerV1d0 extends AbstractMess .version(GraphSONVersion.V1_0); } + private GraphSONMapper.Builder applyMaxTokenLimits(final GraphSONMapper.Builder builder, final Map<String, Object> config) { + if(config != null) { + if(config.containsKey("maxNumberLength")) { + builder.maxNumberLength((int)config.get("maxNumberLength")); + } + if(config.containsKey("maxStringLength")) { + builder.maxStringLength((int)config.get("maxStringLength")); + } + if(config.containsKey("maxNestingDepth")) { + builder.maxNestingDepth((int)config.get("maxNestingDepth")); + } + } + return builder; + } + @Override public ObjectMapper getMapper() { return this.mapper; 
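Review bot: In `testMaxNestingDepthConfig` the nested map is never built: `HashMap.put` returns the previous value for the key, so each inner `new HashMap<>().put(...)` evaluates to `null` and `serializedData` ends up as `{key1=null}`. The test presumably still passes because the GraphSON envelope around a flat map already exceeds a depth of 1, which means real nesting is not exercised. Building the maps in separate statements, as below, fixes the fixture; a limit chosen so that a flat map passes and the nested one fails would make the assertion sharper.

```java
final Map<String, Object> innermost = new HashMap<>();
innermost.put("key3", "val1");
final Map<String, Object> middle = new HashMap<>();
middle.put("key2", innermost);
final Map<String, Object> serializedData = new HashMap<>();
serializedData.put("key1", middle);
// … unchanged: mapper setup and assertions …
```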
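Review bot: `applyMaxTokenLimits` casts each config value with `(int)config.get(...)`, which only works when the value is an `Integer`. A `Long`, a `String` from a properties-style source, or a key mapped to `null` would fail inside `configure` with a `ClassCastException` or `NullPointerException` that does not name the offending key. Reading the value as a number, e.g. `builder.maxNumberLength(((Number) config.get("maxNumberLength")).intValue());`, and rejecting other types with an `IllegalArgumentException` that names the key would be more tolerant and easier to diagnose. The same method is copied verbatim into `AbstractGraphSONMessageSerializerV2d0` in the next file section, so the fix applies there too, and a shared helper would remove the duplication.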
diff --git a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV2d0.java b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV2d0.java index 1caf284dac..1ac3634d9e 100644 --- a/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV2d0.java +++ b/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV2d0.java @@ -75,6 +75,7 @@ public abstract class AbstractGraphSONMessageSerializerV2d0 extends AbstractMess public void configure(final Map<String, Object> config, final Map<String, Graph> graphs) { final GraphSONMapper.Builder initialBuilder = initBuilder(null); addIoRegistries(config, initialBuilder); + applyMaxTokenLimits(initialBuilder, config); mapper = configureBuilder(initialBuilder).create().createMapper(); } @@ -145,6 +146,21 @@ public abstract class AbstractGraphSONMessageSerializerV2d0 extends AbstractMess .version(GraphSONVersion.V2_0); } + private GraphSONMapper.Builder applyMaxTokenLimits(final GraphSONMapper.Builder builder, final Map<String, Object> config) { + if(config != null) { + if(config.containsKey("maxNumberLength")) { + builder.maxNumberLength((int)config.get("maxNumberLength")); + } + if(config.containsKey("maxStringLength")) { + builder.maxStringLength((int)config.get("maxStringLength")); + } + if(config.containsKey("maxNestingDepth")) { + builder.maxNestingDepth((int)config.get("maxNestingDepth")); + } + } + return builder; + } + @Override public ObjectMapper getMapper() { return this.mapper; diff --git a/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/ClusterConfigTest.java b/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/ClusterConfigTest.java new file mode 100644 index 0000000000..4e47684dd7 --- /dev/null +++ b/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/ClusterConfigTest.java 
@@ -0,0 +1,72 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.tinkerpop.gremlin.driver; + +import org.apache.commons.configuration2.BaseConfiguration; +import org.apache.commons.configuration2.Configuration; +import org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV2d0; +import org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV3d0; +import org.apache.tinkerpop.shaded.jackson.core.StreamReadConstraints; +import org.junit.Test; + +import java.util.Arrays; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + +public class ClusterConfigTest { + + @Test + public void shouldPropagateSerializerConstraintsForGraphSON3() { + final Configuration config = new BaseConfiguration(); + config.setProperty("serializer.config.maxNumberLength", 999); + config.setProperty("serializer.config.maxStringLength", 123456); + config.setProperty("serializer.config.maxNestingDepth", 55); + config.setProperty("hosts", Arrays.asList("localhost")); + + config.setProperty("serializer.className", GraphSONMessageSerializerV3d0.class.getCanonicalName()); + final Cluster cluster = Cluster.open(config); + assertTrue(cluster.getSerializer() instanceof 
GraphSONMessageSerializerV3d0); + final GraphSONMessageSerializerV3d0 serV3 = (GraphSONMessageSerializerV3d0) cluster.getSerializer(); + final StreamReadConstraints constraints = serV3.getMapper().getFactory().streamReadConstraints(); + + assertEquals(999, constraints.getMaxNumberLength()); + assertEquals(123456, constraints.getMaxStringLength()); + assertEquals(55, constraints.getMaxNestingDepth()); + } + + @Test + public void shouldPropagateSerializerConstraintsForGraphSON2() { + final Configuration config = new BaseConfiguration(); + config.setProperty("serializer.config.maxNumberLength", 999); + config.setProperty("serializer.config.maxStringLength", 123456); + config.setProperty("serializer.config.maxNestingDepth", 55); + config.setProperty("hosts", Arrays.asList("localhost")); + + config.setProperty("serializer.className", GraphSONMessageSerializerV2d0.class.getCanonicalName()); + final Cluster cluster = Cluster.open(config); + assertTrue(cluster.getSerializer() instanceof GraphSONMessageSerializerV2d0); + final GraphSONMessageSerializerV2d0 serV2 = (GraphSONMessageSerializerV2d0) cluster.getSerializer(); + final StreamReadConstraints constraints = serV2.getMapper().getFactory().streamReadConstraints(); + + assertEquals(999, constraints.getMaxNumberLength()); + assertEquals(123456, constraints.getMaxStringLength()); + assertEquals(55, constraints.getMaxNestingDepth()); + } +} diff --git a/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV1d0Test.java b/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV1d0Test.java new file mode 100644 index 0000000000..bde78166d0 --- /dev/null +++ b/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV1d0Test.java 
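Review bot: Both tests call `Cluster.open(config)` and never close the returned `Cluster`, so whatever resources it allocates on creation stay alive for the rest of the test run. Wrapping the assertions in `try { ... } finally { cluster.close(); }` would release them. The two methods differ only in the serializer class, so a private helper that takes the class as a parameter would remove the duplication.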
@@ -0,0 +1,53 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.tinkerpop.gremlin.driver.ser; + +import org.apache.tinkerpop.gremlin.structure.io.graphson.GraphSONMapper; +import org.apache.tinkerpop.shaded.jackson.core.StreamReadConstraints; +import org.junit.Test; + +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.assertEquals; + +public class AbstractGraphSONMessageSerializerV1d0Test { + @Test + public void shouldApplyMaxTokenLengthsOnConfigure() { + // Initialize bare-bones AbstractGraphSONMessageSerializerV1d0 + final AbstractGraphSONMessageSerializerV1d0 serializer = new AbstractGraphSONMessageSerializerV1d0() { + @Override byte[] obtainHeader() { return new byte[0]; } + @Override GraphSONMapper.Builder configureBuilder(GraphSONMapper.Builder builder) { return builder;} + @Override public String[] mimeTypesSupported() {return new String[0]; } + }; + + final Map<String, Object> config = new HashMap<>(); + config.put("maxNumberLength", 999); + config.put("maxStringLength", 12345); + config.put("maxNestingDepth", 55); + + serializer.configure(config, null); + + final StreamReadConstraints constraints = 
serializer.getMapper().getFactory().streamReadConstraints(); + + assertEquals(999, constraints.getMaxNumberLength()); + assertEquals(12345, constraints.getMaxStringLength()); + assertEquals(55, constraints.getMaxNestingDepth()); + } +} diff --git a/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV2d0Test.java b/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV2d0Test.java new file mode 100644 index 0000000000..d0c825ff62 --- /dev/null +++ b/gremlin-driver/src/test/java/org/apache/tinkerpop/gremlin/driver/ser/AbstractGraphSONMessageSerializerV2d0Test.java 
@@ -0,0 +1,53 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.tinkerpop.gremlin.driver.ser; + +import org.apache.tinkerpop.gremlin.structure.io.graphson.GraphSONMapper; +import org.apache.tinkerpop.shaded.jackson.core.StreamReadConstraints; +import org.junit.Test; + +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.assertEquals; + +public class AbstractGraphSONMessageSerializerV2d0Test { + @Test + public void shouldApplyMaxTokenLengthsOnConfigure() { + // Initialize bare-bones AbstractGraphSONMessageSerializerV1d0 + final AbstractGraphSONMessageSerializerV2d0 serializer = new AbstractGraphSONMessageSerializerV2d0() { + @Override byte[] obtainHeader() { return new byte[0]; } + @Override GraphSONMapper.Builder configureBuilder(GraphSONMapper.Builder builder) { return builder;} + @Override public String[] mimeTypesSupported() {return new String[0]; } + }; + + final Map<String, Object> config = new HashMap<>(); + config.put("maxNumberLength", 999); + config.put("maxStringLength", 12345); + config.put("maxNestingDepth", 55); + + serializer.configure(config, null); + + final StreamReadConstraints constraints = 
serializer.getMapper().getFactory().streamReadConstraints(); + + assertEquals(999, constraints.getMaxNumberLength()); + assertEquals(12345, constraints.getMaxStringLength()); + assertEquals(55, constraints.getMaxNestingDepth()); + } +} diff --git a/gremlin-shaded/pom.xml b/gremlin-shaded/pom.xml index 9181d11a4e..4500f6a076 100644 --- a/gremlin-shaded/pom.xml +++ b/gremlin-shaded/pom.xml @@ -48,7 +48,7 @@ limitations under the License. <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>2.14.0</version> + <version>2.15.2</version> <optional>true</optional> </dependency> </dependencies> diff --git a/pom.xml b/pom.xml index 6b2d35c66c..13979bc5c2 100644 --- a/pom.xml +++ b/pom.xml @@ -653,7 +653,10 @@ limitations under the License. <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-shade-plugin</artifactId> - <version>3.2.4</version> + <version>3.4.1</version> + <configuration> + <createDependencyReducedPom>false</createDependencyReducedPom> + </configuration> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId>
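Review bot: The comment `// Initialize bare-bones AbstractGraphSONMessageSerializerV1d0` was carried over from the V1d0 test, but the anonymous class below it extends `AbstractGraphSONMessageSerializerV2d0`; it should read `// Initialize bare-bones AbstractGraphSONMessageSerializerV2d0`. The test also only covers `Integer` values, so a case with a non-Integer config value would document how `configure` is expected to behave for it.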