Yeah, I think we could move to some sort of statically generated JSON text writer— esp for the PersistenceAdapterView.java.
A quick scan shows one use of an unmarshaller (which is where most security problems come from). Perhaps we deprecate that function and convert the functionality to use a different syntax for the destination filtering.

Classes using an import from com.fasterxml.jackson:

./activemq-partition/src/main/java/org/apache/activemq/partition/dto/Partitioning.java
./activemq-partition/src/main/java/org/apache/activemq/partition/dto/Target.java
./activemq-console/src/main/java/org/apache/activemq/console/command/store/StoreExporter.java
./activemq-broker/src/test/java/org/apache/activemq/broker/view/BrokerDestinationViewTest.java
./activemq-broker/src/main/java/org/apache/activemq/broker/jmx/DestinationsViewFilter.java
./activemq-broker/src/main/java/org/apache/activemq/broker/jmx/PersistenceAdapterView.java

Thanks,
Matt Pavlovich

> On May 16, 2023, at 8:44 AM, Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>
> Yes I remember the discussion.
> To be honest, as I was mentioning, even JSON-B/P is probably overkill for what we need.
>
> Happy to craft up a PR so we can discuss it there and see if that is feasible for 5.19.x
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Tue, May 16, 2023 at 3:37 PM Matt Pavlovich <mattr...@gmail.com> wrote:
>
>> Hello Jean-Louis-
>>
>> This has come up in the past. Iirc, the discussion was leaning towards using json-b and then Jackson as the out-of-the-box provider.
>>
>> This sounds like a good change for the 5.19.x line
>>
>> Thanks,
>> -Matt Pavlovich
>>
>>> On May 16, 2023, at 5:17 AM, Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>>>
>>> Hi all,
>>>
>>> Jackson seems to be frequently affected by CVEs and it's really a pain for users.
>>>
>>> Looks like Jackson is only used in the WebConsole to read/write a few attributes. I'm sure we can get rid of it and either use a standard API so one can plug in any implementation, or just write down a utility class to parse the small attribute we have to.
>>>
>>> thoughts?
>>>
>>> I'm happy to do a PR to remove it if that's the consensus.
>>>
>>> --
>>> Jean-Louis Monteiro
>>> http://twitter.com/jlouismonteiro
>>> http://www.tomitribe.com
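A write-only JSON text writer with RFC 8259 string escaping, as an added example of what the "statically generated JSON text writer" proposed in this thread could look like; it is not ActiveMQ's code. It has no parser at all (so no deserialization surface), and the one escaping routine is shared by keys and values, which is the part hand-rolled writers most often get wrong; the attribute names and the hostile value in main() are constructed, not taken from the JMX views.

```java
// Added example, not ActiveMQ's own code: a write-only JSON text writer of the kind
// proposed above for the few JMX view attributes. No parser, so no deserialization
// surface; strings are escaped per RFC 8259 so a hostile value cannot break structure.
import java.util.LinkedHashMap;
import java.util.Map;
public final class JsonTextWriter {
    /** Serialise a flat map of String/Number/Boolean/null values as one JSON object. */
    public static String writeObject(Map<String, Object> attrs) {
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            if (!first) sb.append(',');
            first = false;
            writeString(sb, e.getKey());
            sb.append(':');
            Object v = e.getValue();
            if (v == null) sb.append("null");
            // only literals JSON can represent unquoted; floats (NaN/Infinity) are not accepted raw
            else if (v instanceof Boolean || v instanceof Integer || v instanceof Long) sb.append(v);
            else writeString(sb, v.toString()); // anything else is quoted text
        }
        return sb.append('}').toString();
    }
    /** Quote a string, escaping what RFC 8259 forbids raw inside a string literal. */
    static void writeString(StringBuilder sb, String s) {
        sb.append('"');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    // remaining control characters must be \u-escaped; everything else is safe raw
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        sb.append('"');
    }
    public static void main(String[] args) {
        Map<String, Object> attrs = new LinkedHashMap<>(); // constructed sample attributes
        attrs.put("name", "queue://orders\"},{\"admin\":true"); // constructed hostile value
        attrs.put("size", 42L);
        attrs.put("persistent", true);
        System.out.println(writeObject(attrs)); // the quotes in "name" come out escaped
    }
}
```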