[
https://issues.apache.org/jira/browse/CALCITE-7455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18069009#comment-18069009
]
Julian Hyde commented on CALCITE-7455:
--------------------------------------
Jackson’s ObjectMapper is able to deserialize arbitrary objects and classes,
and that is a major attack surface. We should be conservative in which
configurations we allow, and should only allow configurations that cannot
possibly access those capabilities of ObjectMapper.
Before merging any PR for this issue, let's review the security implications.
> Allow configuring ObjectMapper for JSON functions
> -------------------------------------------------
>
> Key: CALCITE-7455
> URL: https://issues.apache.org/jira/browse/CALCITE-7455
> Project: Calcite
> Issue Type: Improvement
> Components: core
> Reporter: Danylo Naumenko
> Priority: Minor
>
> JsonFunctions currently uses a hardcoded JacksonJsonProvider with the default
> ObjectMapper, so any Jackson module not registered by default is unavailable.
> For example, passing a Java object with Optional fields to JSON_OBJECT fails
> since serialization of Optional fields is not enabled by default. Registering
> Jdk8Module on the ObjectMapper fixes this, but it looks like there's no way
> to do that today.
> *Proposed solution:* provide a way to configure an ObjectMapper used by JSON
> functions.
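The allowlist approach Julian describes, as an added example that is not Calcite code and not part of the Jira thread: the class, enum and method names (JsonMapperConfig, AllowedModule, of, fromExternal) are hypothetical, and the example assumes jackson-databind 2.10+, jackson-datatype-jdk8 and json-path on the classpath. A caller can register Jdk8Module (the case from the issue description) but never obtains a builder or ObjectMapper handle, so Jackson's default typing, which lets a type name inside the JSON document choose the class to instantiate, stays unreachable. The unsafe configuration is shown only for contrast.

```java
// Added example (not Calcite's code). Names below are hypothetical.
import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.jayway.jsonpath.spi.json.JacksonJsonProvider;

import java.util.EnumSet;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;

public final class JsonMapperConfig {

  /** The only Jackson modules a user may turn on. Each is a (de)serializer
   *  bundle for a fixed JDK type, not a way to select classes at runtime. */
  public enum AllowedModule {
    JDK8(Jdk8Module::new);
    // e.g. JAVA_TIME(JavaTimeModule::new) once that dependency exists.

    private final Supplier<Module> factory;
    AllowedModule(Supplier<Module> factory) { this.factory = factory; }
  }

  private final ObjectMapper mapper;

  private JsonMapperConfig(ObjectMapper mapper) { this.mapper = mapper; }

  /** Build the mapper from an allowlist. The caller never sees the builder
   *  or the ObjectMapper, so activateDefaultTyping() cannot be called on it. */
  public static JsonMapperConfig of(Set<AllowedModule> modules) {
    JsonMapper.Builder b = JsonMapper.builder();
    for (AllowedModule m : modules) {
      b.addModule(m.factory.get());
    }
    return new JsonMapperConfig(b.build());
  }

  /** UNSAFE shape to avoid: accepting an arbitrary, caller-built mapper.
   *  With default typing active and a permissive validator, the type name
   *  embedded in a JSON document picks the class Jackson instantiates.
   *  Present only to contrast with of(); never expose such a mapper. */
  static ObjectMapper unsafeExample() {
    ObjectMapper m = new ObjectMapper();
    m.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
        ObjectMapper.DefaultTyping.NON_FINAL);
    return m;
  }

  /** If an external ObjectMapper must be accepted, keep a private copy and
   *  strip default typing from it, so neither the caller's configuration nor
   *  later mutation of the caller's instance reaches the JSON functions. */
  public static JsonMapperConfig fromExternal(ObjectMapper external) {
    return new JsonMapperConfig(external.copy().deactivateDefaultTyping());
  }

  /** What JsonFunctions would hand to json-path in place of the hardcoded
   *  provider built on the default ObjectMapper. */
  public JacksonJsonProvider jsonProvider() {
    return new JacksonJsonProvider(mapper);
  }

  public String serialize(Object value) throws Exception {
    return mapper.writeValueAsString(value);
  }

  /** Constructed sample bean with an Optional field, as in the issue. */
  public static final class Row {
    public Optional<String> name = Optional.of("calcite");
  }

  public static void main(String[] args) throws Exception {
    // With Jdk8Module, Optional.of("calcite") is written as "calcite";
    // without it, Jackson writes the Optional as a plain bean instead.
    System.out.println(of(EnumSet.of(AllowedModule.JDK8)).serialize(new Row()));
    System.out.println(of(EnumSet.noneOf(AllowedModule.class)).serialize(new Row()));
  }
}
```

The design point is that the configuration surface is an enum of pre-approved modules rather than an ObjectMapper: the set of things a user can enable is closed, and adding a module to the allowlist becomes a reviewed code change instead of a runtime decision. fromExternal is the fallback if the PR insists on taking an ObjectMapper; copying and calling deactivateDefaultTyping removes the most dangerous global setting, but it does not undo per-class @JsonTypeInfo annotations or custom deserializers the caller may have registered, which is why the allowlist form is preferable.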