[
https://issues.apache.org/jira/browse/DRILL-8415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17802047#comment-17802047
]
ASF GitHub Bot commented on DRILL-8415:
---------------------------------------
jnturton opened a new pull request, #2866:
URL: https://github.com/apache/drill/pull/2866
# [DRILL-8415](https://issues.apache.org/jira/browse/DRILL-8415): Upgrade Jackson 2.14.3 → 2.16.1
## Description
The following should be investigated before merging.
> There are some security focused enhancements including a new class called
> StreamReadConstraints. The defaults on
> [StreamReadConstraints](https://javadoc.io/static/com.fasterxml.jackson.core/jackson-core/2.15.0-rc1/com/fasterxml/jackson/core/StreamReadConstraints.html)
> are pretty high but it is not inconceivable that some Drill users might need
> to relax them. Parsing large strings as numbers is sub-quadratic, thus the
> default limit of 1000 chars or bytes (depending on input context).
>
> When the Drill team consider upgrading to Jackson 2.15 or above, you might
> also want to consider adding some way for users to configure the
> StreamReadConstraints.
## Documentation
N/A
## Testing
Unit tests pass.
> Upgrade Jackson 2.14.3 → 2.16.1
> -------------------------------
>
> Key: DRILL-8415
> URL: https://issues.apache.org/jira/browse/DRILL-8415
> Project: Apache Drill
> Issue Type: Improvement
> Affects Versions: 1.21.1
> Reporter: PJ Fanning
> Priority: Major
> Fix For: 1.22.0
>
>
> I'm not advocating for an upgrade to [Jackson
> 2.15|https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15].
> 2.15.0-rc1 has just been released and 2.15.0 should be out soon.
> There are some security focused enhancements including a new class called
> StreamReadConstraints. The defaults on
> [StreamReadConstraints|https://javadoc.io/static/com.fasterxml.jackson.core/jackson-core/2.15.0-rc1/com/fasterxml/jackson/core/StreamReadConstraints.html]
> are pretty high but it is not inconceivable that some Drill users might need
> to relax them. Parsing large strings as numbers is sub-quadratic, thus the
> default limit of 1000 chars or bytes (depending on input context).
> When the Drill team consider upgrading to Jackson 2.15 or above, you might
> also want to consider adding some way for users to configure the
> StreamReadConstraints.
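One way the configurable limits mentioned in the issue could look, as an added example that is not code from this pull request or from Drill. It assumes jackson-core 2.15 or later on the classpath; the `json.read.*` option names and the `ReadConstraintsDemo` class are hypothetical.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import java.io.IOException;
import java.util.Collections;
import java.util.Properties;

public class ReadConstraintsDemo {
  // Hypothetical option names for illustration; not existing Drill options.
  static final String MAX_NUM_LEN = "json.read.max_number_length";
  static final String MAX_STR_LEN = "json.read.max_string_length";
  static final String MAX_DEPTH = "json.read.max_nesting_depth";

  // Unset options fall back to Jackson's defaults, so limits stay finite.
  static int intOpt(Properties conf, String key, int dflt) {
    String v = conf.getProperty(key);
    return v == null ? dflt : Integer.parseInt(v.trim());
  }

  static JsonFactory factoryFrom(Properties conf) {
    StreamReadConstraints limits = StreamReadConstraints.builder()
        .maxNumberLength(intOpt(conf, MAX_NUM_LEN, StreamReadConstraints.DEFAULT_MAX_NUM_LEN))
        .maxStringLength(intOpt(conf, MAX_STR_LEN, StreamReadConstraints.DEFAULT_MAX_STRING_LEN))
        .maxNestingDepth(intOpt(conf, MAX_DEPTH, StreamReadConstraints.DEFAULT_MAX_DEPTH))
        .build();
    return JsonFactory.builder().streamReadConstraints(limits).build();
  }

  // True if the root-level integer in json is read within the factory's limits.
  static boolean readsInteger(JsonFactory factory, String json) throws IOException {
    try (JsonParser p = factory.createParser(json)) {
      p.nextToken();
      p.getBigIntegerValue(); // forces the digits to be decoded
      return true;
    } catch (StreamConstraintsException e) {
      return false; // input exceeded a configured read constraint
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed input: a 1500-digit integer, longer than the default 1000.
    String big = String.join("", Collections.nCopies(1500, "1"));
    Properties relaxed = new Properties();
    relaxed.setProperty(MAX_NUM_LEN, "2000");
    System.out.println("defaults: " + readsInteger(factoryFrom(new Properties()), big));
    System.out.println("relaxed:  " + readsInteger(factoryFrom(relaxed), big));
  }
}
```

Setting the constraints on the factory scopes a relaxed limit to the readers built from it, whereas `StreamReadConstraints.overrideDefaultStreamReadConstraints` changes the default for every factory created afterwards in the JVM.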