Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jackson to 2.16.1 #4134

Merged
merged 1 commit into from
Feb 28, 2024
Merged

Jackson to 2.16.1 #4134

merged 1 commit into from
Feb 28, 2024

Conversation

dlvenable
Copy link
Member

Description

Updates Jackson to 2.16.1. Jackson 2.16 now redacts input data in exceptions. So a couple tests needed modifications.

Additionally, this uses ion-java 1.10.5 which has a fix for CVE-2024-21634.

Issues Resolved

Resolves #3926

Check List

  • New functionality includes testing.
  • New functionality has a documentation issue. Please link to it in this PR.
    • New functionality has javadoc added
  • Commits are signed with a real name per the DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@dlvenable
This updates Jackson to 2.16.1. This version does include a change to…
e059c83 
… redact input data in exceptions. So a couple tests needed modifications. Additionally, this uses ion-java 1.10.5 which has a fix for CVE-2024-21634, so this PR will resolve opensearch-project#3926.

Signed-off-by: David Venable <[email protected]>
asifsmohammed
asifsmohammed reviewed Feb 16, 2024
View reviewed changes
...-codecs/src/test/java/org/opensearch/dataprepper/plugins/codec/avro/AvroOutputCodecTest.java
@@ -75,7 +75,6 @@ void constructor_throws_if_schema_is_invalid() {
RuntimeException actualException = assertThrows(RuntimeException.class, this::createObjectUnderTest);

assertThat(actualException.getMessage(), notNullValue());
assertThat(actualException.getMessage(), containsString(invalidSchema));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did we remove this assertion?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I gave a very brief explanation in the description. Prior to Jackson 2.16, Jackson would include input data in the messages provided. Now it does not do that (by default) to avoid possible log injection or display of sensitive data. So this exception fails now as the input schema is no longer in the message.

@oeyh oeyh merged commit 1cbfdd1 into opensearch-project:main Feb 28, 2024
71 of 74 checks passed
@dlvenable dlvenable deleted the jackson-2.16 branch March 6, 2024 16:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oeyh oeyh oeyh approved these changes

@asifsmohammed asifsmohammed asifsmohammed approved these changes

@chenqi0805 chenqi0805 Awaiting requested review from chenqi0805 chenqi0805 is a code owner

@engechas engechas Awaiting requested review from engechas engechas is a code owner

@graytaylor0 graytaylor0 Awaiting requested review from graytaylor0 graytaylor0 is a code owner

@dinujoh dinujoh Awaiting requested review from dinujoh dinujoh is a code owner

@kkondaka kkondaka Awaiting requested review from kkondaka kkondaka is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE-2024-21634 (High) detected in ion-java-1.0.2.jar, ion-java-1.9.5.jar
3 participants
@dlvenable @oeyh @asifsmohammed