Posted to dev@johnzon.apache.org by "Romain Manni-Bucau (JIRA)" <ji...@apache.org> on 2018/04/12 15:30:00 UTC

[jira] [Commented] (JOHNZON-146) Mapper json processing should use the order in the Json, not setters

    [ https://issues.apache.org/jira/browse/JOHNZON-146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16435766#comment-16435766 ] 

Romain Manni-Bucau commented on JOHNZON-146:
--------------------------------------------

Isn't it too dangerous? The Java is fully controlled by the user and he can say "read type before value" for instance; if we respect the JSON we are open to injection and hacks, probably.

> Mapper json processing should use the order in the Json, not setters
> --------------------------------------------------------------------
>
>                 Key: JOHNZON-146
>                 URL: https://issues.apache.org/jira/browse/JOHNZON-146
>             Project: Johnzon
>          Issue Type: Bug
>          Components: JSON-B, Mapper
>    Affects Versions: 1.1.5
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>            Priority: Minor
>             Fix For: 1.1.8
>
>
> Currently we do a loop over all the getters and try to find the attribute in the JSON.
> But for deduplicateObjects handling one might end up getting a JsonPointer before the original object got processed. 
> This means that we should do it exactly the other way around: loop over the json attributes and then use the setter accordingly.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)