Validate JSON strings during parsing #1444
Replies: 2 comments 6 replies
-
Subclassing can be hard - definitely needs good unit tests of the subclass and its usage to make sure that when you do upgrade Jackson libs that issues are caught. Could you provide some or all of your subclassing code so that it can be reviewed?
-
I would strongly advise against sub-classing; it will be fragile, even beyond being difficult/lots of work to implement initially (both of which you are aware of, just reiterating). But I am thinking this: might be something that -- if implemented -- could work here: instead of changing String value, registered handler could throw an exception
-
Hi everyone!
I have applications that have a lot of JSON-based REST endpoints that receive quite a bit of traffic. I have a use-case to generically reject any JSON payloads that contain strings with certain patterns inside (think of it like automated intrusion detection by looking for e.g. SQL injection patterns). The applications primarily use jackson-databind through ObjectMappers.
I'm looking for a way to provide a special ObjectMapper to the applications that automatically validates strings during parsing and, if something illegal is detected, throws a JsonParseException.
I have considered subclassing JsonFactoryBuilder, JsonFactory and JsonParser, such that I can build an ObjectMapper that uses my JsonParser subclass which validates strings produced by getText, nextTextValue, ....
While that does work and seems to have the performance characteristics that I'm looking for, the implementation is rather clunky. I have to implement 5 different methods (if that's even all) in JsonParser and 8 methods plus 2 constructors in JsonFactory. If I now update to a newer version of Jackson, there might be new methods that need to be overridden, but aren't, leading to gaps in the validation.
It would be nice to be able to supply some form of visitor that gets called for primitives and completed arrays/objects during the parsing process.
Is something like this already possible?
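An added example, not part of the thread and not code from the Jackson project: one way to reject payloads without subclassing is a streaming pre-scan over the token stream using only public Jackson 2.x API, followed by normal data binding. The class name `ValidatingReader`, the `DENY` pattern and the sample payloads are constructed for illustration, and the approach assumes the payload is available as a byte array and that parsing it twice is acceptable.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Pattern;

public class ValidatingReader {
    // Constructed deny pattern (assumption); a real deployment supplies its own rules.
    private static final Pattern DENY =
            Pattern.compile("(?i)\\bunion\\s+select\\b|;\\s*drop\\s+table\\b");

    private final ObjectMapper mapper = new ObjectMapper();

    /** Walks every token once; throws on the first string value or field name that matches. */
    static void scan(JsonFactory factory, byte[] payload) throws IOException {
        try (JsonParser p = factory.createParser(payload)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                // Field names are attacker-controlled too, so check them as well as values.
                if ((t == JsonToken.VALUE_STRING || t == JsonToken.FIELD_NAME)
                        && DENY.matcher(p.getText()).find()) {
                    // The parser reference adds the token location; the matched text is
                    // deliberately left out of the message to keep it out of logs.
                    throw new JsonParseException(p, "Rejected string in JSON payload");
                }
            }
        }
    }

    /** Scans first, then binds with the unmodified ObjectMapper. */
    <T> T read(byte[] payload, Class<T> type) throws IOException {
        scan(mapper.getFactory(), payload);
        return mapper.readValue(payload, type);
    }

    public static void main(String[] args) throws IOException {
        ValidatingReader reader = new ValidatingReader();
        byte[] ok = "{\"name\":\"alice\"}".getBytes(StandardCharsets.UTF_8);
        byte[] bad = "{\"q\":[\"x' UNION SELECT 1\"]}".getBytes(StandardCharsets.UTF_8);
        System.out.println(reader.read(ok, Map.class));
        try {
            reader.read(bad, Map.class);
        } catch (JsonParseException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Because the scan relies only on `nextToken()` and `getText()`, a Jackson upgrade that adds new parser accessor methods cannot open a gap in it; the cost is a second pass over the input.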