TopQuadrant/MauiServer

Remove dependency on jackson-databind

Opened this issue · 1 comments

cygri commented

Maui Server should abandon the use of jackson-databind and use some other JSON library instead.

There has been an ongoing stream of vulnerability reports for jackson-databind. These vulnerabilities don't affect Maui Server as it doesn't make use of Jackson's object mapper capabilities. But automated vulnerability scanners pick up on the use of these vulnerable dependencies, and their reports cast doubt on the security of Maui Server.

My preference for a replacement would be javax.json as it's the closest to being a part of the standard library, doesn't include an object mapper that Maui Server doesn't need, and has some interesting capabilities like support for JSON Pointer and JSON Patch that could potentially be useful.

cygri commented

Well, it turns out that javax.json is stupid and I will abandon the effort to migrate to it. It doesn't provide a mutable representation of a JSON object, only an immutable JsonObject and a Builder pattern for creating them. This turns out to be a deal breaker. There are numerous places in the Maui Server code where, while assembling a JSON response, we want to look at the bits that have already been added to the response by other parts of the system. These all would need to be rewritten and it's super tedious. When I'm starting to create my own Map<String,JsonValue> objects to work around the limitations of the library, then it's time to admit I made a bad choice.