Add system properties to configure Jackson's stream read constraints #15720
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
edmocosta
changed the title
edmocosta
changed the title
edmocosta
changed the title
jsvd
reviewed
Jan 8, 2024
|
Please backport to 8.12 after merging. |
|
💚 Build Succeeded
History
|
|
@logstashmachine backport 8.12 |
5 tasks
jsvd
pushed a commit
that referenced
this pull request
Jan 8, 2024
…15720) (#15763) This commit added a few jvm.options properties to configure the Jackson read constraints defaults (Maximum Number value length, Maximum String value length, and Maximum Nesting depth). (cherry picked from commit a21ced0) Co-authored-by: Edmo Vamerlatti Costa <11836452+edmocosta@users.noreply.github.com>
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release notes
Added
jvm.optionsproperties to configure the Jackson read constraints defaults (Maximum Number value length, Maximum String value length, and Maximum Nesting depth).What does this PR do?
This PR adds 3 new custom system properties into the
jvm.options. Those new properties are used to fine-tune the default Jackson stream read constraints values, which are used by Jackson to guard against malicious input by preventing processing of too big inputs. The added properties can be found here.The intention of early set the Jackson defaults during the startup (
runner.rb) was to ensure that all Logstash's functionalities that rely on Jackson are using those settings values.Why is it important/What is the impact to the user?
Although the Jackson's defaults works for the majority of users, it might be too restrictive - and a blocker - for pipelines receiving big payload requests or with a deeper level of nested objects.
Having the possibility of tuning those properties is essential to unblock users with that use-case and for a more accurate guard against malicious inputs.
Checklist
How to test this PR locally
-Dlogstash.jackson.stream-read-constraints.max-string-length=2beatsinputcom.fasterxml.jackson.core.exc.StreamConstraintsException: String length (24) exceeds the maximum length (2)Related issues