Updates for CVE-2023-51074 and CVE-2023-5072 #92
Conversation
Updates the org.json.json and com.jayway.jsonpath.json-path libraries which fix CVE-2023-51074 and CVE-2023-5072. Had to make code changes because the json-path library introduced a bug in the updated version which fails a few unit tests in our repo. See this PR to track the issue json-path/JsonPath#871
karen-avetisyan-mc
requested review from
danny-gallagher and
karen-avetisyan-mc
| @@ -86,4 +86,16 @@ static Object readJsonObject(DocumentContext context, String jsonPathString) { | |||
| } | |||
| return jsonElement; | |||
| } | |||
|
|
|||
| // Upgrading the json-path lib from 2.6.0 to 2.9.0 introduced a bug where when you | |||
There was a problem hiding this comment.
please remove this comment
There was a problem hiding this comment.
Sorry, I meant : remove all of this: // try to delete a non-existent key in a DocumentContext with the SUPPRESS_EXCEPTIONS flag,
// it would throw a ClassCastException. This method is a workaround for the issue.
// Once this issue is fixed this method's usages can be replaced with a simple DocumentContext.delete(path).
// Track the issue here json-path/JsonPath#870
There was a problem hiding this comment.
We could leave this comment in until this issue is fixed. It's a good way to make sure we revisit it in the future.
There was a problem hiding this comment.
Sorry, folks, I would insist that we remove this comment. There will be no reason to update this library, unless another security issue. let keep it code clean.
There was a problem hiding this comment.
removed it now.
| @@ -86,4 +86,16 @@ static Object readJsonObject(DocumentContext context, String jsonPathString) { | |||
| } | |||
| return jsonElement; | |||
| } | |||
|
|
|||
| // Upgrading the json-path lib from 2.6.0 to 2.9.0 introduced a bug where when you | |||
There was a problem hiding this comment.
Sorry, I meant : remove all of this: // try to delete a non-existent key in a DocumentContext with the SUPPRESS_EXCEPTIONS flag,
// it would throw a ClassCastException. This method is a workaround for the issue.
// Once this issue is fixed this method's usages can be replaced with a simple DocumentContext.delete(path).
// Track the issue here json-path/JsonPath#870
| @@ -86,4 +86,16 @@ static Object readJsonObject(DocumentContext context, String jsonPathString) { | |||
| } | |||
| return jsonElement; | |||
| } | |||
|
|
|||
| // Upgrading the json-path lib from 2.6.0 to 2.9.0 introduced a bug where when you | |||
There was a problem hiding this comment.
Sorry, folks, I would insist that we remove this comment. There will be no reason to update this library, unless another security issue. let keep it code clean.
joseph-neeraj
force-pushed
the
fix/CVE-2023-51074andCVE-2023-5072
branch
from
9f57f5e
to
265773d
Compare
PR checklist
mainbranchLink to issue/feature request: #90
Description
Updates the org.json.json and com.jayway.jsonpath.json-path libraries which fix CVE-2023-51074 and CVE-2023-5072.
Had to make code changes because the json-path library introduced a bug in the updated version which fails a few unit tests in our repo. See this PR to track the issue json-path/JsonPath#871