spray-json v1.3.5 Release Notes

Release Date: 2018-11-08
  • See the milestone for all changes.

    Security fix for several Denial of Service vulnerabilities:

    • CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
    • CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
    • CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)

    Thanks to Andriy Plokhotnyuk, who brought the first two issues to our attention.

    Migration Notes

    For some fixes, we added new limits to the parser:

    • 0๏ธโƒฃ Maximum depth of nested JSON values, defaults to 1000
    • 0๏ธโƒฃ Maximum characters for number values, defaults to 100

    We introduced a JsonParserSettings class which can be used to customize these limits. New overloads for JsonParser.apply and String.parseJson have been introduced to specify custom settings.

    Also, field ordering changed when printing a JsValue. Use jsValue.sortedPrint if you want to be sure fields are always ordered the same.
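
An added example (not from the spray-json project) of tightening the new parser limits for untrusted input and printing with a stable field order. The object name, the helper `parseUntrusted`, the limits 32 and 40, and the sample inputs are assumptions chosen for illustration.

```scala
import spray.json._
import scala.util.{Failure, Success, Try}

object StrictParsing {
  // Assumed limits for a small, shallow request body; the defaults are 1000 and 100.
  val strictSettings: JsonParserSettings =
    JsonParserSettings.default
      .withMaxDepth(32)
      .withMaxNumberCharacters(40)

  // Hypothetical helper: parse untrusted text, turning a limit violation or
  // syntax error into a Left instead of letting the exception escape.
  def parseUntrusted(text: String): Either[String, JsValue] =
    Try(text.parseJson(strictSettings)) match {
      case Success(value)                          => Right(value)
      case Failure(e: JsonParser.ParsingException) => Left(e.getMessage)
      case Failure(other)                          => throw other
    }

  def main(args: Array[String]): Unit = {
    // Constructed sample inputs: one ordinary document and two that exceed the limits.
    val samples = Seq(
      "well-formed"      -> """{"user": "alice", "roles": ["admin", "dev"], "age": 30}""",
      "nested 64 deep"   -> ("[" * 64 + "]" * 64),
      "200-digit number" -> ("1" * 200)
    )
    for ((label, text) <- samples) parseUntrusted(text) match {
      // sortedPrint keeps the field order stable regardless of JsObject's map ordering.
      case Right(value) => println(s"$label: accepted\n${value.sortedPrint}")
      case Left(reason) => println(s"$label: rejected ($reason)")
    }
  }
}
```

Callers that still use the plain `parseJson` or `JsonParser.apply` overloads get the default limits listed above.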