spray-json v1.3.6 Release Notes
Release Date: 2020-11-10 // about 4 years agoPrevious changes from v1.3.5
-
๐ See the milestone for all changes.
๐ Security fix for several Denial Of Service vulnerabilities:
- ๐ CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
- CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
- ๐ CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)
Thanks, Andriy Plokhotnyuk who brought the first two issues to our attention.
Migration Notes
๐ For some fixes, we added new limits to the parser:
- 0๏ธโฃ Maximum depth of nested JSON values, defaults to 1000
- 0๏ธโฃ Maximum characters for number values, defaults to 100
๐ We introduced a
JsonParserSettings
class which can be used to customize these limits. New overloads forJsonParser.apply
andString.parseJson
have been introduced to specify custom settings.๐จ Also, field ordering changed when printing a
JsValue
. UsejsValue.sortedPrint
if you want to be sure fields are always ordered the same.