spray-json v1.3.6 Release NotesRelease Date: 2020-11-10 // about 2 years ago
Previous changes from v1.3.5
👀 See the milestone for all changes.
🔒 Security fix for several Denial Of Service vulnerabilities:
- 📜 CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
- CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
- 📜 CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)
Thanks, Andriy Plokhotnyuk who brought the first two issues to our attention.
📜 For some fixes, we added new limits to the parser:
- 0️⃣ Maximum depth of nested JSON values, defaults to 1000
- 0️⃣ Maximum characters for number values, defaults to 100
📜 We introduced a
JsonParserSettingsclass which can be used to customize these limits. New overloads for
String.parseJsonhave been introduced to specify custom settings.
🖨 Also, field ordering changed when printing a
jsValue.sortedPrintif you want to be sure fields are always ordered the same.