milvus-sdk-java
Unsafe deserialization in com.alibaba:fastjson
milvus-sdk-java relies on fastjson. This jar is unsafe to use. Can we upgrade fastjson to another jar, such as jackson or gson?
ok, we will try to replace it in the next minor version.
@king1302217 This article mentioned "To fully remediate CVE-2022-25845, we recommend upgrading Fastjson to the latest version, which is currently 1.2.83."
The java sdk is using this version: https://github.com/milvus-io/milvus-sdk-java/blob/64e42bf8ee7dd6ce0b6a789c45c5afc031aa987b/pom.xml#L96
So, can we say it is safe now?
@yhmo Fastjson is forbidden to use in my company. As far as I know, this jar is forbidden in many companies. So it is better to fix it in the next version.
@yhmo Our company also prohibits the use of Fastjson, and we have the same requirement. Can you optimize and upgrade it?
Currently, the com.alibaba.fastjson.JSONObject is used as input of InsertParam/UpsertParam/InsertRowsParam and output of SearchResultsWrapper/QueryResultsWrapper. If we replace it with gson.JsonObject, it will cause lots of impact on users' client code.
Yes, but I think it is very necessary to fix because many companies prohibit the use of Fastjson. So I hope we can upgrade it in the next version. @yhmo
Note: The work of replacing FastJson with Gson is not ready. Today we released two new minor versions v2.3.7/v2.4.1 to fix some blocking issues. Replacing FastJson with Gson is postponed to the next minor version.