From e39d1a46f8dc4e29f22ad91ce4b71b5c28bd7df2 Mon Sep 17 00:00:00 2001
From: Beinan Wang
Date: Fri, 3 Jun 2022 16:35:31 -0700
Subject: [PATCH 1/2] Fix the security vulnerability from jackcon databind
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index ad7c4b4fb6ae..54a2398e83e9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -152,7 +152,7 @@
 3.19.2
 UTF-8
 1.7.30
- 2.11.1
+ 2.13.3
 3.1.0-5.8.5
 5.6.19
 2
From 5863c4f4e40c917d3ffad92a049572af958104bd Mon Sep 17 00:00:00 2001
From: Beinan Wang
Date: Fri, 3 Jun 2022 23:41:19 -0700
Subject: [PATCH 2/2] Exclude null or empty values for xml encoding
---
 .../java/alluxio/proxy/s3/CompleteMultipartUploadResult.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/core/server/proxy/src/main/java/alluxio/proxy/s3/CompleteMultipartUploadResult.java b/core/server/proxy/src/main/java/alluxio/proxy/s3/CompleteMultipartUploadResult.java
index 7d2ec01011eb..5920d69f862c 100644
--- a/core/server/proxy/src/main/java/alluxio/proxy/s3/CompleteMultipartUploadResult.java
+++ b/core/server/proxy/src/main/java/alluxio/proxy/s3/CompleteMultipartUploadResult.java
@@ -11,6 +11,7 @@
 package alluxio.proxy.s3;
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
@@ -24,6 +25,7 @@
 */
 @JacksonXmlRootElement(localName = "CompleteMultipartUploadResult")
 @JsonPropertyOrder({ "Location", "Bucket", "Key", "ETag" })
+@JsonInclude(JsonInclude.Include.NON_EMPTY)
 public class CompleteMultipartUploadResult {
 /* The URI that identifies the newly created object. */
 private String mLocation;
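Review bot: The class-level `@JsonInclude(JsonInclude.Include.NON_EMPTY)` added in the second hunk of CompleteMultipartUploadResult.java carries no comment saying why it is there, and it applies to every property of the class, not only the ones that are expected to be absent. `NON_EMPTY` drops empty strings as well as nulls, so a `Location`, `Bucket`, `Key` or `ETag` that is unexpectedly empty would be omitted from the XML rather than emitted as an empty element, and an S3 client would see a missing field. If the intent is only to hide unset fields, `JsonInclude.Include.NON_NULL` is the narrower choice. Either way, a line such as `// Omit unset fields from the XML response; needed after the jackson 2.13.3 upgrade` above the annotation would keep it from being removed later (the link to the upgrade is inferred from the patch series, so confirm it). The class body continues outside the hunk, so which fields can legitimately be empty is not visible here. A serialization test that pins the expected XML for a populated result and for a result with unset fields would also guard against a future Jackson bump changing the output again.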