Stack Overflow (Criteria.parse) with JsonPath #1772
Comments
|
Correct me if I'm wrong, but as far as I understand the issue wouldn't be exposed through DGS. We don't take user input directly that goes through JsonPath. It's only when using the Once there is a patch for the library we'll update it, but I don't think there's any action to take now. |
|
That's good to hear. I did notice however, that after fully excluding the dependency it does cause But I agree, looking at what's happening in I'll convey the message as I was just forwarding the question from client. |
|
It’s definitely there, but there is no code path to trigger the issue
…On Tue, Jan 9, 2024 at 10:37 AM Martin Visser ***@***.***> wrote:
That's good to hear. I did notice however, that after fully excluding the
dependency it does cause NoClassDefFoundError:
com/jayway/jsonpath/Configuration, so it used outside of tests too.
java.lang.NoClassDefFoundError: com/jayway/jsonpath/Configuration
at com.netflix.graphql.dgs.client.GraphQLResponse.<clinit>(GraphQLResponse.kt:131)
at com.netflix.graphql.dgs.client.WebClientGraphQLClient.handleResponse(WebClientGraphQLClient.kt:146)
at com.netflix.graphql.dgs.client.WebClientGraphQLClient.access$handleResponse(WebClientGraphQLClient.kt:42)
at com.netflix.graphql.dgs.client.WebClientGraphQLClient$reactiveExecuteQuery$3.invoke(WebClientGraphQLClient.kt:136)
at com.netflix.graphql.dgs.client.WebClientGraphQLClient$reactiveExecuteQuery$3.invoke(WebClientGraphQLClient.kt:136)
at com.netflix.graphql.dgs.client.WebClientGraphQLClient.reactiveExecuteQuery$lambda$3(WebClientGraphQLClient.kt:136)
...
Caused by: java.lang.ClassNotFoundException: com.jayway.jsonpath.Configuration
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525)
But I agree, looking at what's happening in GraphQLResponse, this is not
the same as seen in that issue.
I'll convey the message as I was just forwarding the question from client.
—
Reply to this email directly, view it on GitHub
<#1772 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA2XLASDFOTGTKXQ45LN6DYNWE5LAVCNFSM6AAAAABBSZ5TNOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBTGU4DGOJSGI>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
If it's only used for test, why is the dependency not scoped for test in maven/gradle? I think if that can still be done, it should not be flagged anymore by Nexus IQ. |
|
@ntenherkel But it isn't used only in test as my stack trace showed. The dependency is used in production code too. Maybe the path to that issue as stated in JsonPath isn't used in production code, but JsonPath itself is used outside test. |
|
Yes let me rephrase my suggestion. @paulbakker is it possible for the netflix developers to scope this dependency to test? Based on Martin's comment that would also mean some adjustments in the dgs-framework java/kotlin logic. My feeling is that json-path is not playing an important role in the dgs-framework. The end result having a dependency less (that is poorly maintained, CVE already open for weeks with no sight on a fix) in the jar, is also worth the attempt if you ask me. |
|
I do fully agree with that. If that would be possible, that would be a nice solution. |
|
JsonPath is used in two places:
Like SQL injection, this issue is only a problem if user input is used directly to form the jsonpath argument, which we don't do in the framework itself. We can't make JsonPath a a test-only dependency, but I don't see how the CVE would affect a DGS in general. |
According to json-path/JsonPath#973 there is a high severity issue for JsonPath. Are there any plans to deal with this?
JsonPath seems to be a dependency of the DGS client module.
The text was updated successfully, but these errors were encountered: