Unsafe deserialization in com.alibaba:fastjson

[king1302217]

milvus-sdk-java rely on fastjson. This jar is unsafe to use. Can we upgrate fastjson to other jar, such as jackson or gson?

[yhmo]

ok, we will try replace it in the next minor version.

[yhmo]

@king1302217
This article mentioned "To fully remediate CVE-2022-25845, we recommend upgrading Fastjson to the latest version, which is currently 1.2.83."

The java sdk is using this version:

milvus-sdk-java/pom.xml

Line 96 in 64e42bf

<version.fastjson>1.2.83</version.fastjson>

So, can we say it is safe now?

[king1302217]

@yhmo Fastjson is forbidden to use in my company. As far as I know, this jar is forbidden in many companies. So it is better to fix it in the next version

[TWSFar]

@yhmo Our company also prohibits the use of Fastjson, and we have the same requirement. Can you optimize and upgrade it

[yhmo]

Currently, the com.alibaba.fastjson.JSONObject is used as input of InsertParam/UpsertParam/InsertRowsParam and output of SearchResultsWrapper/QueryResultsWrapper. If we replace it with gson.JsonObject, will cause lots of impact on users' client code.

[king1302217]

Yes, but i think it is very necessary to fix because many companies prohibit the use of Fastjson. So hope we can upgrade in next version. @yhmo

[yhmo]

Note:
The work of replacing FastJson with Gson is not ready. Today we released two new minor versions v2.3.7/v2.4.1 to fix some blocking issues.
Replacing FastJson with Gson is postponed to the next minor version.