Risk description: fastjson uses a blacklist/whitelist to defend against deserialization vulnerabilities; research shows that under specific conditions this exploit can bypass the default autoType-off restriction and attack remote servers, with considerable risk impact. fastjson users are advised to take security measures as soon as possible to keep their systems secure.
Affected versions: ≤1.2.80, when specific dependencies are present
Vulnerability details: https://github.com/alibaba/fastjson/wiki/security_update_20220523 https://github.com/alibaba/fastjson/releases/tag/1.2.83
Thanks for the feedback and suggestion. APIJSON does not need autoType; the current interim fix is to add the following in DemoApplication.main:
ParserConfig.getGlobalInstance().setSafeMode(true);
https://github.com/alibaba/fastjson/wiki/fastjson_safemode
fastjson 2.0 is a major rewrite and is not yet stable enough, so upgrading to it in the APIJSON pom.xml is not being considered for now. Users can, however, depend only on apijson-orm.jar (which contains no fastjson or other third-party library code) and add fastjson 2.0 or another version as a separate dependency in their own project.
Going forward, we plan to provide an extension mechanism so developers can choose a different JSON library.
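The safeMode mitigation above is a one-line switch, so it is worth verifying that it actually took effect in the running application. The following is an added example, not APIJSON's own code: it enables safeMode once at startup and then checks that fastjson still parses an ordinary request body but refuses any document carrying an "@type" key, whatever the allow/deny lists say. The class name SafeModeCheck, the placeholder type name com.example.Placeholder and the sample JSON documents are constructed for this example; it assumes a fastjson 1.2.x release recent enough to have ParserConfig.setSafeMode (added in 1.2.68).

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

// Added example (not part of APIJSON): verify that fastjson safeMode is on.
public class SafeModeCheck {

    // Call once, before any JSON is parsed (e.g. first thing in main).
    // With safeMode on, fastjson rejects every "@type" key outright instead
    // of consulting its autoType allow/deny lists.
    static void hardenFastjson() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Returns true when fastjson refuses a document that carries "@type".
    // A JSONException here is the expected, safe outcome.
    static boolean rejectsAutoType(String json) {
        try {
            JSON.parseObject(json);
            return false; // parsed: safeMode is NOT protecting this process
        } catch (JSONException e) {
            return true;  // refused: safeMode is active
        }
    }

    // Returns true when a plain document (no "@type") still parses normally,
    // so hardening did not break ordinary request handling.
    static boolean parsesPlainJson(String json) {
        JSONObject obj = JSON.parseObject(json);
        return obj != null && obj.containsKey("tag");
    }

    public static void main(String[] args) {
        hardenFastjson();

        // Constructed sample: an ordinary APIJSON-style request body.
        String plain = "{\"tag\":\"User\",\"User\":{\"id\":1}}";
        // Constructed sample: the same body with an "@type" key; the type name
        // is a placeholder and does not need to exist on the classpath.
        String withType = "{\"@type\":\"com.example.Placeholder\",\"tag\":\"User\"}";

        System.out.println("plain JSON still parses : " + parsesPlainJson(plain));
        System.out.println("@type document rejected : " + rejectsAutoType(withType));

        if (!rejectsAutoType(withType)) {
            // Fail loudly at startup rather than run unprotected.
            throw new IllegalStateException("fastjson safeMode is not active");
        }
    }
}
```

Running this as a startup self-check (or as a unit test in the project's test suite) catches the common failure mode where setSafeMode(true) is called in one entry point but another code path, or a library on the classpath, parses JSON before it runs.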
Thanks to @NeoGitCrt1 for helping upgrade fastjson to 2.0.4 👍
#401
APIJSON has added a new branch, fastjson2, and keeps the current master as the fastjson1 version; both are maintained in parallel until fastjson2 stabilizes.