oswaldobapvicjr / jsonmerge Goto Github PK

Describe the bug
JsonProviderFactory throws a NoClassDefFoundError for an optional (not required) JsonProvider not in the classpath during class loading.

To Reproduce
Steps to reproduce the behavior:

1. Import jsonmerge with no optional dependency.
2. Create a new JsonMerger without specifying a concrete Provider (declare a JSON object type instead):

JsonMerger<JsonObject> merger = new JsonMerger<>(JsonObject.class);

Expected behavior
A new JsonMerger with the JsonSmartJsonProvider attached should be created and delivered.

Screenshots
N/A

Additional context
N/A

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Based on the fluent API proposed on #6, add new methods to configure fine options to be applied during the merge of arrays identified by a valid JsonPath:

For example (suggested API improvement):

// Explicitly describe the current behavior applied when no MergeOption is provided
MergeOption.onPath("$.myArray")
           .addDistinctObjectsOnly(); // avoid duplicate objects in the array

// Add new option
MergeOption.onPath("$.myArray")
           .addAll(); // additional option where duplicates must be kept

Describe alternatives you've considered
N/A

Additional context
N/a

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Add new JsonProvider implementation to Vert.x's JsonObject.

Describe alternatives you've considered
N/A

Additional context
vert.x is a toolkit for reactive programming created by the developers of Eclipse. It's used by 1K+ open source projects in Maven Central. And it encapsulates a special JsonObject implementation used by that framework.

<!-- https://mvnrepository.com/artifact/io.vertx/vertx-core -->
<dependency>
    <groupId>io.vertx</groupId>
    <artifactId>vertx-core</artifactId>
    <version>4.3.3</version>
</dependency>

This enhancement aims to provide JSON Merge to work seamlessly with the JsonObject handled by the vert.x framework.

The new dependency shall be optional to avoid an unnecessary dependency on applications that do not use vert.x.

Tasks

• Add vert.x dependency (optional) to the jsonmerge-core project.
• Create a new JsonProvider implementation named VertxJsonProvider
• Create JUnit test suite VertxJsonProviderTest
• Create JUnit test suite JsonMergerVertxJsonProvider extending JsonMergerTest to secure that all tests available for the other providers may pass for the new provider as well
• Update README.md with new provider information

Impact

Affected versions of net.minidev:json-smart are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object.

When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the 3PP does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.

Patches

This vulnerability was fixed in json-smart version 2.4.9, but the maintainer recommends upgrading to 2.4.10, due to a remaining bug.

Workarounds

N/A

References

• https://www.cve.org/CVERecord?id=CVE-2023-1370
• https://nvd.nist.gov/vuln/detail/CVE-2023-1370
• https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Currently, when two objects are identified as the same using the provided distinct keys in an array, the algorithm picks the object from the higher-precedence JSON. However, it could be interesting to have an option to do a deep merge of local objects too, by accepting a new parameter.

For example (suggested API improvement):

// Current option, but with chained calls for better usability
MergeOption.onPath("$.myArray")
           .findObjectsIdentifiedBy("id", "version")
           .thenPickTheHigherPrecedenceOne();

// New option
MergeOption.onPath("$.myArray")
           .findObjectsIdentifiedBy("id", "version")
           .thenDoADeepMerge(); //merge the two with the same distinct keys

Describe alternatives you've considered
N/A

Additional context
N/a

Tasks list

• Implement builder with fluent API for JsonMergeOption
• Add new flag for deep merge
• Apply deep merge logic
• Secure functionality of legacy logic
• Add new JUnits
• Javadoc