Apply Jackson stream read constraints defaults at runtime #16832
Conversation
| public static final Map<Override, Integer> JACKSON_DEFAULTS = Map.of( | ||
| Override.MAX_STRING_LENGTH, 200_000_000, | ||
| Override.MAX_NUMBER_LENGTH, 10_000, | ||
| Override.MAX_NESTING_DEPTH, 1_000 |
There was a problem hiding this comment.
CODEREVIEW: I just noticed this is actually not set explicitly
Line 90 in 0eb03ad
There was a problem hiding this comment.
@edmocosta Is it intended to comment out? I think it is supposed to be uncommented
There was a problem hiding this comment.
Yes, it's intended to be commented out, at time we added those properties, 1000 was the default value already, and we haven't had any problem with that specific limit that would justify overriding it.
It seems the Jackson's team is still tuning it, and the new default value was reduced to 500 (FasterXML/jackson-core#1234). They've a good reasoning on why it was reduced (FasterXML/jackson-core#1233), but I think we can be more conservative and sticky to the well tested 1000 (at least for now). With this new code, it seems uncommenting the property wouldn't make much difference, so I'm fine with whatever you folks think is better.
There was a problem hiding this comment.
thanks, keeping the comment is good to me.
There was a problem hiding this comment.
Wow it sounds we lost consistency here as well.
Do we know till which jackson version (and LS version) we had nesting-depth with 1000 and which version decreased to 500 in which LS version? Do we have issues reported for such situation? If so, addressing separately would be good idea considering user stories.
There was a problem hiding this comment.
Wow it sounds we lost consistency here as well.
The new default value will be released in 3.0, so we should be fine now and after upgrading (thanks to this PR).
There was a problem hiding this comment.
Sorry, my comment was very ambiguous after reading it following a break 😅
My question is given we have this commented out should I remove the default from being applied. I was not suggesting we remove the example from the options file.
There was a problem hiding this comment.
Given we have this commented out should I remove the default from being applied
IMO, I'd keep it, it's a no-op for now, but knowing that Jackson will reduce this limit in the near future, setting it here would ensure that all defaults values are aligned with Logstash's requirements.
logstash-core/src/main/java/org/logstash/jackson/StreamReadConstraintsUtil.java
Outdated
Show resolved
Hide resolved
| public static final Map<Override, Integer> JACKSON_DEFAULTS = Map.of( | ||
| Override.MAX_STRING_LENGTH, 200_000_000, | ||
| Override.MAX_NUMBER_LENGTH, 10_000, | ||
| Override.MAX_NESTING_DEPTH, 1_000 |
There was a problem hiding this comment.
Wow it sounds we lost consistency here as well.
Do we know till which jackson version (and LS version) we had nesting-depth with 1000 and which version decreased to 500 in which LS version? Do we have issues reported for such situation? If so, addressing separately would be good idea considering user stories.
| @@ -78,6 +86,8 @@ StreamReadConstraints get() { | |||
| if (configuredStreamReadConstraints == null) { | |||
| final StreamReadConstraints.Builder builder = StreamReadConstraints.defaults().rebuild(); | |||
|
|
|||
| // Apply the Jackson defaults first, then the overrides from config | |||
| JACKSON_DEFAULTS.forEach((override, value) -> override.applicator.apply(builder, value)); | |||
There was a problem hiding this comment.
My biggest worry with these kind of changes is how to educate users to keep settings up to date.
- Users upgraded LS from the versions which
jvm.optionsdoesn't have Jackson default params to current change, we need to make sure to inform themjvm.optionsis not up to date. The situations,
- users who jumped from 8.12.0-, the
jvm.optionsdoesn't have - users upgraded LS multiple times (8.12.0- to 8.15.0 then 8.17.0), the
jvm.optionsmay not have jackson default params, depending on how (through package managers, or download tarball and replace) they upgrade.
- and with 1) we also need to inform LS is applying default values or user defined values are active. I think we are covering this
There was a problem hiding this comment.
I was thinking this approach removed the need for user's to worry about this at all. In all the cases you mentioned they never cared about this setting and now they can continue to not care about it. They only have to think about it if they are in a situation where they explicitly need to tune it. But maybe i'm not quite understanding your concern?
When Logstash 8.12.0 added increased Jackson stream read constraints to jvm.options, assumptions about the existence of that file's contents were invalidated. This led to issues like elastic#16683. This change ensures Logstash applies defaults from config at runtime: - MAX_STRING_LENGTH: 200_000_000 - MAX_NUMBER_LENGTH: 10_000 - MAX_NESTING_DEPTH: 1_000 These match the jvm.options defaults and are applied even when config is missing. Config values still override these defaults when present.
donoghuc
force-pushed
the
GH-16773-jackson-defaults
branch
from
42a15f2 to
7859a63
Compare
|
💛 Build succeeded, but was flaky
Failed CI Steps
History
|
Release notes
Ensure that the Jackson read constraints defaults (Maximum Number value length, Maximum String value length, and Maximum Nesting depth) are applied at runtime if they are absent from
jvm.options.What does this PR do?
When Logstash 8.12.0 added increased Jackson stream read constraints to jvm.options, assumptions about the existence of that file's contents were invalidated. This led to issues like #16683.
This change ensures Logstash applies defaults from config at runtime:
These match the jvm.options defaults and are applied even when config is missing. Config values still override these defaults when present.
Why is it important/What is the impact to the user?
Users who have custom
jvm.optionsfiles or have files that are not being updated with defaults in latest Logstash releases will still get the defaults we intend configure for the Jackson parsing lib.Checklist
[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration files (and/or docker env variables)Related issues
Closes #16773