
Why disable FastJson

2025-02-25 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/03 Report--

This article explains why FastJson should be disabled. Many people have wondered about this in daily work, so the editor consulted various materials and put together a short, practical summary. I hope it helps answer the question of why FastJson is being dropped. Please follow along.

Introduction to FastJson

Fastjson is Alibaba's open source JSON parsing library. It is written in Java and converts between JSON strings and JavaBeans, and it uses an "assumed-ordered fast matching" algorithm to push JSON parsing performance as far as it can go.

Because its API is simple and easy to use, it has been widely adopted for cache serialization, protocol exchange, web output and many other scenarios.

A simple example of FastJson

First, a simple example of how FastJson is used. Add the FastJson library to the project as a Maven dependency:

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.70</version>
</dependency>

Use version 1.2.70 or later. Why? Earlier versions carry too many known vulnerabilities.

Define a JavaBean; we will use User as the example:

public class User {
    private String userName;
    private int age;
    private String address;

    // getters and setters: FastJson binds JSON keys through these methods
    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }
    public int getAge() { return age; }
    public void setAge(int age) { this.age = age; }
    public String getAddress() { return address; }
    public void setAddress(String address) { this.address = address; }

    // toString in the format shown in the program output below
    @Override
    public String toString() {
        return "User(userName=" + userName + ", age=" + age + ", address=" + address + ")";
    }
}

Example usage:

import com.alibaba.fastjson.JSONObject;

public class Main {
    public static void main(String[] args) {
        String json = "{\"address\":\"Beijing\",\"age\":28,\"user_name\":\"Tom\"}";
        // convert the JSON string into a JavaBean
        User user = JSONObject.parseObject(json, User.class);
        System.out.println(user);
        // convert the JavaBean back into a JSON string
        String result = JSONObject.toJSONString(user);
        System.out.println(result);
    }
}

In the example, the JSON string is first converted into a User object with parseObject, and the User object is then converted back into JSON with toJSONString. Very convenient to use.

Also notice the key "user_name" in the JSON string. By default FastJson binds this underscored key to the camel-case attribute userName in the JavaBean.

Run the program; it prints:

User(userName=Tom, age=28, address=Beijing)
{"address":"Beijing","age":28,"userName":"Tom"}

Both conversions succeeded.

FastJson also offers other commonly used APIs, such as:

public static final Object parse(String text);                                  // parse JSON text into a JSONObject or JSONArray
public static final JSONObject parseObject(String text);                        // parse JSON text into a JSONObject
public static final <T> T parseObject(String text, Class<T> clazz);             // parse JSON text into a JavaBean
public static final JSONArray parseArray(String text);                          // parse JSON text into a JSONArray
public static final <T> List<T> parseArray(String text, Class<T> clazz);        // parse JSON text into a list of JavaBeans
public static final String toJSONString(Object object);                         // serialize a JavaBean into JSON text
public static final String toJSONString(Object object, boolean prettyFormat);   // serialize a JavaBean into pretty-printed JSON text
public static final Object toJSON(Object javaObject);                           // convert a JavaBean into a JSONObject or JSONArray

With these APIs you can also convert between a JSON string and a JSONArray, between a JSON string and a JavaBean, between a JSON array string and a list of JavaBeans, between a Java List and a JSONArray, and so on.

Why give up FastJson?

As the example above shows, FastJson's API is easy to use, and its defining characteristic, its selling point, is that it is "fast".

Although there are various benchmarks online that question FastJson's "speed", once you discount the influence of the testers' cases and environments, FastJson is on the whole not slower than the other comparable frameworks on the market.

So why give it up?

Popularity degree

First of all, it is not as popular as we tend to think. Take a look at the Maven usage statistics for FastJson (source: https://mvnrepository.com/):

[Figure: FastJson Maven usage ranking]

FastJson ranks fourth, just behind JSON In Java in third place. If you also consider that most domestic users pull from the Alibaba mirror, FastJson's ranking rises relative to Jackson, but a gap remains.

Design and code quality

There are probably two reasons it has not caught on more widely abroad: promotion (including English documentation) and code quality.

Developers abroad dislike FastJson because they feel its code quality is low. There is a related discussion on Zhihu; although it dates from 2016, it is still worth reading (link: https://www.zhihu.com/question/44199956).

[Figure: Zhihu discussion on FastJson code quality]

For the reasons above, I personally pay most attention to the summary in the top-voted answer: "it uses a lot of opportunistic tricks to achieve the so-called 'fast', while losing Java features it should be compatible with, and without strictly following the JSON standard."

Indeed, precisely because this library grew out of Alibaba's own practice, many of its initial design decisions diverge from the standards. And because it is already so widely used, changing them later is difficult. On top of that, incompatible upgrades are frequent.

Open source Issues

While writing this article I looked at the project's Issues on GitHub: there are a lot of problems waiting to be fixed, and releases come out frequently to fix and upgrade things.

[Figure: FastJson GitHub issues page]

There are still 1488 issues in the Open state! Seeing this, I am honestly a bit worried. Having many users who report many issues may, on the one hand, make the library safer, but with this many problems still unresolved it is a little scary.

History of vulnerability repair

At the same time, FastJson vulnerabilities have been exploited several times recently, and all of them are related to a FastJson feature called AutoType.

From v1.2.59 in July 2019 to v1.2.71 in June 2020, every release contained an AutoType-related change:

fastjson 1.2.59 release: enhanced AutoType security when it is enabled
fastjson 1.2.60 release: added AutoType blacklist entries, fixed a denial-of-service security issue
fastjson 1.2.61 release: extended the AutoType security blacklist
fastjson 1.2.62 release: added AutoType blacklist entries, improved date deserialization and JSONPath
fastjson 1.2.66 release: bug fixes and security hardening, supplemented the AutoType blacklist
fastjson 1.2.67 release: bug fixes and security hardening, supplemented the AutoType blacklist
fastjson 1.2.68 release: GeoJSON support, supplemented the AutoType blacklist (a safeMode configuration is introduced; with safeMode enabled, AutoType is not supported at all, regardless of whitelist or blacklist)
fastjson 1.2.69 release: fixed a newly discovered high-risk AutoType switch bypass vulnerability, supplemented the AutoType blacklist
fastjson 1.2.70 release: improved compatibility, supplemented the AutoType blacklist

So what is AutoType, and why does it lead to vulnerabilities?

A JSON framework converts Java objects to strings either by reading fields or by calling getter/setter methods. FastJson and Jackson work by traversing all the getter methods of a class, whereas Gson enumerates the class's fields by reflection and serializes their values to JSON.

When a class contains a field whose type is an interface (or abstract class), serializing it with FastJson erases the concrete subtype: only the interface (abstract class) type remains, so the original type cannot be recovered on deserialization.

To solve this, FastJson introduced AutoType, which records the concrete type in the serialized output.

With AutoType enabled, when FastJson deserializes a JSON string it reads the @type field in the content, tries to deserialize the JSON into an instance of that class, and calls its setter methods. Because of this, a crafted JSON string can use @type to name whichever class the attacker wants loaded and instantiated, and that is the root of the AutoType vulnerabilities.
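The following is an added example, not code from the original article, showing the two sides of the mechanism described above: how an interface-typed field loses its concrete type unless WriteClassName emits an @type marker, and how the safeMode setting introduced in 1.2.68 rejects any @type on the way back in. It assumes fastjson 1.2.68 or later on the classpath; the Notifier, EmailNotifier and Holder classes are hypothetical.

```java
// Added example (not from the original article). Requires fastjson >= 1.2.68.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;
import com.alibaba.fastjson.serializer.SerializerFeature;

public class AutoTypeDemo {

    // Hypothetical interface: its concrete subtype is erased during normal serialization
    public interface Notifier { String channel(); }

    public static class EmailNotifier implements Notifier {
        private String address;
        public String getAddress() { return address; }
        public void setAddress(String address) { this.address = address; }
        public String channel() { return "email"; }
    }

    public static class Holder {
        private Notifier notifier;
        public Notifier getNotifier() { return notifier; }
        public void setNotifier(Notifier notifier) { this.notifier = notifier; }
    }

    public static void main(String[] args) {
        EmailNotifier n = new EmailNotifier();
        n.setAddress("ops@example.com");          // constructed sample value
        Holder holder = new Holder();
        holder.setNotifier(n);

        // Default serialization: only the bean shape survives, the class name is gone
        String plain = JSON.toJSONString(holder);
        // WriteClassName makes FastJson record the concrete class under the "@type" key
        String typed = JSON.toJSONString(holder, SerializerFeature.WriteClassName);
        System.out.println("plain: " + plain);
        System.out.println("typed: " + typed);

        // Defensive setting from 1.2.68: safeMode disables AutoType entirely, so an
        // "@type" found in input is rejected instead of being resolved to a class
        ParserConfig.getGlobalInstance().setSafeMode(true);
        try {
            JSON.parseObject(typed, Holder.class);
            System.out.println("unexpected: @type was honoured");
        } catch (JSONException e) {
            System.out.println("rejected under safeMode: " + e.getMessage());
        }
    }
}
```

The trade-off is visible here: with safeMode on, even legitimately typed output like typed can no longer be round-tripped, so a deployment that needs polymorphic fields has to carry the type information some other way.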

This concludes our look at "Why disable FastJson". I hope it has cleared up your doubts. Combining theory with practice is the best way to learn, so go and try it yourself. To keep learning about related topics, keep following this site; the editor will keep working to bring you more practical articles.
