[SPARK-43263][BUILD] Upgrade FasterXML jackson to 2.15.0

[bjornjorgensen]

What changes were proposed in this pull request?

Upgrade FasterXML jackson from 2.14.2 to 2.15.0

Why are the changes needed?

Upgrade Snakeyaml to 2.0 (resolves CVE-2022-1471 CVE-2022-1471 at nist

Does this PR introduce any user-facing change?

This PR introduces user-facing changes by implementing streaming read constraints in the JSONOptions class. The constraints limit the size of input constructs, improving security and efficiency when processing input data.

Users working with JSON data larger than the following default settings may need to adjust the constraints accordingly:

Maximum Number value length: 1000 characters (DEFAULT_MAX_NUM_LEN)
Maximum String value length: 5,000,000 characters (DEFAULT_MAX_STRING_LEN)
Maximum Nesting depth: 1000 levels (DEFAULT_MAX_DEPTH)
Additionally, the maximum magnitude of scale for BigDecimal to BigInteger conversion is set to 100,000 digits (MAX_BIGINT_SCALE_MAGNITUDE) and cannot be changed.

Users can customize the constraints as needed by providing the corresponding options in the parameters object. If not explicitly specified, default settings will be applied.

How was this patch tested?

Pass GA

[bjornjorgensen]

CC @pjfanning

[pjfanning]

if you use jackson 2.14.2 - you can just upgrade snakeyaml to 2.x (there is a fix in jackson 2.14.2 that makes it easier to upgrade snakeyaml dependency)

jackson 2.15.0 has extra changes that you need to worry about - see https://issues.apache.org/jira/browse/SPARK-42854

[srowen]

Looks good, just resolve the conflict and we can check tests again

[pjfanning]

@srowen CVE-2022-1471 is a snakeyaml CVE and you can upgrade snakeyaml explicitly without upgrading jackson. Jackson 2.15 applies limits on the JSON inputs it parses. It is probably not a good idea to use Jackson 2.15 without supporting overrides for these limits. See SPARK-42854.

[srowen]

Ah OK, @bjornjorgensen how about just doing snakeyaml here as an intermediate step?

[pjfanning]

Snakeyaml 1.32 introduced an approx 5mb default limit on input yaml. Spark trunk already has this change but it might be worth considering making this limit configurable using spark configs. The snakeyaml class to look for is called LoaderOptions.

[LuciferYang]

https://github.com/FasterXML/jackson-core/blob/a2c0bdcfb9aae8fca555240e63e57c1d9e6f8079/src/main/java/com/fasterxml/jackson/core/StreamReadConstraints.java#L30-L51

It seems to have added 4 constraints, but MAX_BIGINT_SCALE_MAGNITUDE is not configurable.

May be we should add corresponding configurable items to org.apache.spark.sql.catalyst.json.JSONOptions and inject them in JSONOptions#buildJsonFactory by JsonFactoryBuilder#streamReadConstraints(StreamReadConstraints).

This may handle most scenarios, but there are still some places in Spark that call new ObjectMapper(), these will using StreamReadConstraints.defaults(), but for them, using the default value may be OK(need to analyze it one by one).

If there is a problem with what I said, please correct me @pjfanning , thanks

[LuciferYang]

And will these new constraints make JSON parsing slower?

[pjfanning]

@LuciferYang your analysis summarises the situation well

[pjfanning]

And will these new constraints make JSON parsing slower?

there is no evidence of a significant performance drop

[pjfanning]

@bjornjorgensen can you engage with the comments? A few of us have basically asked for this PR to be modified or redone but not to proceed as it is.

• one option is to replace this PR with 1 that upgrades just snakeyaml and leaves jackson alone
• another option is to upgrade jackson but to also introduce new spark configs so a StreamReadConstraints can be created and set on the ObjectMapper based on the config values

[bjornjorgensen]

@pjfanning yes, sorry
I have marked it as a draft now.

[LuciferYang]

Please fix the compilation error first @bjornjorgensen thanks

[LuciferYang]

I found Update jackson-module-scala to 2.15.0 in 2.12.x in release plan of Scala 2.12.18:

https://github.com/scala/scala/milestone/99

[pjfanning]

I found Update jackson-module-scala to 2.15.0 in 2.12.x in release plan of Scala 2.12.18:

https://github.com/scala/scala/milestone/99

@LuciferYang Core Scala libs don't have a dependency on Jackson. This upgrade seems to affect a module called compilerOptionsExporter. I don't really know what that that is but I doubt whether it has much impact outside the Scala build.

[bjornjorgensen]

anyway this is my "hello world" in Scala.
What is the best way to get this forward? @LuciferYang will you take over? or..

[pjfanning]

don't make any changes yet - but @LuciferYang, are there are guidelines about to handle cases where the parameter values are not convertible to ints (.toInt fails) and where the values evaluate to negative values (which will cause an IllegalArgumentException when setting up StreamReadConstraints

[srowen]

I think this is fine. It's a niche set of configs that very few would set. If they set a bad value, a raw error is even OK.

[bjornjorgensen]

Ah OK, @bjornjorgensen how about just doing snakeyaml here as an intermediate step?

Well, upgrading SnakeYAML might work as a temporary solution, but for Spark's long-term benefit, I believe it's best to upgrade Jackson now. This will make future upgrades of Jackson much easier. Additionally, Snyk has opened two PRs to upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-yaml to version 2.15.0. By upgrading Jackson now, we'll address these issues and won't receive any further request about this.

[srowen]

I think this is OK for master, as we have a safety valve for the only issue we can think of in jackson 2.15 usage, and aren't complicating anything unnecessarily by exposing those. Like, I don't think we should doc these yet.

[srowen]

I think this is fine. It's a niche set of configs that very few would set. If they set a bad value, a raw error is even OK.

[bjornjorgensen]

we can upgrade it to

 private def safeStringToInt(value: String, default: Int): Int = {
    try {
      val intValue = value.toInt
      if (intValue >= 0) intValue else default
    } catch {
      case _: NumberFormatException => default
    }
  }


  private val maxNestingDepth: Int = parameters
    .get("maxNestingDepth")
    .map(safeStringToInt(_, StreamReadConstraints.DEFAULT_MAX_DEPTH))
    .getOrElse(StreamReadConstraints.DEFAULT_MAX_DEPTH)

  private val maxNumLen: Int = parameters
    .get("maxNumLen")
    .map(safeStringToInt(_, StreamReadConstraints.DEFAULT_MAX_NUM_LEN))
    .getOrElse(StreamReadConstraints.DEFAULT_MAX_NUM_LEN)

  private val maxStringLen: Int = parameters
    .get("maxStringLen")
    .map(safeStringToInt(_, StreamReadConstraints.DEFAULT_MAX_STRING_LEN))
    .getOrElse(StreamReadConstraints.DEFAULT_MAX_STRING_LEN)

Or chatGPT will have this

Cache frequently used values to reduce the number of map lookups. For example, in the JSONOptions class, you can create lazy vals for the frequently accessed parameters:

  lazy val samplingRatio: Double = parameters.get(SAMPLING_RATIO).map(_.toDouble).getOrElse(1.0)
  lazy val primitivesAsString: Boolean = parameters.get(PRIMITIVES_AS_STRING).map(_.toBoolean).getOrElse(false)
  lazy val prefersDecimal: Boolean = parameters.get(PREFERS_DECIMAL).map(_.toBoolean).getOrElse(false)

In the safeStringToInt method, you can use scala.util.Try to handle the conversion from String to Int:

	private def safeStringToInt(value: String, default: Int): Int = {
		scala.util.Try(value.toInt).filter(_ >= 0).getOrElse(default)
	  }

Consider using getOrElse with a default value directly instead of map followed by getOrElse for some parameters:

  private val maxNestingDepth: Int = parameters
    .getOrElse("maxNestingDepth", StreamReadConstraints.DEFAULT_MAX_DEPTH.toString)
    .pipe(safeStringToInt(_, StreamReadConstraints.DEFAULT_MAX_DEPTH))

  private val maxNumLen: Int = parameters
    .getOrElse("maxNumLen", StreamReadConstraints.DEFAULT_MAX_NUM_LEN.toString)
    .pipe(safeStringToInt(_, StreamReadConstraints.DEFAULT_MAX_NUM_LEN))

  private val maxStringLen: Int = parameters
    .getOrElse("maxStringLen", StreamReadConstraints.DEFAULT_MAX_STRING_LEN.toString)
    .pipe(safeStringToInt(_, StreamReadConstraints.DEFAULT_MAX_STRING_LEN))

but it seams to be to mach..

[srowen]

I think it's overkill to put too much processing into this arg parsing

[LuciferYang]

+1, LGTM ~

Agree with @srowen , it's ok now, don't make things too complicated

[srowen]

Merged to master

[bjornjorgensen]

Thank you all so much for your help and support for this update.

[EnricoMi]

Note that this breaks downstream projects that want to read json:

spark.read.json("file.json")

java.lang.NoClassDefFoundError: com/fasterxml/jackson/core/StreamReadConstraints
	at org.apache.spark.sql.catalyst.json.JSONOptions.buildJsonFactory(JSONOptions.scala:195)
	at org.apache.spark.sql.catalyst.json.JsonInferSchema.$anonfun$infer$1(JsonInferSchema.scala:83)
...
Caused by: java.lang.ClassNotFoundException: com.fasterxml.jackson.core.StreamReadConstraints
	at java.net.URLClassLoader.findClass(URLClassLoader.java:387)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
	... 16 more

The reason is that spark-core depends on avro 1.11.1, which pulls in jackson-core 2.12.7:

[INFO] +- org.apache.spark:spark-core_2.12:jar:3.5.0-SNAPSHOT:provided
[INFO] |  +- org.apache.avro:avro:jar:1.11.1:provided
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.12.7:provided

Project avro has upgraded to jackson 2.15.0 a few days ago: apache/avro@3b6c6cc

I think for this upgrade in Spark to work, the avro dependency of spark-core has to be upgraded to their next release as well.

My project depends on spark-core and spark-sql only.

[bjornjorgensen]

@EnricoMi I read and write JSON files using pyspark. I haven't seen any problems so far.

[EnricoMi]

I doubt spark-submit, spark-shell or pyspark are affected. The Spark sources are also not affected:

[INFO] org.apache.spark:spark-core_2.12:jar:3.5.0-SNAPSHOT
[INFO] +- org.apache.avro:avro:jar:1.11.1:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.0:compile

I am talking about Java / Scala projects that depend on spark-core, like https://github.com/G-Research/spark-extension.

[srowen]

All wrappers would be affected if any are, as all of this goes through the JVM for JSON processing.
Yes, you show that Spark does not pull in older Jackson versions via Avro. So aren't you talking about other projects that may somehow pull in older Jackson, not Spark? I don't quite understand. Spark JSON processing worsk with this change.

[EnricoMi]

Spark pulls in Jackson 2.15.0 for compile scope. Projects depending on Spark do not transitively depend on Jackson 2.15.0.

Spark depends on Avro which depends on Jackson 2.12.7. Projects that depend on Spark transitively depend on Jackson 2.12.7.

Maybe spark-core should depend on Jackson 2.15.0 with runtime scope, rather than compile scope.

The following pom reproduces the issue:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>uk.co.gresearch.spark</groupId>
  <artifactId>spark-example_2.13</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <dependencies>
    <dependency>
      <groupId>org.apache.spark</groupId>
      <artifactId>spark-core_2.13</artifactId>
      <version>3.5.0-SNAPSHOT</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>

  <repositories>
    <!-- required to resolve Spark snapshot versions -->
    <repository>
      <id>apache snapshots</id>
      <name>Apache Snapshots</name>
      <url>https://repository.apache.org/snapshots/</url>
    </repository>
  </repositories>
</project>

mvn dependency:tree

[INFO] uk.co.gresearch.spark:spark-example_2.13:jar:1.0.0-SNAPSHOT
[INFO] \- org.apache.spark:spark-core_2.13:jar:3.5.0-SNAPSHOT:provided
[INFO]    +- org.scala-lang.modules:scala-parallel-collections_2.13:jar:1.0.4:provided
[INFO]    +- org.apache.avro:avro:jar:1.11.1:provided
[INFO]    |  \- com.fasterxml.jackson.core:jackson-core:jar:2.12.7:provided

[srowen]

They do transitively depend on Jackson, if it's compile scope. Lots of stuff would never work otherwise.
runtime scope does not work; we could not compile against Jackson code then, and Spark uses Jackson classes.

You are correct that there is a conflict that Maven resolves, and its rules may not give the desired effect. However Spark does "all it can do" by directly depending on Jackson.

The only thing I can think of is to also exclude the jackson dep from Avro explicitly in the Spark POM?

[bjornjorgensen]

The only thing I can think of is to also exclude the jackson dep from Avro explicitly in the Spark POM?

But then we will have to write a lot of testes to test Avro with jackson version 2.15.0.

Cant we open a issue in Avro and ask for a new version? There lasts release is from Aug 5, 2022.

[EnricoMi]

That was my initial suggested solution. Once Avro releases a new version, and Spark is compatible with that, the problem should be resolved by upgrading to that new Avro version.

[pjfanning]

I'm a Jackson committer and 2.15.0 has some big changes in it. A number of changes have already been made based on some bugs and some tweaking of the changes (for a forthcoming v2.15.1 release). I would discourage anyone from making releases that are based on Jackson 2.15.0.

[EnricoMi]

I found a fix on my side, the order of dependencies in my pom is significant here:

• ❌ first referencing spark-core, then spark-sql pulls in Jackson 2.12.7
• ✔️ first referencing spark-sql, then spark-core pulls in Jackson 2.15.0
• ✔️ only referencing spark-sql pulls in Jackson 2.15.0