Drop YAJL dependency #3308
Comments
|
Agree, we should change. What do you think about the "official" YAML library? |
|
Note, I added label [2.x] too, because mod_security2 is also affected. |
|
This does not sound good. Thank you for bringing this to the attention @mikelolasagasti. |
I'm the Fedora |
|
Hi @berrange,
You're right, that was a mistake from me - sorry, and thank you. |
|
Thank you for this very valuable input @berrange. That puts the replacement discussion on a far better base. |
|
These are the libraries that are reported (by their authors and third-parties) as the fastest:
It would be interesting to check their functionalities for our intended use:
|
|
There are a few subtle behavior quirks of yajl that should be examined for alternative libraries too. And then documented in case. The behavior with empty request body for example. From the back of my head I am no longer sure if yajl rejects that and other parsers are OK with it or if it's the other way around. But I've seen this problem in production before. |
|
This would definitely need extensive test cases |
|
Just a quick remark for this issue:
Other ideas? |
AFAICT they haven't replied to anyone asking about YAJL on github in many years. I see no notable github activity on their account in 10 years.
The thing about yajl forks is that there are already many to choose from, each with a random selection of changes, but none seem to gain critical mass/attention. Personally I'd just recommend letting yajl fade out. There are already two actively maintained alternative plain C JSON libraries - jansson & json-c - json-c slightly more active, as well as glib-json for apps which happen to use GLib. Between them they ought to be able to satisfy JSON needs for C applications, unless there's an unavoidable need for historical bug compatibility with YAJL. Even bug compatibility is questionable since JSON ought to be used/consumed in a way that ensures it is interoperable across impls, so it doesn't feel like further investment in YAJL is a long term benefit. |
I saw that in some place but gave a try...
that's said.
If we don't have other chance we must switch, but honestly I'd like to avoid that. If we will switch, I do not see any reason to keep any compatibility with old bugs, I agree with you. And thanks for following this issue. |
|
I made some researches in this topic, and now I'm completely disappointed. Honestly, I think it's harder to make a good decision than I thought. Here are the libraries what I checked.
I know the list is far not complete, but I haven't more time. If anyone can make similar research, please send me the results and I will add it to this sheet. Here is a good collection of available parsers, but I'm not sure that's a complete list. Aspects that I took into account:
If anyone has other aspects that we should consider, please leave a comment. And any help are welcome to continue this research. Update on 2025.03.27:
Update on 2025.03.28:
Update on 2025.01.01:
|
|
To all: I've reviewed the available JSON parsers and organized them by my criteria - see this comment. There are some important requirements that the candidate must meet:
Based on the sheet above (inside of the comment) there is only ONE JSON library which fit these requirements: the JSMN, but unfortunately that's - we can say - also an unmaintained codebase. The last commit was on 2021.10.14, and the last release was on 2019.06.23. This is very sad. Actually I don't see the solution. I reviewed all listed library here (see the Meanwhile I created a small tool which emulates the engines' behavior (especially it's closer to mod_security2's behavior). If anyone wants to try to add a new library, feel free to do that. Or anyone has an idea what library is missing from the list above, and thinks that would be a good candidate, please share that and I will add that. The tool is here: Also please if you think I forget to add a usable library above, please notice me. |
|
Also, |
|
Looks like the |
I have to check this, thanks. Btw if you want to take a look and/or try that, feel free to add
Ah, thanks - now I realized that it has been added in May of last year, so it's part of SID and testing (which is the Trixie now). But it's a good sign. Thanks again for your help! |
Yes, and it seems like they try Thanks, now I think it worth a try. |
yajllibrary has been unmaintained upstream[1] since 2015. Last published release contians multiple CVEs (CVE-2023-33460, CVE-2022-24795, CVE-2017-16516) and fixes have had to be carried by downstream distributions and third parties. This is not an ideal situation. While a fork exists[2], it is unclear how widely adopted or blessed it is downstream.As the maintainer of
libmodsecurityfor Fedora[3] and EPEL, I recently found that theyajllibrary will not be shipped with RHEL 10. This means a new maintainer would be required to add it to EPEL. The previous maintainer for RHEL & EPEL has recommended moving away fromyajl[4].Currently, libmodsecurity can be built without
yajl, but I understand that making it mandatory is considered desirable, as per #3144 and #3151.Given the security concerns and the upstream status of
yajl, I recommend opening a discussion on droppingyajlas a dependency and exploring alternative JSON libraries, such asJSON-C, which is actively maintained and more widely adopted.[1] https://github.com/lloyd/yajl
[2] https://github.com/robohack/yajl/
[3] https://src.fedoraproject.org/rpms/libmodsecurity
[4] https://lists.fedoraproject.org/archives/list/[email protected]/message/YPFHPOKAND3RZR7ZKWTDHUQEESG6IUJ3/
The text was updated successfully, but these errors were encountered: