alibaba-fastjson vulnerability upgrade record

1. Upgrade the version

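Upgrade from 1.2.44 to 2.0.32

<project>
    <properties>
        ...
        <fastjson.version>2.0.32</fastjson.version>
        ...
    </properties>
    ...
    <dependencyManagement>
        <dependencies>
            ...
            <dependency>
                <groupId>com.alibaba</groupId>
                <artifactId>fastjson</artifactId>
                <version>${fastjson.version}</version>
            </dependency>
            <dependency>
                <groupId>com.alibaba.fastjson2</groupId>
                <artifactId>fastjson2</artifactId>
                <version>${fastjson.version}</version>
            </dependency>
            <dependency>
                <groupId>com.alibaba.fastjson2</groupId>
                <artifactId>fastjson2-extension</artifactId>
                <version>${fastjson.version}</version>
            </dependency>
            <dependency>
                <groupId>com.alibaba.fastjson2</groupId>
                <artifactId>fastjson2-extension-spring5</artifactId>
                <version>${fastjson.version}</version>
            </dependency>
            ...
        </dependencies>
    </dependencyManagement>
</project>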
2. Replace the old FastJsonHttpMessageConverter

That is, replace the old

com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter

with the new:

com.alibaba.fastjson2.support.spring.http.converter.FastJsonHttpMessageConverter

import com.alibaba.fastjson2.JSONWriter;
import com.alibaba.fastjson2.support.config.FastJsonConfig;
import com.alibaba.fastjson2.support.spring.http.converter.FastJsonHttpMessageConverter;
import org.springframework.boot.autoconfigure.http.HttpMessageConverters;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.lang.NonNull;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.util.UrlPathHelper;

import java.util.ArrayList;
import java.util.List;


@Configuration
public class MyWebMvcConfig implements WebMvcConfigurer {

    ...

    @Override
    public void extendMessageConverters(@NonNull List<HttpMessageConverter<?>> converters) {
        FastJsonHttpMessageConverter fasHttpMessageConverter = new FastJsonHttpMessageConverter();
        FastJsonConfig fastJsonConfig = fasHttpMessageConverter.getFastJsonConfig();
        // Customize the output features
        fastJsonConfig.setWriterFeatures(
                JSONWriter.Feature.WriteNullStringAsEmpty,
                JSONWriter.Feature.WriteMapNullValue,
                JSONWriter.Feature.WriteNullBooleanAsFalse);

        List<MediaType> supportedMediaTypes = new ArrayList<>(2);
        supportedMediaTypes.add(MediaType.APPLICATION_JSON);
        fasHttpMessageConverter.setSupportedMediaTypes(supportedMediaTypes);

        converters.add(0, fasHttpMessageConverter);
    }

    ...
}

3. Package path replacement: optional

That is, replace the old

com.alibaba.fastjson.JSONObject

used in the project with the new

com.alibaba.fastjson2.JSONObject
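
After the steps above, it is worth confirming that no module still resolves a fastjson 1.x jar, for example through a transitive dependency in a module that does not inherit the managed version. The following is an added example, not part of the original post: the function names, the `com.example` coordinates and the sample tree are constructed, and it assumes the default (non-verbose) line format of `mvn dependency:tree`.

```shell
#!/bin/sh
# Added example: flag legacy fastjson 1.x coordinates in `mvn dependency:tree` output.
# Typical use in a project: mvn dependency:tree | find_legacy_fastjson

find_legacy_fastjson() {
    # Reads dependency:tree text on stdin. Prints every com.alibaba:fastjson
    # coordinate whose major version is below 2 and returns 1 if any was found.
    awk '
        {
            # Strip the "[INFO]" prefix and the tree-drawing characters.
            line = $0
            sub(/^\[INFO\][ |+\\-]*/, "", line)
            # Format: groupId:artifactId:type[:classifier]:version:scope
            n = split(line, f, ":")
            if (n < 5 || f[1] != "com.alibaba" || f[2] != "fastjson") next
            version = f[n - 1]
            split(version, v, ".")
            if (v[1] + 0 < 2) { print f[1] ":" f[2] ":" version; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: two modules, the second still pulls 1.2.44 transitively.
sample_tree() {
    cat <<'EOF'
[INFO] com.example:demo-web:jar:1.0.0
[INFO] +- com.alibaba:fastjson:jar:2.0.32:compile
[INFO] |  \- com.alibaba.fastjson2:fastjson2:jar:2.0.32:compile
[INFO] \- com.alibaba.fastjson2:fastjson2-extension-spring5:jar:2.0.32:compile
[INFO] com.example:demo-batch:jar:1.0.0
[INFO] \- com.example:legacy-sdk:jar:3.1.0:compile
[INFO]    \- com.alibaba:fastjson:jar:1.2.44:compile
EOF
}
```

A non-zero return status makes the function usable as a CI gate; the printed coordinate tells you which version to trace back with `mvn dependency:tree` in that module.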

fastjson2-2.0.32 source code

FASTJSON 1.x upgrade guide

Fastjson 2.0.32 release
