
refactor(framework): replace fastjson with jackson#120

Open
halibobo1205 wants to merge 9 commits into develop from feat/jackjson2

halibobo1205 (Owner) commented Apr 4, 2026

User description

Remove the Fastjson dependency entirely and replace it with Jackson-backed drop-in wrappers (JSON, JSONObject, JSONArray, JSONException) that preserve the same public API surface.

Motivation:

  • Fastjson has a history of critical CVEs and is no longer actively maintained for 1.x
  • Jackson-databind 2.18.6 addresses CVE GHSA-72hv-8253-57qq

Core changes (common module):

  • Add org.tron.json.{JSON, JSONObject, JSONArray, JSONException} wrappers backed by a shared Jackson ObjectMapper configured to match Fastjson 1.x parsing/serialization defaults:
    • Unquoted field names and single-quoted strings (lenient parsing)
    • BigDecimal for floats, case-insensitive property matching
    • Null fields omitted (matches Fastjson default)
  • Type-safe accessors: getBoolean/getLong/getDouble/getIntValue/getLongValue/getBigDecimal throw JSONException on invalid text instead of silently returning 0/false
  • parseObject(String) guards against ClassCastException on non-object JSON roots; parseArray handles whitespace-only input
  • parseObject(String, Class) delegates to parseObject/parseArray for wrapper types to avoid silent field loss via ObjectMapper
  • Upgrade jackson-databind 2.18.3 → 2.18.6

HTTP servlet changes (framework module):

  • Swap import from com.alibaba.fastjson → org.tron.json across all HTTP API servlets, JSON-RPC layer, and event/log parsers
  • No changes to request/response JSON structure — existing API contracts are preserved

Test changes:

  • Add BaseHttpTest base class managing Args lifecycle, Wallet mock, MINIMAL_TX constant, and request/response factory methods (postRequest, getRequest, newResponse)
  • 44 servlet test classes refactored to extend BaseHttpTest, eliminating ~1400 lines of duplicated boilerplate
  • Strengthen weak assertNotNull checks to content-based assertions: assertTrue(contains("raw_data")) for transaction servlets, assertTrue(contains("blockID")) for block queries, etc.
  • Add Mockito verify for wallet service calls in query servlets to catch request-to-service mapping regressions
  • Fix test environment: initialize Args from config-test.conf (maxMessageSize) and use MINIMAL_TX with raw_data to prevent NPE in Util.printCreateTransaction
  • Add JsonCompatibilityFuzzTest: 500-round fuzz covering round-trip serialization, BigDecimal/BigInteger precision, deep nesting, unicode, and boundary values
  • Use SecureRandom for fuzz test randomization

Build:

  • Remove fastjson from common/build.gradle dependencies
  • Update gradle/verification-metadata.xml for jackson 2.18.6

CodeAnt-AI Description

Replace Fastjson with Jackson-backed JSON handling and tighten request validation

What Changed

  • The app now uses Jackson-based JSON objects, arrays, and parsing in place of Fastjson across HTTP APIs, JSON-RPC, event parsing, and related utilities, while keeping request and response shapes the same.
  • JSON parsing now rejects non-object values where an object is expected, handles blank input more safely, and returns clearer errors for invalid numeric and boolean values.
  • Genesis block timestamp input now fails with a direct error when it is negative or not a valid number.
  • VM trace output now always uses the same field-only JSON format, and tests now cover more HTTP endpoints and JSON edge cases.
  • Project docs and CI were updated to reflect the new issue templates, reviewer assignment, and coverage checks.

Impact

✅ Fewer crashes from malformed API JSON
✅ Clearer errors for invalid genesis timestamps
✅ Safer transaction and query request parsing

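As an added illustration (not code from this PR or from org.tron.json), the sketch below shows one way to configure a Jackson mapper with the Fastjson-style defaults listed in the PR description, together with an object-root guard and a strict long accessor. The class and method names are hypothetical and rejecting a missing key is an assumption of the sketch; the Jackson feature constants are the library's real API.

```java
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.json.JsonReadFeature;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

// Hypothetical class (not org.tron.json); one shared mapper, lenient like Fastjson 1.x.
public final class LenientJsonSketch {
  static final JsonMapper MAPPER = JsonMapper.builder()
      .enable(JsonReadFeature.ALLOW_UNQUOTED_FIELD_NAMES)
      .enable(JsonReadFeature.ALLOW_SINGLE_QUOTES)
      .enable(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS)
      .enable(MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
      .serializationInclusion(JsonInclude.Include.NON_NULL)
      .build();

  // Reject arrays, scalars and empty input instead of casting the root blindly.
  static ObjectNode parseObject(String text) {
    try {
      JsonNode root = MAPPER.readTree(text);
      if (root == null || !root.isObject()) {
        throw new IllegalArgumentException("JSON root is not an object");
      }
      return (ObjectNode) root;
    } catch (JsonProcessingException e) {
      throw new IllegalArgumentException("malformed JSON", e);
    }
  }

  // JsonNode.asLong() yields 0 for text such as "abc"; fail loudly instead.
  // Assumption of this sketch: a missing key is also treated as an error.
  static long getLongValue(ObjectNode obj, String key) {
    JsonNode n = obj.path(key); // MissingNode when the key is absent
    if (n.isIntegralNumber() && n.canConvertToLong()) {
      return n.longValue();
    }
    try {
      return Long.parseLong(n.asText().trim());
    } catch (NumberFormatException e) {
      throw new IllegalArgumentException(key + " is not a valid long", e);
    }
  }

  public static void main(String[] args) {
    // Constructed sample input: unquoted field names and single-quoted strings.
    ObjectNode tx = parseObject("{amount:'100', note:'constructed sample'}");
    System.out.println(getLongValue(tx, "amount"));
  }
}
```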

codeant-ai bot commented Apr 4, 2026

CodeAnt AI is reviewing your PR.


Thanks for using CodeAnt! 🎉

We're free for open-source projects. If you're enjoying it, help us grow by sharing.


@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@codeant-ai codeant-ai bot added the size:XXL This PR changes 1000+ lines, ignoring generated files label Apr 4, 2026

codeant-ai bot commented Apr 4, 2026

CodeAnt AI finished reviewing your PR.

halibobo1205 added a commit that referenced this pull request Apr 4, 2026
…erministic fuzz

- Use exact token_id/sell_token_id/buy_token_id byte assertions instead
  of non-empty checks in Exchange and Market servlet tests
- Add account_id byte assertion in SetAccountIdServletTest
- Switch fuzz test from non-deterministic SecureRandom to seeded Random
  for reproducible CI failures

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@halibobo1205 (Owner, Author)

@CodeAnt-AI: review


codeant-ai bot commented Apr 4, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai bot added size:XXL This PR changes 1000+ lines, ignoring generated files and removed size:XXL This PR changes 1000+ lines, ignoring generated files labels Apr 4, 2026

codeant-ai bot commented Apr 4, 2026

Sequence Diagram

This PR replaces Fastjson with Jackson-backed JSON, JSONObject, and JSONArray wrappers and wires all HTTP servlets to use them, so request bodies are parsed and responses serialized via a shared, safely-configured ObjectMapper while preserving existing API contracts.

sequenceDiagram
    participant Client
    participant HttpServlet
    participant JSONWrapper
    participant Wallet
    participant Util

    Client->>HttpServlet: POST transaction request (JSON body)
    HttpServlet->>JSONWrapper: parseObject(requestBody) to JSONObject
    HttpServlet->>Wallet: createTransactionCapsule(built from JSONObject fields)
    Wallet-->>HttpServlet: Transaction object
    HttpServlet->>Util: Serialize Transaction to JSON via JSON/JSONObject/JSONArray
    Util-->>Client: 200 OK with transaction JSON response

Generated by CodeAnt AI


codeant-ai bot commented Apr 4, 2026

CodeAnt AI finished running the review.



@halibobo1205 (Owner, Author)

@codex: review

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

Sunny6889 and others added 5 commits April 6, 2026 10:13
opt(common): GenesisBlock timestamp valid message error
Remove the Fastjson dependency entirely and replace it with
Jackson-backed drop-in wrappers (JSON, JSONObject, JSONArray,
JSONException) that preserve the same public API surface.

Motivation:
- Fastjson has a history of critical CVEs and is no longer
  actively maintained for 1.x
- Jackson-databind 2.18.6 addresses CVE GHSA-72hv-8253-57qq

Core changes (common module):
- Add org.tron.json.{JSON, JSONObject, JSONArray, JSONException}
  wrappers backed by a shared Jackson ObjectMapper configured to
  match Fastjson 1.x parsing/serialization defaults:
  - Unquoted field names and single-quoted strings (lenient parsing)
  - BigDecimal for floats, case-insensitive property matching
  - Null fields omitted (matches Fastjson default)
- Type-safe accessors: getBoolean/getLong/getDouble/getIntValue/
  getLongValue/getBigDecimal throw JSONException on invalid text
  instead of silently returning 0/false
- parseObject(String) guards against ClassCastException on
  non-object JSON roots; parseArray handles whitespace-only input
- parseObject(String, Class) delegates to parseObject/parseArray
  for wrapper types to avoid silent field loss via ObjectMapper
- Upgrade jackson-databind 2.18.3 → 2.18.6

HTTP servlet changes (framework module):
- Swap import from com.alibaba.fastjson → org.tron.json across all
  HTTP API servlets, JSON-RPC layer, and event/log parsers
- No changes to request/response JSON structure — existing API
  contracts are preserved

Test changes:
- Add BaseHttpTest base class managing Args lifecycle, Wallet mock,
  MINIMAL_TX constant, and request/response factory methods
  (postRequest, getRequest, newResponse)
- 44 servlet test classes refactored to extend BaseHttpTest,
  eliminating ~1400 lines of duplicated boilerplate
- Strengthen weak assertNotNull checks to content-based assertions:
  assertTrue(contains("raw_data")) for transaction servlets,
  assertTrue(contains("blockID")) for block queries, etc.
- Add Mockito verify for wallet service calls in query servlets
  to catch request-to-service mapping regressions
- Fix test environment: initialize Args from config-test.conf
  (maxMessageSize) and use MINIMAL_TX with raw_data to prevent
  NPE in Util.printCreateTransaction
- Add JsonCompatibilityFuzzTest: 500-round fuzz covering
  round-trip serialization, BigDecimal/BigInteger precision,
  deep nesting, unicode, and boundary values
- Use SecureRandom for fuzz test randomization

Build:
- Remove fastjson from common/build.gradle dependencies
- Update gradle/verification-metadata.xml for jackson 2.18.6

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: codeant-ai[bot] <151821869+codeant-ai[bot]@users.noreply.github.com>
Co-Authored-By: codex <codex@openai.com>

codeant-ai bot commented Apr 9, 2026

CodeAnt AI is running Incremental review



@codeant-ai codeant-ai bot added size:XXL This PR changes 1000+ lines, ignoring generated files and removed size:XXL This PR changes 1000+ lines, ignoring generated files labels Apr 9, 2026

codeant-ai bot commented Apr 9, 2026

CodeAnt AI Incremental review completed.
