use DTO JavaEE design pattern to access webapp objects with API

[QiAnXinCodeSafe]

opengrok-master/opengrok-web/src/main/java/org/opengrok/web/api/v1/controller/ProjectsController.java

opengrok-master/opengrok-indexer/src/main/java/org/opengrok/indexer/util/ClassUtil.java

The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.

[vladak]

Could you expand on why this is a problem ? The value in ProjectsController can be indeed arbitrary (although currently this administrative interface is protected by localhost filter) however there has to be a setter for the field and Jackson has to be able to form an object from the string value. So, the validation happens when JSON is converted to Java object.

[vladak]

As suggested in #2962 (comment) the DTO design pattern should be used to access data via API. This should help to get rid of any "JSON injection".