Masa

Reputation: 1

Extraneous postfixed data in JSON for POST method

I was wondering if someone can tell me whether this is a problem worth considering, and how it can be fixed if needed.

We have a web service written in Java that is built using Spring Boot and running on Amazon AWS. It is used by our other products and services internally. Though the endpoint is public, there is some authentication that prevents public access.

One of our APIs accepts JSON as the parameter for a POST method. Our QE pointed out that our API does not detect extraneous data following the JSON data itself. For example, assuming our API expects data something like:

{
  "name": "John Doe",
  "email": "[email protected]"
}

Our API does not complain even if the following data is given:

{
  "name": "John Doe",
  "email": "[email protected]"
}
Hello, I’m ignored!

Our API simply ignores the extraneous portion completely. We use Jackson to deserialize the JSON string. I looked through the Jackson and Spring documentation but was not able to find out how this can be detected.

So, the actual question is: is this a security threat? If so, how can it be fixed?

Thanks,

Masa

Upvotes: 0

Views: 346

Answers (1)

Duncan

Reputation: 717

I dug into the Jackson source code a little bit and came to the following conclusion. When parsing JSON into an object, Jackson will parse all values and build them into the object, and then check whether the parser reached the end ("}"). So we can see that any string appended after "}" won't be taken in by Jackson. Jackson just ignores it and won't throw an Exception.

I don't think it will cause any safety issue, since those strings after "}" are ignored: they are never used inside Jackson and hence have no chance to get into your app. If you really don't want this, you can use an interceptor to do some checks.

Hope this could help you.

protected Object _unwrapAndDeserialize(JsonParser p, DeserializationContext ctxt, 
        DeserializationConfig config,
        JavaType rootType, JsonDeserializer<Object> deser)
    throws IOException
{

    ...
    // ok, then move to value itself....
    p.nextToken();
    Object result = deser.deserialize(p, ctxt);
    // and last, verify that we now get matching END_OBJECT
    if (p.nextToken() != JsonToken.END_OBJECT) {
        ctxt.reportWrongTokenException(p, JsonToken.END_OBJECT,
                "Current token not END_OBJECT (to match wrapper object with root name '%s'), but %s",
                expSimpleName, p.getCurrentToken());
    }
    return result;
}

The Enum

/* Jackson JSON-processor.
 *
 * Copyright (c) 2007- Tatu Saloranta, [email protected]
 */

package com.fasterxml.jackson.core;

/**
 * Enumeration for basic token types used for returning results
 * of parsing JSON content.
 */
public enum JsonToken
{
  ...
    /**
     * END_OBJECT is returned when encountering '}'
     * which signals ending of an Object value
     */
    END_OBJECT("}", JsonTokenId.ID_END_OBJECT),
...

Upvotes: 2
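As an added illustration (not part of the question or the answer above), the trailing-data check can be switched on in Jackson itself instead of a custom interceptor: DeserializationFeature.FAIL_ON_TRAILING_TOKENS (Jackson 2.9 and later) makes the mapper read one more token after the root value and fail unless it hits end of input. The Person class, the main method and the email value are assumptions made for this example; the payload is the post's sample document with the extraneous line appended.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class TrailingTokenCheck {

    // Assumed request class; the post only shows the JSON shape, not the Java type.
    public static class Person {
        public String name;
        public String email;
    }

    // Constructed input: the valid document from the post followed by extraneous text
    // (the email address is a placeholder chosen for this example).
    static final String PAYLOAD =
            "{\n  \"name\": \"John Doe\",\n  \"email\": \"john@example.com\"\n}\n"
            + "Hello, I'm ignored!";

    // True if the mapper rejected the payload, false if it accepted it.
    static boolean rejects(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Person.class);
            return false;
        } catch (JsonProcessingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        // Default behaviour: parsing stops at the closing '}' and the rest of the body
        // is never examined, so the payload is accepted.
        ObjectMapper lenient = new ObjectMapper();
        System.out.println("default mapper rejects trailing data: " + rejects(lenient, PAYLOAD));

        // Hardened mapper: after the root value Jackson calls nextToken() once more and
        // fails if anything other than end-of-input is found. In Spring Boot the same
        // switch is the property spring.jackson.deserialization.fail-on-trailing-tokens=true.
        ObjectMapper strict = new ObjectMapper()
                .enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
        System.out.println("strict mapper rejects trailing data: " + rejects(strict, PAYLOAD));

        // A clean document (trailing whitespace only) is still accepted by the strict mapper.
        String clean = PAYLOAD.substring(0, PAYLOAD.indexOf("Hello"));
        System.out.println("strict mapper rejects clean document: " + rejects(strict, clean));
    }
}
```

Because the check happens inside deserialization, it applies to every @RequestBody endpoint served by the configured mapper, which is simpler to keep consistent than per-endpoint interceptor logic.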
