Clarkey

Reputation: 1581

Invalid Characters at Start of JSON Body of Dropwizard Rest API

I have created a basic CRUD API using Dropwizard and Spring. In the body of my response object, I am receiving the following:

 )]}',
 {
  "id":10,
  "initiator":2,
  "target":1,
  "statusId":1,
  "created":"2018-04-30T14:45:01.173"
 }

I checked the API using curl, Postman, and programmatically during testing with REST Assured, and the invalid characters )]}', are always present. Postman seems to be capable of ignoring them and displaying a pretty-printed output; however, REST Assured and, I'm guessing, most JSON parsers can't parse it correctly.

Questions:

  1. What are they?
  2. Why are they present?
  3. How do I remove them?

I've been writing REST APIs for years and I've never seen anything like this. This is my first time using Dropwizard, so I'm optimistically hoping it is some configuration I have missed.

Apart from the invalid characters, functionally the API works fine.

This is an inherited codebase, and other APIs return these characters also. For the purposes of testing in REST Assured, the invalid characters are filtered out before processing the response. While this seems acceptable to me as a workaround in the short term, long term any future consumers of the API will all have to perform the workaround, and ideally this would be fixed in the API itself.

Upvotes: 1

Views: 255

Answers (1)

Hemant Patel

Reputation: 3260

Not aware of Dropwizard, but it is there to prevent JSON hijacking. In Spring there is a MappingJackson2HttpMessageConverter class, which has the same feature, but the prefix is different: "{} &&"

/**
 * Indicate whether the JSON output by this view should be prefixed with "{} &&". Default is false.
 * <p>Prefixing the JSON string in this manner is used to help prevent JSON Hijacking.
 * The prefix renders the string syntactically invalid as a script so that it cannot be hijacked.
 * This prefix does not affect the evaluation of JSON, but if JSON validation is performed on the
 * string, the prefix would need to be ignored.
 */
public void setPrefixJson(boolean prefixJson) {
    this.prefixJson = prefixJson;
}

You can relate to this.

Edit 1: From Spring version 4.2.0.RELEASE onwards, the default prefix has been updated to )]}',

Upvotes: 2
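An API consumer can strip the anti-hijacking prefix before parsing instead of treating the body as broken JSON. The following is an added example, not part of the original question or answer: the function names are hypothetical, the two prefixes are the ones quoted on this page, and the sample body is constructed from the response shown in the question.

```javascript
// Added example: consumer-side handling of anti-hijacking JSON prefixes.
// Prefixes as quoted on this page: ")]}'," and the older "{} &&".
const JSON_GUARD_PREFIXES = [")]}',", "{} &&"];

// Constructed sample body, modelled on the response in the question.
const SAMPLE_BODY = `)]}',
{"id":10,"initiator":2,"target":1,"statusId":1,"created":"2018-04-30T14:45:01.173"}`;

// True only if the body parses as JSON without any preprocessing.
function isPlainJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (err) {
    return false;
  }
}

// Strip at most one known guard prefix, then parse strictly.
// Returns which prefix (if any) was removed so callers can log or assert on it.
function parseGuardedJson(body) {
  // Drop a BOM and leading whitespace so the prefix check starts at real content.
  let text = body.replace(/^\uFEFF/, "").trimStart();
  let stripped = null;
  for (const prefix of JSON_GUARD_PREFIXES) {
    if (text.startsWith(prefix)) {
      text = text.slice(prefix.length);
      stripped = prefix;
      break;
    }
  }
  // JSON.parse still throws on anything that is not valid JSON after the
  // prefix, so an unknown or malformed prefix is rejected, not silently eaten.
  return { prefix: stripped, value: JSON.parse(text) };
}
```

Only the exact known prefixes are removed, so a response with unexpected leading bytes still fails to parse rather than being accepted.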
