VIJAYKUMAR SUBRAMANI

Reputation: 53

Why is JsonSanitizer not working for JSON injection?

A security tool is complaining about JSON injection when deserializing the JSON string into a Java model. My application has been using Jackson for serialization/deserialization. I read that Jackson does default escaping and so on, and referenced material on the internet to fix this issue.

As far as I found out, there were two options for handling this issue.

  1. Schema validation: the JSON needs to be validated against a schema, and input fields need to be validated against patterns, etc., before deserialization happens.

  2. Use JsonSanitizer: sanitize the JSON string into well-formed JSON.

We went with option 2, because our application cannot validate the JSON against a schema, since there are more than 200 APIs in the application.

JsonSanitizer does not help us. Below is the piece of code showing what we tried to fix this issue.

Our application uses this method for all APIs and cannot perform schema validation.

Is there any other solution to get rid of the JSON injection issue?

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.json.JsonSanitizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Enclosing class name and the slf4j logger are assumed; the post only shows the method.
public class JsonUtil {
    private static final Logger logger = LoggerFactory.getLogger(JsonUtil.class);
    private final ObjectMapper objectMapper = new ObjectMapper();

    public <T> T jsonToBean(Class<T> cls, String json) {
        try {
            String sanitizedJson = json;
            // Only run the sanitizer on input that looks like a JSON object or array
            if (json.trim().startsWith("{") || json.trim().startsWith("[")) {
                sanitizedJson = JsonSanitizer.sanitize(json);
            }
            return objectMapper.readValue(sanitizedJson, cls);
        } catch (Exception e) {
            // Log the cause as well; the original swallowed it
            logger.error("Deserialization fails", e);
        }
        return null;
    }
}
```

Upvotes: 1

Views: 1068
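The following is an added example, not code from the question or from any answer on this page. It shows why JsonSanitizer does not address the finding: it only turns a string into well-formed JSON (and makes it safe to embed in a script tag); it has no idea which values the target model accepts. The alternative shown here does not need a JSON schema per endpoint: a single strict Jackson mapper plus Bean Validation constraints on the model classes, which one shared jsonToBean can apply for every API. The class and field names, the CreateUserRequest model and its constraints are hypothetical, and the code assumes jackson-databind, json-sanitizer and a Bean Validation implementation (hibernate-validator with jakarta.validation) on the classpath.

```java
import java.util.Set;
import java.util.stream.Collectors;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.json.JsonSanitizer;

import jakarta.validation.ConstraintViolation;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import jakarta.validation.constraints.Max;
import jakarta.validation.constraints.Min;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Pattern;

// Hypothetical class; not part of the original post.
public class StrictJsonToBean {

    // One strict mapper shared by every API: reject unknown fields, trailing garbage and
    // nulls for primitives, and never call activateDefaultTyping (polymorphic typing is
    // the classic Jackson deserialization attack surface).
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
            .enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS)
            .enable(DeserializationFeature.FAIL_ON_NULL_FOR_PRIMITIVES);

    // One Bean Validation validator shared by every API; the constraints live on the models,
    // so no per-endpoint schema file is needed.
    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    // Hypothetical request model: the annotations are this endpoint's "schema".
    public static class CreateUserRequest {
        @NotNull
        @Pattern(regexp = "^[A-Za-z0-9_]{3,32}$")
        public String username;

        @Min(0)
        @Max(150)
        public int age;
    }

    /** Parse with strict syntax, then validate the resulting bean; throws on any failure. */
    public static <T> T jsonToBean(Class<T> cls, String json) throws Exception {
        // Jackson's default parser already rejects comments, single quotes and unquoted keys.
        T bean = MAPPER.readValue(json, cls);
        Set<ConstraintViolation<T>> violations = VALIDATOR.validate(bean);
        if (!violations.isEmpty()) {
            String msg = violations.stream()
                    .map(v -> v.getPropertyPath() + " " + v.getMessage())
                    .collect(Collectors.joining("; "));
            throw new IllegalArgumentException("Invalid request: " + msg);
        }
        return bean;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for illustration.
        String malformed = "{username: 'alice', age: 30,}";                       // not JSON
        String hostile   = "{\"username\": \"<script>x</script>\", \"age\": 30}"; // valid JSON, bad value
        String good      = "{\"username\": \"alice\", \"age\": 30}";

        // JsonSanitizer repairs syntax only: both strings come back as well-formed JSON,
        // and nothing about the sanitizer knows that "<script>x</script>" is not a username.
        System.out.println("sanitized: " + JsonSanitizer.sanitize(malformed));
        System.out.println("sanitized: " + JsonSanitizer.sanitize(hostile));

        // The strict mapper rejects the malformed string outright ...
        try {
            jsonToBean(CreateUserRequest.class, malformed);
        } catch (Exception e) {
            System.out.println("rejected (syntax): " + e.getMessage());
        }

        // ... and Bean Validation rejects the hostile value that parses fine as JSON.
        try {
            jsonToBean(CreateUserRequest.class, hostile);
        } catch (Exception e) {
            System.out.println("rejected (value): " + e.getMessage());
        }

        // Well-formed and within the constraints: accepted.
        CreateUserRequest ok = jsonToBean(CreateUserRequest.class, good);
        System.out.println("accepted: " + ok.username + ", age " + ok.age);
    }
}
```

The sanitizer step from the question is deliberately absent: a request that is not well-formed JSON should be rejected with a 400, not repaired and then trusted. If a static-analysis tool still flags the readValue call, the fix it is looking for is the validation of the deserialized fields, which this single method performs for every model that carries constraints.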

Answers (0)
