Is there any recommended fix for JSON injection?


I received a JSON injection issue when the code goes as:


var val = JsonConvert.DeserializeObject<ModelResponse>(jsonstr);


Is there any recommended fix for that?

I am using JsonValidatingReader and defining a JSON schema to validate the JSON to fix the code, and I still get the same issue:


using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using Newtonsoft.Json;
using Newtonsoft.Json.Schema;

// issue place: Fortify still reports the JSON injection finding on this line
JsonTextReader reader = new JsonTextReader(new StringReader(Regex.Escape(jsonstr)));
JsonValidatingReader validatingReader = new JsonValidatingReader(reader);
validatingReader.Schema = JsonSchema.Parse(schemaJson);

// with a handler attached, schema violations are collected instead of thrown
IList<string> messages = new List<string>();
validatingReader.ValidationEventHandler += (o, a) => messages.Add(a.Message);

JsonSerializer serializer = new JsonSerializer();
var json = serializer.Deserialize<ModelResponse>(validatingReader);


  • Hi,

    There are at least two possible reasons:

    1. It is possible that the SCA rules do not know about the JsonValidatingReader class, so its use has no effect on the analysis result. You can check this with the support team. Although, if the Fortify Priority Order (aka Friority) is the same after applying your fix, surely this library is not known by the SCA rules. To solve this, if you trust this library and trust how JSON Schemas are defined and managed for your app, you can create a Custom Rule telling SCA: when you see JSON input pass through JsonValidatingReader, trust it. It is a Cleanse Rule.

    2. If the SCA rules know about it and trust its functionality, it is still possible that the "Schema" contains all of the target class's attributes and not only those expected in the JSON input. That internally moves the issue from Critical or High Friority to Medium or Low, because a possible flaw exists in the schema and SCA will not trust it. If this is the situation and you trust that the Schema contains only the fields expected in the JSON input and absolutely no more, then you can mark this specific issue as "Not an Issue" or even create the cleanse rule.

    Hope this guides you.

    Best regards.

  • I am facing the same issue. I use Jackson ObjectMapper to convert a JSON string into Map<String, Object>.

    In my project, Jackson ObjectMapper is used in Spring MVC to convert the JSON string to the specified class with the @RequestBody annotation.

    The string is obtained from HttpServletRequest.getInputStream(). Fortify warns me about the untrusted source.

    In this situation, how could I solve the Fortify issue?

  • Perhaps Fortify complains that malicious input will result in populating unexpected member variables of the object. Does Fortify's recommendation mention any other risks?

    The question already pointed to using a schema validator, and the previous answer elaborated on a possible mistake with using a permissive schema.
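The pattern the first answer and the last comment describe, written out as an added example (this is not code from the question, the answers, or the Newtonsoft project): a schema that lists exactly the fields the API accepts and forbids everything else, validation messages checked before the object is used, and serializer settings that refuse unknown members and embedded type names. The members of ModelResponse, the schema and the two input documents are assumed for illustration; the real ModelResponse is not on the page. JsonValidatingReader and JsonSchema in the Newtonsoft.Json assembly are marked obsolete in favour of JSchemaValidatingReader from the separate Newtonsoft.Json.Schema package, but the usage is the same. Note that the input is handed to JsonTextReader unmodified: Regex.Escape rewrites structural characters such as '{' and would turn a valid document into an unparsable one.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Newtonsoft.Json;
using Newtonsoft.Json.Schema;

// Stand-in for the asker's ModelResponse (assumed shape; the original is not on the page).
public class ModelResponse
{
    public string Name { get; set; }
    public int Count { get; set; }
    // A member that exists on the class but must never be set from client JSON.
    public bool IsAdmin { get; set; }
}

public static class StrictJson
{
    // Only the two fields a caller is allowed to send, in the draft-3 style the
    // old JsonSchema class parses. "additionalProperties": false is the part that
    // matters: any property not listed here is a validation error.
    const string SchemaJson = @"{
        ""type"": ""object"",
        ""properties"": {
            ""Name"":  { ""type"": ""string"",  ""required"": true, ""maxLength"": 64 },
            ""Count"": { ""type"": ""integer"", ""required"": true, ""minimum"": 0 }
        },
        ""additionalProperties"": false
    }";

    // Returns the object only if the document satisfied the schema and mapped
    // cleanly onto the type; otherwise null, with the reasons in errors.
    public static ModelResponse Parse(string jsonstr, out IList<string> errors)
    {
        var found = new List<string>();
        errors = found;

        // Raw text straight into the lexer; no pre-escaping of the document.
        using (var reader = new JsonTextReader(new StringReader(jsonstr)))
        using (var validatingReader = new JsonValidatingReader(reader))
        {
            validatingReader.Schema = JsonSchema.Parse(SchemaJson);
            // With a handler attached the reader reports violations instead of
            // throwing, so the list must be checked before the result is trusted.
            validatingReader.ValidationEventHandler += (o, a) => found.Add(a.Message);

            var serializer = new JsonSerializer
            {
                // Second line of defence: a property the type does not declare
                // fails deserialization even if the schema is loosened later.
                MissingMemberHandling = MissingMemberHandling.Error,
                // Never let the document choose which CLR type gets instantiated.
                TypeNameHandling = TypeNameHandling.None
            };

            ModelResponse result;
            try
            {
                result = serializer.Deserialize<ModelResponse>(validatingReader);
            }
            catch (JsonException ex)
            {
                found.Add(ex.Message);
                return null;
            }

            // Reject the whole document on any schema error: a partially valid
            // object is exactly what an injected field would produce.
            return found.Count == 0 ? result : null;
        }
    }

    public static void Main()
    {
        // Constructed inputs: one benign, one smuggling a field the class has
        // but the API does not accept.
        string good = @"{ ""Name"": ""alice"", ""Count"": 3 }";
        string bad  = @"{ ""Name"": ""alice"", ""Count"": 3, ""IsAdmin"": true }";

        IList<string> errors;
        var accepted = Parse(good, out errors);
        Console.WriteLine(accepted != null ? "accepted: " + accepted.Name : "rejected");

        var rejected = Parse(bad, out errors);
        Console.WriteLine(rejected == null
            ? "rejected: " + string.Join("; ", errors)
            : "accepted an unexpected field");
    }
}
```

The second document is caught by the schema, not by MissingMemberHandling, because IsAdmin is a real member of the type; that is why the answer insists the schema list only the fields the input is expected to carry rather than mirroring the class. None of this by itself changes what Fortify reports, but it is what makes a cleanse rule or a "Not an Issue" audit decision defensible.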