Cadet 1st Class

Is there any recommended fix for JSON injection?

Hi

I received a JSON injection issue when the code goes as:

var val = JsonConvert.DeserializeObject<ModelResponse>(jsonstr);

 

Is there any recommended fix for that?

I am using JsonValidatingReader and defining a JSON schema to validate the JSON in order to fix the code, and still get the same issue:

using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using Newtonsoft.Json;
using Newtonsoft.Json.Schema;

// issue place: Fortify still reports the JSON injection finding on this line.
// Note that Regex.Escape escapes regex metacharacters (braces, whitespace, ...); it is not JSON-aware.
JsonTextReader reader = new JsonTextReader(new StringReader(Regex.Escape(jsonstr)));
JsonValidatingReader validatingReader = new JsonValidatingReader(reader);
validatingReader.Schema = JsonSchema.Parse(schemaJson);

// With a handler attached the reader reports violations instead of throwing on the first one
IList<string> messages = new List<string>();
validatingReader.ValidationEventHandler += (o, a) => messages.Add(a.Message);

JsonSerializer serializer = new JsonSerializer();
var json = serializer.Deserialize<ModelResponse>(validatingReader);

// Do not trust the result while any schema violation was recorded
if (messages.Count > 0)
    throw new JsonSchemaException(string.Join("; ", messages));

Commodore

Hi @allencpp,

There are at least two possible reasons:

1. It is possible that the SCA rules do not know about the JsonValidatingReader class, so its use has no effect on the analysis result. You can check this with the support team. Although, if the Fortify Priority Order (aka Friority) is the same after applying your fix, surely this library is not known by the SCA rules. To solve this, if you trust this library and trust how the JSON schemas are defined and managed for your app, you can create a custom rule telling SCA: when you see that JSON input passes through JsonValidatingReader, trust it. That is a Cleanse Rule.

2. If the SCA rules do know about it and trust its functionality, it is still possible that the "Schema" contains all of the target class's attributes and not only those expected in the JSON input. That internally moves the issue from Critical or High Friority to Medium or Low, because a possible flaw exists in the schema and SCA will not trust it. If this is the situation and you trust that the schema contains only the fields expected in the JSON input and absolutely no more fields, then you can mark this specific issue as "Not an Issue" or even create the cleanse rule.

Hope this guides you.

Best regards.

Cadet 3rd Class

I am facing the same issue. I use Jackson ObjectMapper to convert a JSON String into Map<String, Object>.

In my project, Jackson ObjectMapper is used in Spring MVC to convert a JSON String to a specified class with the annotation @RequestBody.

The String is obtained from HttpServletRequest.getInputStream(). Fortify warns me about the untrusted source.

In this situation, how could I solve the Fortify issue?

Vice Admiral

Perhaps Fortify complains that malicious input will result in populating unexpected member variables of the object. Does Fortify's recommendation mention any other risks?

The question already pointed to using a schema validator and the previous answer elaborated on a possible mistake with using a permissive schema.

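Worked example of the strict-schema point made in the first reply (point 2, a schema that lists only the expected fields) and of the "unexpected member variables" risk raised in the last reply. This is added here as an illustration; it is not code from any of the posters. It keeps the question's Newtonsoft stack (the built-in JsonSchema/JsonValidatingReader, which newer Newtonsoft versions mark obsolete but still ship) and assumes a hypothetical ModelResponse with an "id" and a "name" field plus an IsAdmin member that input must never be able to set. The schema names only the expected fields and forbids any others, the target type opts members in explicitly, and the serializer is told to error on unknown members rather than ignore them. Whether Fortify credits this as a cleanse still depends on its rules knowing JsonValidatingReader, as the first reply explains.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Newtonsoft.Json;
using Newtonsoft.Json.Schema; // built-in (obsolete) JsonSchema / JsonSchemaException, as used in the question

// Hypothetical stand-in for the question's ModelResponse (assumption, not the poster's type).
// MemberSerialization.OptIn: only members carrying [JsonProperty] can be populated from JSON,
// so a sensitive member that is not opted in cannot be set by input at all.
[JsonObject(MemberSerialization.OptIn)]
public class ModelResponse
{
    [JsonProperty("id", Required = Required.Always)]
    public int Id { get; set; }

    [JsonProperty("name", Required = Required.Always)]
    public string Name { get; set; }

    // Deliberately not opted in: application code sets this, never the JSON input.
    public bool IsAdmin { get; set; }
}

public static class StrictJson
{
    // The schema lists exactly the fields the input is expected to carry and nothing else.
    // The built-in validator implements JSON Schema draft 3, hence "required": true per property.
    // Single-quoted strings are accepted by Newtonsoft's reader and keep the C# literal readable.
    const string SchemaJson = @"{
      'type': 'object',
      'properties': {
        'id':   { 'type': 'integer', 'required': true },
        'name': { 'type': 'string',  'required': true, 'maxLength': 64 }
      },
      'additionalProperties': false
    }";

    public static ModelResponse Parse(string jsonstr)
    {
        var messages = new List<string>();
        using (var reader = new JsonTextReader(new StringReader(jsonstr)))
        using (var validatingReader = new JsonValidatingReader(reader))
        {
            validatingReader.Schema = JsonSchema.Parse(SchemaJson);
            // With a handler attached the reader records violations instead of throwing immediately.
            validatingReader.ValidationEventHandler += (o, a) => messages.Add(a.Message);

            var serializer = new JsonSerializer
            {
                // Second line of defence: a JSON member with no matching target member is an error,
                // not something silently dropped.
                MissingMemberHandling = MissingMemberHandling.Error
            };
            var result = serializer.Deserialize<ModelResponse>(validatingReader);

            // The recorded violations must be checked before the object is trusted.
            if (messages.Count > 0)
                throw new JsonSchemaException("Input rejected: " + string.Join("; ", messages));
            return result;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs: one well-formed, one trying to smuggle in a field the schema
        // does not allow (and which the target type does not opt in).
        Console.WriteLine(Parse("{\"id\": 1, \"name\": \"alice\"}").Name);
        try
        {
            Parse("{\"id\": 1, \"name\": \"alice\", \"IsAdmin\": true}");
        }
        catch (JsonException e) // JsonSchemaException and JsonSerializationException both derive from it
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The second input is rejected twice over: the validating reader records that "IsAdmin" is not defined and additional properties are not allowed, and the serializer refuses the unknown member. Either check alone would do; keeping both means a permissive schema (the mistake the first reply warns about) does not silently reopen the hole.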