1

I have a RESTful API, built in NODE.js that does what you would expect it to: consumes data and then makes it accessible. Currently, data being submitted to my server is nested form data:

data[0][username]=...
data[0][email]=...
data[0][phone]=...
...
data[12][username]=...
data[12][email]=...
data[12][phone]=...

or as a query string

data[0][username]=...&data[0][email]=...&data[0][phone]=...

SO when I parse it on the server, I get a JS array of objects with those particular fields. What I am wondering is, is it safe for me accept a string that I can JSON.parse and the process it?

data=(some stringified json object)

I am unsure if it's possible for malicious code or anything to be included in the JSON object that would blow up my server once run through a parser

Thanks.

rpaskett
  • 166
  • 1
  • 9
  • http://funkatron.com/posts/safely-parsing-json-in-javascript.html **tl;dr**: use safe JSON parsers; avoid using `eval`. – Robert Harvey Apr 02 '14 at 02:38
  • @RobertHarvey, I think the question is what sort of mischief could be expected even if a safe JSON parser is used. – Jeffrey Hantin Apr 02 '14 at 02:56
  • @JeffreyHantin You are correct, but Robert Harvey's answer is more or less exactly what I was looking for. Any additional implications are true for any data interchange system for format. Thank you both. – rpaskett Apr 02 '14 at 03:46

1 Answers1

6

JSON representation can be dense, certainly denser than a flat list of properties, so memory exhaustion and denial of service may be slightly easier.

Other than that, assuming your JSON parser is bulletproof, you're left with basically the same attacks that can be directed at a form-data or query-string based entry point, primarily various kinds of string injection attacks: SQL injection, client JavaScript injection, and so forth.

Jeffrey Hantin
  • 889
  • 5
  • 9