I have the following Fortify security issue:

JSON Injection: Ensure that all serialization is performed using a safe serialization function that delimits untrusted data within single or double quotes and escapes any special characters.

Below is my code:

    import java.io.IOException;
    import java.sql.SQLException;
    import java.util.List;

    // Jackson 1.x imports, matching the org.codehaus package used further below
    import org.codehaus.jackson.JsonParseException;
    import org.codehaus.jackson.map.JsonMappingException;
    import org.codehaus.jackson.map.ObjectMapper;
    import org.codehaus.jackson.type.TypeReference;

    // Deserializes the incoming JSON array into item objects and hands them to the
    // overload saveJson(List<item>, long, String), which is not shown here.
    public String saveJson(String json, long ID, String userId)
            throws SQLException, JsonParseException, JsonMappingException, IOException {

        ObjectMapper objectMapper = new ObjectMapper();

        List<item> listOfNewItems = objectMapper.readValue(json, new TypeReference<List<item>>() {});
        userId = userFactory.getUser().getID();
        String message = saveJson(listOfNewItems, ID, userId);

        return message;
    }

I am trying to maybe use

    org.codehaus.jackson.io.JsonStringEncoder.getInstance().quoteAsString(json);

or maybe

    objectMapper.configure(JsonGenerator.Feature.QUOTE_FIELD_NAMES, false);
    objectMapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true);

but not sure?

More details on the error:

writes unvalidated input into JSON

Any ideas?

user8507628
  • The issue description you posted talks about serialization, but the code you posted actually performs DEserialization. Are you asking for help with serialization or deserialization? – Mikael Gueck Jun 14 '18 at 00:39
  • Maybe you need to sanitize the JSON string before deserializing it? There's a [json sanitizer](https://github.com/owasp/json-sanitizer) by [OWASP](https://www.owasp.org/index.php/Main_Page) that looks like it's fit for purpose. [Here's a short discussion](https://stackoverflow.com/questions/29791629/how-to-use-json-sanitizer-at-server-side) of it from a few years back. If you need field-by-field processing, you're probably looking at custom (de)serialization. [This might be a start.](http://www.baeldung.com/jackson-object-mapper-tutorial) – DavidW Jun 15 '18 at 20:39
  • 3
    Can you provide an example of json which does not use the specialized serialization function and another version of secure json which used the specialized serialization function. Default ObjectMapper should handle your requirement. Why change the configuration? – gagan singh Jun 16 '18 at 16:43

1 Answer

The comments so far from mikaelhg and gagan singh are correct:

  1. Jackson ObjectMapper on its default settings will already "Ensure that all serialization is performed using a safe serialization function that delimits untrusted data within single or double quotes and escapes any special characters."

  2. The code you have shown is deserialization, not serialization (and/or is broken or incorrectly copied)

Rich
  • Thank you Rich. The quoted text in your first point is exactly what I was looking for. – Fopedush Jun 18 '18 at 18:39
  • (I quoted that from your question) – Rich Jun 18 '18 at 20:26
  • Hah, so you did. Does the ObjectMapper documentation state this fact in a simple, straightforward way as in the quoted text? – Fopedush Jun 18 '18 at 20:29
  • I doubt it is stated directly, as I think it is self-evident from the design goals. The library would not be able to "round trip" arbitrary strings from Java -> JSON -> Java if it did not do escaping properly. – Rich Jun 18 '18 at 20:52
  • I had a look in the Jackson docs and couldn't find any similar statement. I think the authors just consider it self-evident. Searching for things like "does jackson json escape strings" gave blog posts like http://javausecase.com/2017/02/22/are-escaping-special-characters-in-json-string-required/ – Rich Jun 18 '18 at 20:54
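Added example (not from the question or the answer), assuming Jackson 2.x under com.fasterxml.jackson; the same behaviour holds for the 1.x org.codehaus package the question references. A constructed quote-breaking value is written into a JSON document once by string concatenation and once through ObjectMapper, and both documents are read back so you can see in which one the injected field survives. This is the serialization side that the Fortify message is about; the readValue calls are the deserialization the question's code actually performs.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.LinkedHashMap;
import java.util.Map;

public class JsonInjectionDemo {

    // Constructed untrusted input: closes the string it is placed in and
    // appends a field of its own (the shape JSON injection relies on).
    static final String UNTRUSTED_NAME = "alice\", \"role\": \"admin";

    // Vulnerable: the document is built by concatenation, so the quote inside
    // the input is not escaped and the input can add its own "role" field.
    static String buildByConcatenation(String name) {
        return "{\"role\": \"user\", \"name\": \"" + name + "\"}";
    }

    // Safe: ObjectMapper emits the value through its own string encoder, which
    // quotes it and escapes '"', '\\' and control characters, so the input
    // stays a single string value no matter what it contains.
    static String buildWithObjectMapper(ObjectMapper mapper, String name) throws Exception {
        Map<String, String> doc = new LinkedHashMap<>();
        doc.put("role", "user");
        doc.put("name", name);
        return mapper.writeValueAsString(doc);
    }

    static Map<String, String> parse(ObjectMapper mapper, String json) throws Exception {
        // With Jackson's default settings a duplicated key is accepted and the
        // last occurrence wins, which is how the injected "role" takes effect.
        return mapper.readValue(json, new TypeReference<Map<String, String>>() {});
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        String unsafe = buildByConcatenation(UNTRUSTED_NAME);
        System.out.println("concatenated : " + unsafe);
        System.out.println("role seen    : " + parse(mapper, unsafe).get("role"));

        String safe = buildWithObjectMapper(mapper, UNTRUSTED_NAME);
        Map<String, String> back = parse(mapper, safe);
        System.out.println("ObjectMapper : " + safe);
        System.out.println("role seen    : " + back.get("role"));
        // Round trip: the escaped name comes back exactly as it went in.
        System.out.println("name intact  : " + UNTRUSTED_NAME.equals(back.get("name")));
    }
}
```

Run it with jackson-databind on the classpath; the concatenated document reports the injected role while the ObjectMapper document keeps "user" and returns the original name unchanged.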