
We are building an API Framework in PHP (Hacklang) and will be using json-schema from OPIS to implement validation of JSON input in the request body.

OWASP recommends implementing minimum and maximum value range checks for numerical parameters - Link

But it looks like json-schema cannot perform validations on JSON-encoded strings (raw input to the API) - https://opis.io/json-schema/2.x/php-validator.html


By first deserialising the input, I think we lose many of the benefits that schema validation provides. For example, if the maxItems of an array field in the validation schema is 1 but the client provides a billion items, we would be deserialising everything only to throw an exception later.

Is there a way to perform validation without/while deserialising the raw input? How are open source API Frameworks handling this concern?

Brian Tompsett - 汤莱恩
  • You could restrict the maximum size of the JSON string before using `json_decode()`. – KIKO Software Aug 09 '23 at 10:39
  • Do you want to validate if it's a valid JSON? or do you want to Validate the content of JSON? – Vaso Gamdelidze Aug 09 '23 at 11:55
  • @VasoGamdelidze We want to do both. – Naveen Santhanavel Aug 09 '23 at 12:02
  • @KIKOSoftware That's a good idea. I feel there could be performance improvements in doing validation as a part of deserialisation. (We could terminate early in case of errors) – Naveen Santhanavel Aug 09 '23 at 12:03
  • From PHP 8.3, we would have a new function, json_validate, which can detect if JSON is valid. And another part of validating json string before decoding could decrease your performance. You can take a look at this repo. Maybe it can give some new ideas. https://github.com/halaxa/json-machine – Vaso Gamdelidze Aug 09 '23 at 12:13
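The guard chain the comments point at (a byte cap before `json_decode()`, depth-limited decoding, `json_validate()` where PHP 8.3 is available, and only then the opis/json-schema validator on the decoded value), written as an added PHP example that is not from the question or from the opis project; `decodeBounded()`, the limits, the schema and the request bodies are constructed for illustration.

```php
<?php
declare(strict_types=1);

use Opis\JsonSchema\Validator;

// Guard chain ordered by cost: cheap size/depth bounds on the raw body first,
// the schema only on the decoded value. The limits passed in are constructed.
function decodeBounded(string $raw, int $maxBytes, int $maxDepth): mixed
{
    // Reject oversized bodies before the parser touches them at all.
    if (strlen($raw) > $maxBytes) {
        throw new LengthException("body exceeds {$maxBytes} bytes");
    }
    // PHP 8.3+: syntax and depth check without building the object graph.
    if (function_exists('json_validate') && !json_validate($raw, $maxDepth)) {
        throw new JsonException('malformed JSON or nesting too deep');
    }
    // Objects must decode to stdClass (not assoc arrays) for opis/json-schema;
    // the depth limit plus JSON_THROW_ON_ERROR turns overflow into an exception.
    return json_decode($raw, false, $maxDepth, JSON_THROW_ON_ERROR);
}

// Constructed schema: the maxItems constraint from the question plus a numeric
// range check. It can only run after decoding, but the byte cap above already
// bounds how many items a body can carry.
$schema = json_decode('{"type":"object","required":["ids"],"additionalProperties":false,
    "properties":{"ids":{"type":"array","maxItems":1,
        "items":{"type":"integer","minimum":1,"maximum":1000}}}}');
$validator = new Validator();

// Constructed bodies: valid, over maxItems, nested too deep, over the byte cap.
$bodies = [
    '{"ids":[7]}',
    '{"ids":[1,2]}',
    '{"ids":' . str_repeat('[', 64) . str_repeat(']', 64) . '}',
    '{"ids":[' . implode(',', array_fill(0, 1000, '1')) . ']}',
];
foreach ($bodies as $raw) {
    try {
        $result = $validator->validate(decodeBounded($raw, 512, 16), $schema);
        echo $result->isValid() ? "valid\n" : "schema: {$result->error()->keyword()} failed\n";
    } catch (LengthException | JsonException $e) {
        echo "rejected before schema: {$e->getMessage()}\n";
    }
}
```

The maxItems check still needs the decoded value, but the byte cap bounds the worst case: a body of at most N bytes cannot hold more than roughly N/2 array elements, so the billion-item case never reaches `json_decode()`.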

0 Answers