This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
validate request body objects before parsing as JSON #2438
Labels
security
Security issue: can be an active issue, or related to security hygiene
server wontfix
Closed (without being fixed) because we are discontinuing the server
Milestone
refs APP-INPUTVAL
Nice to have.
To prevent insecure property access where a post body like
{"name":{"toString":"OVERWRITE"}}
handled by code like:
triggers an error.
It'd be good to validate the incoming objects before parsing (e.g. with joi and celebrate).
https://github.com/mozilla-services/pageshot/blob/master/server/src/server.js#L593-L603 is great because it resets the object or throws from the catch block preventing the insecure property access, but we could fail earlier and provide more detailed error messages by validating the object in advance.