validate request body objects before parsing as JSON #2438

g-k · 2017-03-20T23:08:43Z

refs APP-INPUTVAL

Nice to have.

To prevent insecure property access where a post body like {"name":{"toString":"OVERWRITE"}} handled by code like:

var o = {};
try {
   o = JSON.parse(req.body)
} catch (error) {
   // silently
}
o.name + ' ok'

triggers an error.

It'd be good to validate the incoming objects before parsing (e.g. with joi and celebrate.

https://github.com/mozilla-services/pageshot/blob/master/server/src/server.js#L593-L603 is great because it resets the object or throws from the catch block preventing the insecure property access, but we could fail earlier and provide more detailed error messages by validating the object in advance.

The text was updated successfully, but these errors were encountered:

ianb · 2019-02-07T19:21:14Z

This issue is being closed (without being fixed) because we are discontinuing the Screenshots server.

jvehent added the security Security issue: can be an active issue, or related to security hygene label Mar 21, 2017

ghost added this to the Stretch milestone Mar 22, 2017

ianb added the server wontfix Closed (without being fixed) because we are discontinuing the server label Feb 7, 2019

ianb closed this as completed Feb 7, 2019

Provide feedback