I am getting SUBSCRIPTION_JSON from the client, converting it to a String, and then setting it on a model object using the gson library. When I run the code through Fortify, it reports a JSON injection error on the code below with the following message.

Here is the error:
On line 159 of ActionHelper.java, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity. The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.
Explanation
JSON injection occurs when:
1. Data enters a program from an untrusted source.
In this case the data enters at getString() in **SubscriptionAction.java** at line 355.
2. The data is written to a JSON stream.
In this case the JSON is written by fromJson() in **ActionHelper.java** at line 159.
SubscriptionAction.java

```java
final String subscriptionJson = subscriptionForm.getString(SUBSCRIPTION_JSON);
```

ActionHelper.java

```java
import com.google.gson.Gson;
// commons-lang3 is assumed here; older projects use org.apache.commons.lang.StringUtils
import org.apache.commons.lang3.StringUtils;

// Deserializes the client-supplied JSON string into an instance of the requested class.
public static <T> T jsonToObject(final String jsonString, final Class<T> className) {
    T object = null;
    if (StringUtils.isNotBlank(jsonString)) {
        // Shared Gson instance looked up from the application's bean locator
        final Gson gson = (Gson) BeanLocator.getInstance().getBean(GSON);
        object = gson.fromJson(jsonString, className); // line 159, flagged by Fortify
    }
    return object;
}
```
SUBSCRIPTION_JSON ->

```json
{
  "subscriptions": [{
    "attributeId": "1",
    "items": [{
      "strId": "ALL",
      "nodeType": "G"
    }, {
      "strId": "VO_ENTRY_TIMING_DELAY",
      "nodeType": "L"
    }, {
      "strId": "O_INVALID",
      "nodeType": "L"
    }, {
      "strId": "O_LINE_INVALID",
      "nodeType": "L"
    }, {
      "strId": "V_INVALID",
      "nodeType": "L"
    }, {
      "strId": "V_ADDRESS_INVALID",
      "nodeType": "L"
    }]
  }, {
    "attributeId": "2001",
    "items": [{
      "strId": "OSTBU",
      "nodeType": "L"
    }]
  }]
}
```
The real security concerns with JSON arise in the way that it is used. If misused, JSON-based applications can become vulnerable to attacks such as JSON hijacking and JSON injection.
Server-side JSON injection happens when data from an untrusted source is not sanitized by the server and written directly to a JSON stream. Client-side JSON injection happens when data from an untrusted JSON source is not sanitized and parsed directly using the JavaScript eval function.
You have to sanitize the JSON before converting it to a Java object. This is a tested solution and it removed the Fortify warning.
```xml
<dependency>
    <groupId>com.mikesamuel</groupId>
    <artifactId>json-sanitizer</artifactId>
    <version>1.0</version>
</dependency>
```

```java
import java.util.Map;

import org.apache.http.util.EntityUtils;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.json.JsonSanitizer;

// Read the raw response body as a string
String responseString = EntityUtils.toString(httpResponse.getEntity(), "UTF-8");

// Repair the string into well-formed JSON before it reaches the parser
String wellFormedJson = JsonSanitizer.sanitize(responseString);

// Parse the sanitized text with Jackson
ObjectMapper mapper = new ObjectMapper();
Map map = mapper.readValue(wellFormedJson, Map.class);
```

Hope this helps!
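To show the full chain the question and answer describe, sanitize the client string, parse it into a typed model with Gson (as jsonToObject() does), and then validate the resulting fields before the application uses them, here is an added, self-contained example. It is not the asker's or answerer's code: the model classes (Item, Subscription, SubscriptionRequest), the parseAndValidate() method, the allowlist of node types and the field patterns are assumptions made for this illustration, and the sample inputs are constructed to match the shape of SUBSCRIPTION_JSON from the question. It assumes Gson and json-sanitizer are on the classpath and Java 11 or later.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonSyntaxException;
import com.google.json.JsonSanitizer;
import java.util.List;
import java.util.Set;

public class SubscriptionJsonExample {

    // Typed model (names assumed for this example). Gson drops JSON members that
    // do not map to a field, so unexpected elements never reach application code.
    static final class Item {
        String strId;
        String nodeType;
    }

    static final class Subscription {
        String attributeId;
        List<Item> items;
    }

    static final class SubscriptionRequest {
        List<Subscription> subscriptions;
    }

    // Allowlist derived from the values seen in the question's payload (assumption)
    private static final Set<String> ALLOWED_NODE_TYPES = Set.of("G", "L");
    private static final int MAX_ITEMS = 100;

    // 1) make the text well-formed JSON (the answer's sanitizer step),
    // 2) parse into a typed model rather than a generic Map or eval,
    // 3) validate every field against an allowlist before use.
    static SubscriptionRequest parseAndValidate(String rawJson) {
        if (rawJson == null || rawJson.isBlank()) {
            throw new IllegalArgumentException("empty subscription JSON");
        }
        String wellFormed = JsonSanitizer.sanitize(rawJson);
        Gson gson = new GsonBuilder().create();
        SubscriptionRequest request;
        try {
            request = gson.fromJson(wellFormed, SubscriptionRequest.class);
        } catch (JsonSyntaxException e) {
            throw new IllegalArgumentException("malformed subscription JSON", e);
        }
        if (request == null || request.subscriptions == null) {
            throw new IllegalArgumentException("missing subscriptions array");
        }
        for (Subscription s : request.subscriptions) {
            if (s.attributeId == null || !s.attributeId.matches("\\d{1,10}")) {
                throw new IllegalArgumentException("bad attributeId: " + s.attributeId);
            }
            if (s.items == null || s.items.isEmpty() || s.items.size() > MAX_ITEMS) {
                throw new IllegalArgumentException("bad item count for attributeId " + s.attributeId);
            }
            for (Item item : s.items) {
                if (item.strId == null || !item.strId.matches("[A-Z0-9_]{1,64}")) {
                    throw new IllegalArgumentException("bad strId: " + item.strId);
                }
                if (item.nodeType == null || !ALLOWED_NODE_TYPES.contains(item.nodeType)) {
                    throw new IllegalArgumentException("bad nodeType: " + item.nodeType);
                }
            }
        }
        return request;
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of SUBSCRIPTION_JSON, plus an extra
        // member ("injected") that the typed model silently discards.
        String good = "{\"subscriptions\":[{\"attributeId\":\"1\",\"injected\":true,"
                + "\"items\":[{\"strId\":\"ALL\",\"nodeType\":\"G\"}]}]}";
        SubscriptionRequest ok = parseAndValidate(good);
        System.out.println("accepted, subscriptions=" + ok.subscriptions.size());

        // Constructed sample whose nodeType is outside the allowlist: rejected.
        String bad = "{\"subscriptions\":[{\"attributeId\":\"1\","
                + "\"items\":[{\"strId\":\"ALL\",\"nodeType\":\"X\"}]}]}";
        try {
            parseAndValidate(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

JsonSanitizer only repairs the text into well-formed JSON; it does not know which values your application considers legitimate. The allowlist checks after gson.fromJson() are what stop an unexpected attributeId, strId or nodeType from propagating into business logic, so they belong in the code path regardless of whether the static analyzer is satisfied by the sanitizer call alone.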