Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it safe to call json_decode on user input?

I'm storing a JSON encoded array of integer indexes => integer values in a cookie.

Obviously cookies can be easily manipulated like any other user input, so here's my cookie getter validation:

if ($_COOKIE['myCookie']) { //if cookie exists     $myCookie = json_decode($_COOKIE['myCookie'], true);     if (!is_array($myCookie)) { //in case decoding fails or bad cookie         $myCookie = array(); //sets it as empty array     } } else { //if cookie doesn't exist, uses an empty array instead     $myCookie = array(); } 

Then before using any of the values, I check if it exists in the array and test against a list of white-listed values - this part seems pretty safe but I'm posting it as it's part of the validation:

if (!empty($myCookie[$index])) { //checks if index exists and is truthy     if ($myCookie[$index] !== 1 && $myCookie[$index] !== 2) { //values whitelist         die('Hacking attempt through cookies exploit.');     }     //use the cookie data now } 

Back to the question, is it safe to call json_decode directly on the cookie? Can users manipulate the cookie to run arbitrary code?

I've been reading around many topics on SO so far and what I found is that unserialize() is dimmed unsafe because it calls constructors, but json_decode is technically safe. I've read through their php.net pages but those do not address security directly.

My addon is reaching the live beta very soon, so I'm wondering if calling json_decode directly on the cookie is safe enough or if I should run some type of validation before calling json_decode. I could run a preg_match too, but as I'm testing against a whitelist of values before using them, there should be no problem unless json_decode somehow runs arbitrary code, which it doesn't, right?

I know that json_encode returns NULL if it's not valid JSON, but I'm wondering if this is the right approach or should I add some kind of validation before calling json_decode?

Sorry if this is too stupid of a question, I just have very little experience with cookies/JSON and wouldn't like to be the one blamed for having our server's database dropped. Any help/info is appreciated. =]

like image 658
Fabrício Matté Avatar asked Sep 06 '12 02:09

Fabrício Matté


People also ask

What does json_decode return?

The json_decode() function can return a value encoded in JSON in appropriate PHP type. The values true, false, and null is returned as TRUE, FALSE, and NULL respectively. The NULL is returned if JSON can't be decoded or if the encoded data is deeper than the recursion limit.

What is the use of json_decode?

The json_decode() function is used to decode or convert a JSON object to a PHP object.

Does json_decode return array?

json - json_decode does not return array in php - Stack Overflow. Stack Overflow for Teams – Start collaborating and sharing organizational knowledge.

Is JSON a string PHP?

JSON (JavaScript Object Notation) can be made in to a PHP object using json_decode. If the return is not an object, the string we gave is not JSON. This is the principal of Method 1 function.


2 Answers

Using json_decode to decode the user input directly has no security problem.

It is just string parsing, won't do any string eval.

json_decode in php is like JSON.parse in javascript, and both of them could be used directly on the user input, they are safe at the decoding time.

But after being decoded, you have to validate the data for your requirement.

like image 81
xdazz Avatar answered Sep 28 '22 12:09

xdazz


Insomuch as json_decode is correctly implemented, it should be safe to just use without extra pre-processing (in fact, that might be worse, given that you might have bugs in your pre-processor).

like image 32
Hamish Avatar answered Sep 28 '22 11:09

Hamish