Fortify error on JSON Injection in Java
I am getting SUBSCRIPTION_JSON from the client, which I convert to a String and then set on a Model Object using the gson library. On running the code through Fortify security, it gives me a JSON injection error on the code below with the following message:

Here is the error :

On line 159 of ActionHelper.java, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity. The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.

Explanation
JSON injection occurs when:

1. Data enters a program from an untrusted source.

In this case the data enters at getString() in **SubscriptionAction.java** at line 355.


2. The data is written to a JSON stream.

In this case the JSON is written by fromJson() in **ActionHelper.java** at line 159.

SubscriptionAction.java

final String subscriptionJson = subscriptionForm.getString(SUBSCRIPTION_JSON);

ActionHelper.java

public static <T> T jsonToObject(final String jsonString, final Class<T> className) {
    T object = null;
    if (StringUtils.isNotBlank(jsonString)) {
        final Gson gson = (Gson) BeanLocator.getInstance().getBean(GSON);
        // Line 159 in the original file: the fromJson() call Fortify reports as the sink
        object = gson.fromJson(jsonString, className);
    }
    return object;
}

SUBSCRIPTION_JSON ->

{
    "subscriptions": [{
        "attributeId": "1",
        "items": [{
            "strId": "ALL",
            "nodeType": "G"
        }, {
            "strId": "VO_ENTRY_TIMING_DELAY",
            "nodeType": "L"
        }, {
            "strId": "O_INVALID",
            "nodeType": "L"
        }, {
            "strId": "O_LINE_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_ADDRESS_INVALID",
            "nodeType": "L"
        }]
    }, {
        "attributeId": "2001",
        "items": [{
            "strId": "OSTBU",
            "nodeType": "L"
        }]
    }]
}
Barnacle answered 12/4, 2018 at 15:12 Comment(0)
-4

You must validate the JSON received to be sure it contains exactly the expected content before setting it on the Model Object. You can implement a validator that checks the JSON against the patterns of fields/format expected, for example.

Bulbar answered 18/4, 2018 at 14:51 Comment(7)
How can I do so? I am facing the same issue.Palatalized
@BenCheng you can implement a validator before consuming the string. Like in the example above, it tests if the string is different than null. There you can implement the validator to be sure the json contains the right keys expected. Besides, you also should think about how you know the contents are coming from a trusted source (like, in this environment, who can send this guy a random json for me?).Bulbar
@Ben Cheng, how did you fix the issue at last? I encountered the same issue as well.Fireman
@Fireman I did not fix this issue. ><". Just pending.Palatalized
I registered a custom deserializer to check for duplicate keys, yet the issue still persists. I think Fortify cannot tell if I have validated the json using my custom deserializer.Fireman
then how to make a fix for thisUnqualified
I am facing the same issue. This answer doesn't help to resolve the fortify issueAmerigo
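One concrete form of the validator this answer describes, added here as an example and not code from the answer or the asker's project: the raw string is parsed into a Gson tree and checked against an allow-list of exactly the keys, value types and value formats seen in the question's SUBSCRIPTION_JSON sample, and only the checked tree is handed to fromJson(). The class name, the regular expressions for attributeId and strId, the G/L nodeType set and the size limit are assumptions drawn from that sample. As the comments above report, a check of this kind does not by itself clear the Fortify finding; it does, however, stop a payload with unexpected structure from ever reaching the model.

```java
import java.util.Set;
import java.util.regex.Pattern;

import com.google.gson.Gson;
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;

/**
 * Added example, not from the original post: an allow-list check of the subscription
 * JSON's structure before Gson maps it. The expected shape follows the SUBSCRIPTION_JSON
 * sample in the question; class name, field patterns and size limit are assumptions.
 */
public final class SubscriptionJsonValidator {

    private static final Set<String> ROOT_KEYS = Set.of("subscriptions");
    private static final Set<String> SUBSCRIPTION_KEYS = Set.of("attributeId", "items");
    private static final Set<String> ITEM_KEYS = Set.of("strId", "nodeType");
    // Assumed value formats: numeric attributeId, upper-case identifier strId, nodeType G or L.
    private static final Pattern ATTRIBUTE_ID = Pattern.compile("\\d{1,10}");
    private static final Pattern STR_ID = Pattern.compile("[A-Z][A-Z0-9_]{0,63}");
    private static final Pattern NODE_TYPE = Pattern.compile("[GL]");
    private static final int MAX_LENGTH = 64 * 1024; // reject oversized payloads before parsing

    /** Returns the parsed tree if it has exactly the expected shape; throws otherwise. */
    public static JsonObject validate(String jsonString) {
        if (jsonString == null || jsonString.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("subscription JSON missing or too large");
        }
        JsonElement root;
        try {
            root = JsonParser.parseString(jsonString); // Gson 2.8.6 or newer
        } catch (JsonParseException e) {
            throw new IllegalArgumentException("subscription JSON is not well-formed", e);
        }
        JsonObject rootObj = requireObject(root, ROOT_KEYS, "root");
        for (JsonElement sub : requireArray(rootObj.get("subscriptions"), "subscriptions")) {
            JsonObject subObj = requireObject(sub, SUBSCRIPTION_KEYS, "subscription");
            requireMatch(subObj.get("attributeId"), ATTRIBUTE_ID, "attributeId");
            for (JsonElement item : requireArray(subObj.get("items"), "items")) {
                JsonObject itemObj = requireObject(item, ITEM_KEYS, "item");
                requireMatch(itemObj.get("strId"), STR_ID, "strId");
                requireMatch(itemObj.get("nodeType"), NODE_TYPE, "nodeType");
            }
        }
        return rootObj;
    }

    /** Validate first, then map the checked tree instead of the raw string. */
    public static <T> T validateAndConvert(Gson gson, String jsonString, Class<T> type) {
        return gson.fromJson(validate(jsonString), type);
    }

    // Exact key-set comparison: unexpected extra keys are rejected, not silently ignored.
    private static JsonObject requireObject(JsonElement e, Set<String> keys, String what) {
        if (e == null || !e.isJsonObject()) {
            throw new IllegalArgumentException(what + " must be an object");
        }
        JsonObject obj = e.getAsJsonObject();
        if (!obj.keySet().equals(keys)) {
            throw new IllegalArgumentException(what + " has unexpected keys: " + obj.keySet());
        }
        return obj;
    }

    private static JsonArray requireArray(JsonElement e, String what) {
        if (e == null || !e.isJsonArray()) {
            throw new IllegalArgumentException(what + " must be an array");
        }
        return e.getAsJsonArray();
    }

    // Only JSON strings are accepted here; numbers, booleans, null and nested values fail.
    private static void requireMatch(JsonElement e, Pattern p, String what) {
        if (e == null || !e.isJsonPrimitive() || !e.getAsJsonPrimitive().isString()
                || !p.matcher(e.getAsString()).matches()) {
            throw new IllegalArgumentException(what + " has an unexpected value");
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the first mirrors the question's sample; the second carries an
        // undeclared key and an unknown nodeType and is rejected.
        String good = "{\"subscriptions\":[{\"attributeId\":\"1\",\"items\":[{\"strId\":\"ALL\",\"nodeType\":\"G\"}]}]}";
        String bad = "{\"subscriptions\":[{\"attributeId\":\"1\",\"items\":[{\"strId\":\"ALL\",\"nodeType\":\"X\",\"extra\":1}]}]}";
        System.out.println(validate(good).getAsJsonArray("subscriptions").size());
        try {
            validate(bad);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The exact key-set comparison is the part worth keeping even if the field patterns are relaxed: Gson's fromJson() silently drops properties the model class does not declare, so without it an unexpected key in the payload would never be noticed. Calling fromJson() with the JsonElement rather than the original string also keeps the parse-then-check-then-map order visible in the code.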
6

You have to sanitize the JSON before converting it to a Java object. This is a tested solution and it removed this Fortify warning.

<dependency>
        <groupId>com.mikesamuel</groupId>
        <artifactId>json-sanitizer</artifactId>
        <version>1.0</version>
</dependency>

// Jackson ObjectMapper and Apache HttpClient EntityUtils, as in the original snippet
ObjectMapper mapper = new ObjectMapper();
String responseString = EntityUtils.toString(httpResponse.getEntity(), "UTF-8");
// Sanitize the raw text first, then parse only the sanitized string
String wellFormedJson = com.google.json.JsonSanitizer.sanitize(responseString);
Map map = mapper.readValue(wellFormedJson, Map.class);

Hope this helps..!!
Stavanger answered 4/7, 2019 at 7:37 Comment(0)
0

1) Use "JsonSanitizer.sanitize(string)". (Here the parameter to the sanitize method is your JSON input)

2) To use JsonSanitizer, the dependency can be added as below in pom.xml:

<dependency>
    <groupId>com.mikesamuel</groupId>
    <artifactId>json-sanitizer</artifactId>
    <version>1.2.0</version>
</dependency>
Bureaucratic answered 11/4, 2019 at 13:33 Comment(0)
-1

I encountered the same issue. You need to sanitize the JSON data; by using json-sanitizer you can achieve it.

Add this dependency in your project

<dependency>

</dependency>

Add this line to your code

String newsanitizestring = JsonSanitizer.sanitize(passyourjsondatahere);

Now use the string newsanitizestring

Duma answered 21/2, 2020 at 5:58 Comment(0)
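The three answers above (the Jackson snippet, the pom.xml entry and the one-line sanitize() call) all describe the same step: run json-sanitizer over the raw value before any parser sees it. The block below is an added example, not code from those answers or from the json-sanitizer project, and it uses Gson as in the question rather than Jackson; it assumes the json-sanitizer dependency shown above is on the classpath. The class name and the sample input are constructed.

```java
import com.google.gson.Gson;
import com.google.gson.JsonObject;
import com.google.json.JsonSanitizer;

/**
 * Added example, not from the original answers: json-sanitizer applied to the raw
 * request value before Gson maps it. The class name and inputs are constructed.
 */
public final class SanitizedJsonMapper {

    private static final Gson GSON = new Gson();

    /** Sanitize first; only the sanitized string ever reaches the parser. */
    public static <T> T toObject(String untrustedJson, Class<T> type) {
        if (untrustedJson == null || untrustedJson.trim().isEmpty()) {
            return null;
        }
        String wellFormed = JsonSanitizer.sanitize(untrustedJson);
        return GSON.fromJson(wellFormed, type);
    }

    public static void main(String[] args) {
        // Constructed input with the kinds of defects the library's README describes repairing:
        // unquoted keys, single-quoted strings, trailing commas and a closing script tag
        // inside a string value (escaped so the output can also be embedded in HTML).
        String sloppy = "{subscriptions: [{'attributeId': '1', "
                + "'items': [{strId: '</script>', nodeType: 'L'},],}]}";
        System.out.println(JsonSanitizer.sanitize(sloppy));
        JsonObject parsed = toObject(sloppy, JsonObject.class);
        System.out.println(parsed.getAsJsonArray("subscriptions").size());
    }
}
```

What sanitize() gives you is syntactically well-formed JSON that any parser will accept and that is safe to embed in HTML or XML; it does not check that the document has the fields, value types or values your model expects. Treat it as the first step and keep a structural check like the validator described in the earliest answer as the second, so that both the static-analysis finding and the actual risk of an unexpected payload are addressed.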

© 2022 - 2024 — McMap. All rights reserved.