Using Jackson / Java, how do I ensure that all untrusted data serialized to JSON is delimited within single or double quotes and has any special characters escaped?

Time: 2022-03-10 00:24:03

I have the following Fortify security issue:

JSON Injection: Ensure that all serialization is performed using a safe serialization function that delimits untrusted data within single or double quotes and escapes any special characters.

Below is my code:

import java.io.IOException;
import java.sql.SQLException;
import java.util.List;

import org.codehaus.jackson.JsonParseException;
import org.codehaus.jackson.map.JsonMappingException;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.type.TypeReference;

public String saveJson(String json, long ID, String userId)
        throws SQLException, JsonParseException, JsonMappingException, IOException
{
    ObjectMapper objectMapper = new ObjectMapper();

    // Deserialization: parse the incoming JSON text into a list of item objects.
    List<item> listOfNewItems = objectMapper.readValue(json, new TypeReference<List<item>>() {});

    // The userId parameter is overwritten with the current user's ID before use.
    userId = userFactory.getUser().getID();

    // Delegates to an overload of saveJson that takes the parsed list (defined elsewhere in the class).
    String message = saveJson(listOfNewItems, ID, userId);

    return message;
}

I am trying to maybe use

org.codehaus.jackson.io.JsonStringEncoder.getInstance().quoteAsString(json);

or maybe

objectMapper.configure(JsonGenerator.Feature.QUOTE_FIELD_NAMES, false);
objectMapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true);

but not sure?

More details on the error:

writes unvalidated input into JSON

Any ideas?

1 solution

#1


1  

The comments so far from mikaelhg and gagan singh are correct:

  1. Jackson ObjectMapper on its default settings will already "Ensure that all serialization is performed using a safe serialization function that delimits untrusted data within single or double quotes and escapes any special characters."

  2. The code you have shown is deserialization, not serialization (and/or is broken or incorrectly copied)

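The following is an added example, written for this page and not code from the poster or from the answer above. It shows the two points the answer makes in running form: building JSON by string concatenation lets an untrusted value change the document's structure, while handing the object to Jackson's ObjectMapper with default settings (or escaping a fragment with JsonStringEncoder.quoteAsString, the call the question mentions) keeps the value inside its quotes. It assumes Jackson 2.x (the com.fasterxml packages) on the classpath; the poster's 1.x code would use org.codehaus.jackson.io.JsonStringEncoder instead. The class name JsonEscapeDemo and the UNTRUSTED_NAME string are constructed for the example.

```java
import com.fasterxml.jackson.core.io.JsonStringEncoder;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.LinkedHashMap;
import java.util.Map;

public class JsonEscapeDemo {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed sample input: a "name" value that contains a quote and what looks like a second field.
    static final String UNTRUSTED_NAME = "alice\", \"role\": \"admin";

    // Unsafe: JSON assembled by concatenation. The value is never escaped, so its embedded
    // quote ends the "name" string early and the rest of the input becomes JSON structure.
    static String buildUnsafe(String name) {
        return "{\"role\": \"user\", \"name\": \"" + name + "\"}";
    }

    // Safe: serialize an object with ObjectMapper. On default settings it quotes every string
    // value and escapes '"', '\\' and control characters inside it.
    static String buildWithObjectMapper(String name) throws Exception {
        Map<String, Object> obj = new LinkedHashMap<>();
        obj.put("role", "user");
        obj.put("name", name);
        return MAPPER.writeValueAsString(obj);
    }

    // Also safe, for the rare case where a JSON template really must be built by hand:
    // JsonStringEncoder escapes the fragment so it can only ever be string content.
    static String buildWithStringEncoder(String name) {
        char[] escaped = JsonStringEncoder.getInstance().quoteAsString(name);
        return "{\"role\": \"user\", \"name\": \"" + new String(escaped) + "\"}";
    }

    // What a downstream consumer sees after parsing each document.
    static String roleSeenByConsumer(String json) throws Exception {
        JsonNode root = MAPPER.readTree(json);
        return root.get("role").asText();
    }

    static String nameSeenByConsumer(String json) throws Exception {
        return MAPPER.readTree(json).get("name").asText();
    }

    public static void main(String[] args) throws Exception {
        String[] documents = {
            buildUnsafe(UNTRUSTED_NAME),
            buildWithObjectMapper(UNTRUSTED_NAME),
            buildWithStringEncoder(UNTRUSTED_NAME)
        };
        for (String json : documents) {
            System.out.println(json);
            System.out.println("  role seen by consumer:   " + roleSeenByConsumer(json));
            System.out.println("  name round-trips intact: " + UNTRUSTED_NAME.equals(nameSeenByConsumer(json)));
        }
    }
}
```

For the unsafe document the parsed "role" is "admin" and the name does not round-trip; for both safe documents the role stays "user" and the name comes back exactly as the input, because the quote and the text after it were escaped and remain string content. Note that which duplicate key wins in the unsafe case depends on the parser (Jackson's tree model keeps the last one), which is one more reason not to rely on concatenation. Disabling JsonGenerator.Feature.QUOTE_FIELD_NAMES, the second idea in the question, moves in the opposite direction from what the Fortify message asks for and is deliberately not used here.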
