如何在JSON中安全地使用用户提供的文本?

时间:2022-06-01 16:52:46

I have a Node application that needs to take user input(a username and password) and make a request to another API with those two things included. I have a function that should do this:

我有一个Node应用程序需要接受用户输入(用户名和密码),并向包含这两件事的另一个API发出请求。我有一个应该这样做的功能:

getTokenFromLogin = function(user, pass) {    
    var promise = new Promise(function(resolve, reject) {
        var options = this.options;
        options.url = endpoints.login;
        options.method = 'POST';
        options.form = {
            'username': user,
            'password': pass
        };
        request(options, function (err, httpResponse, body) {
            if (err) return reject(err);
            resolve(body);
        });
    });
    return promise;
};

However, theoretically, couldn't an attacker just input a string in JSON format that could manipulate my request object? If this is the case, how can I ensure that these strings are safe? I've seen two methods, JSON.parse() and JSON.stringify(), but nothing I've found clarifies what I should use and exactly how those methods could stop this kind of vulnerability.

但是,从理论上讲,攻击者不能只输入JSON格式的字符串来操作我的请求对象吗?如果是这种情况,我该如何确保这些字符串是安全的?我已经看到了两种方法,JSON.parse()和JSON.stringify(),但是我发现的任何内容都没有说明我应该使用什么,以及这些方法究竟是如何阻止这种漏洞的。

1 个解决方案

#1


2  

The answer is your code is already "safe." Strings are strings (assuming you are checking the typeof user and pass of course) and strings cannot magically interact with objects by themselves.

答案是你的代码已经“安全”了。字符串是字符串(假设您正在检查用户的类型和传递当然)并且字符串不能自己与对象神奇地交互。

Now if the server you're sending the request to is poorly designed/coded and does not properly sanitize its inputs (user and pass) when inserting into a database for example, then that's an entirely different scenario. However for making the request, there is no security issue here.

现在,如果您发送请求的服务器设计/编码设计不佳,并且在插入数据库时​​没有正确清理其输入(用户和通行证),那么这是完全不同的情况。但是,为了提出请求,这里没有安全问题。

#1


2  

The answer is your code is already "safe." Strings are strings (assuming you are checking the typeof user and pass of course) and strings cannot magically interact with objects by themselves.

答案是你的代码已经“安全”了。字符串是字符串(假设您正在检查用户的类型和传递当然)并且字符串不能自己与对象神奇地交互。

Now if the server you're sending the request to is poorly designed/coded and does not properly sanitize its inputs (user and pass) when inserting into a database for example, then that's an entirely different scenario. However for making the request, there is no security issue here.

现在,如果您发送请求的服务器设计/编码设计不佳,并且在插入数据库时​​没有正确清理其输入(用户和通行证),那么这是完全不同的情况。但是,为了提出请求,这里没有安全问题。