Fortify error on JSON Injection in Java

java json security gson fortify
shrey mathuria picture shrey mathuria · Apr 12, 2018 · Viewed 13.3k times · Source

I am getting SUBSCRIPTION_JSON from client which I am converting it to String and then setting it to Model Object using gson library. On running the code on Fortify security, It is giving me Json injection error on below code with following message :

Here is the error :

On line 159 of ActionHelper.java, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.

Explanation
JSON injection occurs when:

1. Data enters a program from an untrusted source.

In this case the data enters at getString() in **SubscriptionAction.java** at line 355.


2. The data is written to a JSON stream.

In this case the JSON is written by fromJson() in **ActionHelper.java** at line 159.

SubscriptionAction.java

final String subscriptionJson = subscriptionForm.getString(SUBSCRIPTION_JSON);

ActionHelper.java 

public static <T> T jsonToObject(final String jsonString, final Class<T> className) {
        T object = null;
        if (StringUtils.isNotBlank(jsonString)) {
            final Gson gson = (Gson) BeanLocator.getInstance().getBean(GSON);
            object = gson.fromJson(jsonString, className);
        }
        return object;
    }

SUBSCRIPTION_JSON -> 

{
    "subscriptions": [{
        "attributeId": "1",
        "items": [{
            "strId": "ALL",
            "nodeType": "G"
        }, {
            "strId": "VO_ENTRY_TIMING_DELAY",
            "nodeType": "L"
        }, {
            "strId": "O_INVALID",
            "nodeType": "L"
        }, {
            "strId": "O_LINE_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_ADDRESS_INVALID",
            "nodeType": "L"
        }]
    }, {
        "attributeId": "2001",
        "items": [{
            "strId": "OSTBU",
            "nodeType": "L"
        }]
    }]
}

Answer

Anil Kumar picture Anil Kumar · Jul 4, 2019

You have to sanitize the JSON before converting it to java object. This is tested solution and it removed this fortify warning.

<dependency>
        <groupId>com.mikesamuel</groupId>
        <artifactId>json-sanitizer</artifactId>
        <version>1.0</version>
</dependency>

InputStream responseBodyAsStream = null;
responseString = EntityUtils.toString(httpResponse.getEntity(),"UTF-8");
String wellFormedJson = com.google.json.JsonSanitizer.sanitize(responseString);

Map map = mapper.readValue(wellFormedJson, Map.class);

Hope this helps..!!

Related questions

How to parse JSON in Java

I have the following JSON text. How can I parse it to get the values of pageName, pagePic, post_id, etc.? { "pageInfo": { "pageName": "abc", "pagePic": "http://example.com/content.jpg" }, "posts": [ { "post_id": "123456789012_123456789012", "actor_id": "1234567890", "picOfPersonWhoPosted": "http://example.com/photo.…

Read More
How to convert jsonString to JSONObject in Java

I have String variable called jsonString: {"phonetype":"N95","cat":"WP"} Now I want to convert it into JSON Object. I searched more on Google but didn't get any expected answers...

Read More
Jackson with JSON: Unrecognized field, not marked as ignorable

I need to convert a certain JSON string to a Java object. I am using Jackson for JSON handling. I have no control over the input JSON (I read from a web service). This is my input JSON: {"wrapper":[{"id":"13","…

Read More