This post has been de-listed
It is no longer included in search results and normal feeds (front page, hot posts, subreddit posts, etc). It remains visible only via the author's post history.
5
How to fix JSON Deserialization issues?
Post Flair (click to view more posts with a particular flair)
Post Body
How are you guys dealing with JSON deserialization issue of untrusted data?
We have a number of these in our SAST tool, what are the recommendations here, just "sanitizing" inputs is tricky as it's not as simple as use alphanumeric only, etc. E.g. say we have a service that takes the HTTP POST body serializes it and it goes somewhere else to be deserialized. What are the recommendations to mark this as not exploitable?
- Ensure data is trusted, if it's hardcoded files or trusted servers, we could potentially accept this. If it is actually user-controlled, what kind of sanitization checks are possible here?
- Use TypeNameHandling's None value, if possible - would this alone satisfy to mark it as not exploitable? Ref: https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2326
- Use Custom SerializationBinder if you know the types - would this alone satisfy to mark it as not exploitable?
A bit lost on this one, what do you do in your organization?
Author
Account Strength
70%
Account Age
3 years
Verified Email
Yes
Verified Flair
No
Total Karma
783
Link Karma
397
Comment Karma
274
Profile updated: 5 days ago
Subreddit
Post Details
We try to extract some basic information from the post title. This is not
always successful or accurate, please use your best judgement and compare
these values to the post title and body for confirmation.
- Posted
- 7 months ago
- Reddit URL
- View post on reddit.com
- External URL
- reddit.com/r/AskNetsec/c...