How to sanitize JSON string on deserialization to ObjectNode using Jackson - java

I have a JSON string from response to REST API which I am trying to deserialize into an ObjectNode in Jackson like below.
String response = webservice(...);
// readTree() returns JsonNode, so the cast is required; it throws ClassCastException if the root is not a JSON object
ObjectNode jsonObj = (ObjectNode) new ObjectMapper().readTree(response);
In our static scan of the source code, it found a JSON injection vulnerability: this call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.
How can I make sure to protect against JSON injection?

Related

Deserialize password string in json to Guarded String

I have a POST REST API in Spring Boot. I am sending the password string in the JSON payload for this API. While deserializing using Jackson, I am using a String field in the request DTO class. Since it is not secure, I would like to know if there is a way to deserialize the password string in JSON to a guarded string implementation.
GuardedString URL: https://docs.oracle.com/html/E28160_01/org/identityconnectors/common/security/GuardedString.html
Or is there a way to deserialize the JSON string to a char array using Jackson annotations?
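The char-array route asked about above can be done with a custom deserializer. The code below is an added example, not from the question or from Jackson's own documentation: the deserializer copies the value straight out of the parser's text buffer (JsonParser.getTextCharacters/getTextOffset/getTextLength), so no intermediate java.lang.String is created for the password, and the caller zeroes the array when finished. The class and field names (PasswordCharArrayExample, LoginRequest) are assumptions for the demonstration. Jackson's built-in char[] handling goes through getText(), i.e. a String, which is why a custom deserializer is used here. If a GuardedString is wanted, build it from the returned char[] and wipe the array afterwards; this example only shows the char[] step.

```java
import java.io.IOException;
import java.util.Arrays;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;

// Added example (hypothetical class names); not part of the original post.
public class PasswordCharArrayExample {

    /** Copies a JSON string value straight out of the parser buffer into a char[]. */
    public static final class CharArrayDeserializer extends JsonDeserializer<char[]> {
        @Override
        public char[] deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            if (p.currentToken() != JsonToken.VALUE_STRING) {
                // Report a type mismatch through the context (throws by default).
                return (char[]) ctxt.handleUnexpectedToken(char[].class, p);
            }
            // getTextCharacters() exposes the parser's own buffer; the value is the slice
            // [offset, offset + length). Copying the slice avoids materialising a String,
            // which could never be wiped from the heap afterwards.
            char[] buf = p.getTextCharacters();
            int off = p.getTextOffset();
            return Arrays.copyOfRange(buf, off, off + p.getTextLength());
        }
    }

    /** Request DTO (hypothetical): username stays a String, password becomes char[]. */
    public static final class LoginRequest {
        public String username;
        @JsonDeserialize(using = CharArrayDeserializer.class)
        public char[] password;
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload for the demonstration; \u00e9 is decoded by the parser.
        String body = "{\"username\":\"alice\",\"password\":\"s3cr\\u00e9t!\"}";
        LoginRequest req = new ObjectMapper().readValue(body, LoginRequest.class);
        try {
            // Hand req.password to whatever consumes it (a GuardedString built from a char[],
            // or a password encoder that accepts a CharSequence via CharBuffer.wrap).
            System.out.println("password length: " + req.password.length);
        } finally {
            // The one thing a String cannot offer: zero the secret once it has been used.
            Arrays.fill(req.password, '\0');
        }
    }
}
```

This reduces copies of the secret rather than eliminating them: the parser's internal buffer keeps the characters until it is reused, and the raw request body may still sit in the servlet container's buffers or in access logs, so keep those out of scope for logging and let the request object die quickly.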

fortify Json Injection in java using GSON object

I want to deserialize a JSON string using Gson. I am getting JSON from a web service ResponseEntity, which I am converting to a String and then setting into a model object using the Gson library. On running the code through Fortify security, it gives me a JSON injection error on the code below with the following message:
The data is written to a JSON stream. In this case the JSON is written by fromJson()
Gson gson = new Gson();
MyObject obj = gson.fromJson(jsonString, MyObject.class);
Any solution?
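Both the original question (Jackson readTree into an ObjectNode) and the Gson variant just above get the same finding because a scanner sees untrusted data flowing into a JSON parser or writer; the remedy is the same in either library: parse into a closed shape, validate each field, and produce JSON only through the serializer, never by string concatenation. The code below is an added Jackson example, not from either post, showing the parse-and-validate side and the vulnerable-versus-safe output side. The class names (JsonInjectionDefense, UserRecord) and the sample payloads are constructed; StreamReadConstraints assumes Jackson 2.15 or newer. With Gson the equivalent is fromJson into a DTO plus the same field checks, and toJson for output.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

// Added example (hypothetical class names); not from the original posts.
public class JsonInjectionDefense {

    /** Closed DTO: the only shape this endpoint accepts. */
    public static final class UserRecord {
        public String username;
        public int age;
    }

    private static final ObjectMapper MAPPER = JsonMapper.builder(
                // Jackson 2.15+ (assumption): cap nesting depth and string length so a
                // hostile document cannot exhaust the stack or heap while being parsed.
                JsonFactory.builder()
                    .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNestingDepth(20)
                        .maxStringLength(4_096)
                        .build())
                    .build())
            // A field the DTO does not declare is an error, not something to ignore.
            .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
            // Anything after the closing brace (e.g. a second document) is an error too.
            .enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS)
            .build();

    /** Parse and validate: after this returns, every field is known and within bounds. */
    public static UserRecord parse(String body) throws JsonProcessingException {
        UserRecord r = MAPPER.readValue(body, UserRecord.class);
        if (r.username == null || !r.username.matches("[A-Za-z0-9_]{1,32}")) {
            throw new IllegalArgumentException("username fails allow-list");
        }
        if (r.age < 0 || r.age > 150) {
            throw new IllegalArgumentException("age out of range");
        }
        return r;
    }

    /** The pattern scanners flag: a value spliced into JSON text by hand. */
    public static String buildByConcatenation(String username) {
        return "{\"username\":\"" + username + "\",\"admin\":false}";
    }

    /** The fix: build a tree and let the serializer escape every value. */
    public static String buildWithSerializer(String username) throws JsonProcessingException {
        ObjectNode out = MAPPER.createObjectNode();
        out.put("username", username);
        out.put("admin", false);
        return MAPPER.writeValueAsString(out);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demonstration.
        System.out.println(parse("{\"username\":\"alice\",\"age\":30}").username);
        try {
            parse("{\"username\":\"alice\",\"age\":30,\"admin\":true}");   // undeclared field
        } catch (JsonProcessingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
        String hostile = "x\",\"admin\":true,\"y\":\"";
        System.out.println(buildByConcatenation(hostile));   // extra admin key ends up in the document
        System.out.println(buildWithSerializer(hostile));    // quotes escaped; admin stays false
    }
}
```

Reading into a typed DTO instead of a free-form ObjectNode is what turns the scanner's "arbitrary elements or attributes" into a compile-time contract: unknown keys fail, and the remaining fields are plain Java values whose content you still check explicitly. If an ObjectNode really is needed, apply the same checks to it (expected keys present, no others, each value of the expected node type) before anything downstream reads it.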

Parse JSON without knowing its schema or domain object type

I have a REST service which returns a JSON string. The REST service processes the request and returns a JSON string whose schema is unpredictable. What approach can I take to parse this kind of JSON string to a POJO or domain object?
e.g.: the REST service can return a JSON string which represents an Address, Bank Account Info, Employee Details, etc.
There is nothing common in all these JSON responses.
My current approach is to return a header with a ResponseType in it. Wondering if there is a better way.
You can read the JSON tree and, based on the root node key name, decide on a corresponding class to use for parsing. This is how it would look with Jackson:
ObjectMapper mapper = new ObjectMapper();
JsonNode rootNode = mapper.readTree(json);
if (rootNode.get("type1") != null) {
    // parse with type1, e.g. mapper.treeToValue(rootNode.get("type1"), Type1.class)
} else if (rootNode.get("type2") != null) {
    // parse with type2
}
// ... and so on for each known root key
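A table-driven version of that dispatch, added here as an example that is not part of the answer above: the set of recognised root keys is a closed map from key to target class, the root must contain exactly one key, and the payload is bound with treeToValue. The classes (RootKeyDispatch, Address, BankAccount), the keys and the sample documents are all constructed for the demonstration. Keeping the key-to-class table on the server side, rather than letting the response name a class, is the safe way to do polymorphic binding; Jackson's default typing, where the document itself names the class, is what to avoid.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

// Added example (hypothetical class and key names); not from the original answer.
public class RootKeyDispatch {

    public static final class Address { public String street; public String city; }
    public static final class BankAccount { public String iban; public String holder; }

    /** Closed allow-list: root key -> class. Anything else is rejected. */
    private static final Map<String, Class<?>> TYPES = new LinkedHashMap<>();
    static {
        TYPES.put("address", Address.class);
        TYPES.put("bankAccount", BankAccount.class);
    }

    private static final ObjectMapper MAPPER = JsonMapper.builder()
            // A payload with fields the target class lacks is an error, not noise.
            .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
            .build();

    /** Returns an Address, a BankAccount, ... depending on the single root key. */
    public static Object parse(String json) throws Exception {
        JsonNode root = MAPPER.readTree(json);
        if (!root.isObject() || root.size() != 1) {
            throw new IllegalArgumentException("expected an object with exactly one root key");
        }
        String key = root.fieldNames().next();
        Class<?> target = TYPES.get(key);
        if (target == null) {
            throw new IllegalArgumentException("unknown payload type: " + key);
        }
        return MAPPER.treeToValue(root.get(key), target);
    }

    public static void main(String[] args) throws Exception {
        // Constructed responses for the demonstration.
        Object a = parse("{\"address\":{\"street\":\"1 Main St\",\"city\":\"Springfield\"}}");
        Object b = parse("{\"bankAccount\":{\"iban\":\"XX00TEST\",\"holder\":\"alice\"}}");
        System.out.println(a.getClass().getSimpleName() + " " + ((Address) a).city);
        System.out.println(b.getClass().getSimpleName() + " " + ((BankAccount) b).holder);
        try {
            parse("{\"employee\":{\"name\":\"bob\"}}");   // not in the table
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the upstream service cannot wrap its payload in a root key, the same table works against whatever discriminator it does provide (the response header mentioned in the question, or a fixed "type" field), as long as the lookup stays on your side and unknown values are rejected rather than guessed.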

How to parse xml into json with jackson

Can someone point me to the correct way to convert xml into json with jackson?
I have one service that accepts a post request with an xml body, I want to take that xml and send it to another service as a json.
I've seen some examples where people use an ObjectMapper, but ideally, I would have an interface ModelJsonView and then use the setMixInAnnotation() method to bind it to the corresponding model class.
Try this:
import org.json.JSONObject;
import org.json.XML;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;

String xml = "<testName>Tester</testName><testValue>100</testValue>";
JSONObject xmlToJsonObject = XML.toJSONObject(xml);   // org.json does the XML -> JSON step
ObjectMapper mapper = new ObjectMapper();
mapper.enable(SerializationFeature.INDENT_OUTPUT);
Object json = mapper.readValue(xmlToJsonObject.toString(), Object.class);   // Jackson re-parses the result
System.out.println(mapper.writerWithDefaultPrettyPrinter().writeValueAsString(json));
Include the org.json and Jackson jars.
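The answer above goes through org.json; Jackson can also do the whole conversion itself with the jackson-dataformat-xml module, which is closer to what the question asked for. The code below is an added example, not from the answer: an XmlMapper reads the XML into a JsonNode tree and a plain ObjectMapper writes it out as JSON. The StAX factory is configured explicitly with DTD processing and external entity resolution switched off, so a request body carrying an external entity declaration (XXE) is rejected at the parser; jackson-dataformat-xml already defaults to disabling external entities, but setting it yourself keeps the intent visible in code review. The class name and the sample document are constructed; note that XmlMapper needs a single root element, which the two-element fragment in the answer lacks.

```java
import javax.xml.stream.XMLInputFactory;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

// Added example (hypothetical class name); not from the original answer.
// Requires jackson-dataformat-xml on the classpath.
public class XmlToJson {

    private static final XmlMapper XML_MAPPER;
    static {
        XMLInputFactory in = XMLInputFactory.newFactory();
        // No DTD processing and no external entity resolution: closes the XXE door
        // before any XML from the request body is parsed.
        in.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XML_MAPPER = new XmlMapper(new XmlFactory(in));
    }

    private static final ObjectMapper JSON_MAPPER = new ObjectMapper();

    /** XML document (single root element) -> pretty-printed JSON string. */
    public static String convert(String xml) throws Exception {
        JsonNode tree = XML_MAPPER.readTree(xml);   // root element name is dropped; children become fields
        return JSON_MAPPER.writerWithDefaultPrettyPrinter().writeValueAsString(tree);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input; the answer's fragment wrapped in one root element.
        String xml = "<test><testName>Tester</testName><testValue>100</testValue></test>";
        System.out.println(convert(xml));
        // A document with a DOCTYPE is refused by the configured parser rather than processed.
        try {
            convert("<!DOCTYPE test [<!ENTITY x \"y\">]><test>&x;</test>");
        } catch (Exception e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Two differences from the org.json route worth knowing: XmlMapper leaves every leaf as a JSON string (100 stays "100", no type inference), and repeated sibling elements do not automatically become a JSON array in tree mode, so check the output against your real payloads before wiring it into the second service.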

JSON schema validator library in Java

I have a RESTful web service (Java) which has to accept JSON requests. I have to first validate this JSON against a JSON schema that I have.
I'm not sure what the best Java library is to validate JSON against JSON schemas.
I have used the json-schema-validator-2.1.7 library but it has not been very helpful. Even though my JSON is not valid JSON, I do not get any errors.
Here is the code I use for json-schema-validator-2.1.7:
InputStream jsonSchemaInputStream = Assessment.class.getClassLoader().getResourceAsStream("Schemas/AssessmentMetrics.json");
ObjectMapper mapper = new ObjectMapper();
// Allows to retrieve a JSONSchema object on various sources
// supported by the ObjectMapper provided
JSONSchemaProvider schemaProvider = new JacksonSchemaProvider(mapper);
// Retrieves a JSON Schema object based on a file
JSONSchema schema = schemaProvider.getSchema(jsonSchemaInputStream);
// Validates a JSON Instance object stored in a file
// (contents is the JSON instance read earlier; its definition is not shown in the post)
List<String> errors = schema.validate(contents);
Projects worth exploring:
https://github.com/java-json-tools/json-schema-validator
https://github.com/everit-org/json-schema
https://github.com/networknt/json-schema-validator
Here is a nice list.
Here is an online sandbox.
I'm biased towards Jackson for all things JSON.
https://github.com/FasterXML/jackson-module-jsonSchema
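For one of the projects listed above, networknt json-schema-validator, this is what the validation step looks like end to end; it is an added example, not from the question or from the answer. The class name (SchemaGate), the schema and the sample requests are constructed; the API calls (JsonSchemaFactory.getInstance, getSchema, validate returning a Set of ValidationMessage) assume networknt json-schema-validator 1.0.x or later. It also separates the two failures the question runs together: malformed JSON fails at Jackson's readTree with an exception before any schema logic runs, while well-formed JSON of the wrong shape is what the schema rejects.

```java
import java.util.Set;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.networknt.schema.JsonSchema;
import com.networknt.schema.JsonSchemaFactory;
import com.networknt.schema.SpecVersion;
import com.networknt.schema.ValidationMessage;

// Added example (hypothetical class name); not from the original question or answer.
public class SchemaGate {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed draft-07 schema: a closed object with two required, constrained fields.
    // additionalProperties:false and required are what make a validator actually complain.
    private static final String SCHEMA_JSON = "{"
        + "\"$schema\":\"http://json-schema.org/draft-07/schema#\","
        + "\"type\":\"object\","
        + "\"additionalProperties\":false,"
        + "\"required\":[\"metric\",\"value\"],"
        + "\"properties\":{"
        + "  \"metric\":{\"type\":\"string\",\"pattern\":\"^[a-z_]{1,32}$\"},"
        + "  \"value\":{\"type\":\"number\",\"minimum\":0}"
        + "}}";

    private static final JsonSchema SCHEMA = JsonSchemaFactory
            .getInstance(SpecVersion.VersionFlag.V7)
            .getSchema(SCHEMA_JSON);

    /** Returns the schema violations; an empty set means the request conforms. */
    public static Set<ValidationMessage> validate(String body) throws JsonProcessingException {
        // Step 1, syntax: malformed JSON throws here, before any schema rule is consulted.
        JsonNode instance = MAPPER.readTree(body);
        // Step 2, structure: well-formed JSON is checked against the schema.
        return SCHEMA.validate(instance);
    }

    public static void main(String[] args) throws Exception {
        // Constructed requests for the demonstration.
        System.out.println(validate("{\"metric\":\"cpu_load\",\"value\":0.7}"));            // []
        System.out.println(validate("{\"metric\":\"cpu load\",\"value\":-1,\"extra\":1}")); // pattern, minimum, additionalProperties
        try {
            validate("{\"metric\":");   // truncated: not JSON at all
        } catch (JsonProcessingException e) {
            System.out.println("rejected as malformed JSON: " + e.getOriginalMessage());
        }
    }
}
```

If a validator seems to accept everything, the usual causes are a schema that never says additionalProperties:false or lists no required fields (such a schema accepts almost any object), or the instance being passed as an already-parsed value so that the syntax failure happened silently elsewhere; in a request filter, treat a non-empty result set as a 400 and log the messages, not the body.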
