
Is this a bug or by design? null json will crash drogon

Open powof2 opened this issue 1 year ago • 2 comments

Summary

Drogon (1.9.6) will crash if the client sends an invalid/null JSON.

Details

Send this to drogon on windows:

REM In the following request the body is ill-formed on Windows; the correct body
REM is: "{\"username\":\"xyz\",\"password\":\"xyz\"}" on Windows.
curl --header "Content-Type: application/json" --request POST --data `{"username":"xyz","password":"xyz"}` http://localhost:5555/auth/login

And drogon will crash: crash-f256

and here is the drogon console output:

20240816 04:28:55.244000 UTC 21080 DEBUG [main] Load config file - main.cc:18
20240816 04:28:55.246000 UTC 21080 DEBUG [main] running on localhost:5555 - main.cc:22
20240816 04:28:55.290000 UTC 21080 DEBUG [initAndStart] JWT initialized and Start - JwtPlugin.cc:7
20240816 04:29:02.548000 UTC 1324 DEBUG [parseJson] * Line 1, Column 1
  Syntax error: value, object or array expected.
 - HttpRequestImpl.cc:57

D:\path\drogonTest.exe (process 10180) exited with code -1073741819.
Press any key to close this window . . .

Impact

If a null JSON can bring down a server, then all website backends built with Drogon are too vulnerable imo.

I'm wondering: is this a bug, or is it designed this way (meaning all web servers in the world will crash on receiving a null JSON), or simply ignored for performance (one less null pointer check)?

powof2, Aug 17 '24 05:08

Same with generally unparsable JSON. If there's no JSON at all the shared ptr will just be null, which is fine, but once someone sends a JSON that doesn't parse the whole thing just breaks down.

The biggest flaw here is that there's NO WAY to mitigate that, no exception to catch, no bool to check, it just straight up kills the thing...

Looking at the code again, I think the only way to do that for now is to get the .body() of a request, use some JSON library to check if it even parses, if not, send back some error or handle that differently, then actually do .jsonBody() to get it. Which reparses again, but there's no way to mitigate that otherwise.

Dich0tomy, Sep 02 '24 19:09

I believe this issue is not accurate for Drogon in general. Here is an example of the working and, I believe, intended behavior of sending an ill-formed JSON body to Drogon 1.9.8:

20250101 10:01:26.400880 UTC 4009340 DEBUG [parseJson] * Line 1, Column 1
  Syntax error: value, object or array expected.
 - HttpRequestImpl.cc:57

It's the same line of code, same output, but it doesn't crash (on Ubuntu 24.04).

This was the ill-formed example used to produce the above print:

curl -X POST http://localhost:8000/files/upload \
-H "Content-Type: application/json" \
-d '}'

In this example, my controller handler is not even called, not even any filter.

In the screenshot you showed, that code is from jsoncpp, not Drogon directly. Not sure what's going on in your case, perhaps it's something that was fixed between 1.9.6 and 1.9.8, or something wrong with your platform (Windows). In any case, I believe it's not a flaw of Drogon in general, and surely, production webservers don't just go down because someone sends some ill-formed JSON.

iaamp, Jan 01 '25 10:01

It was almost a year later that I realized the crash occurred in my own authorization controller. I could simply check if the jsonPtr is empty before dereferencing it to solve this problem.

powof2, Jul 30 '25 16:07
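
The fix from the last comment, as an added example that is not code from the thread or from Drogon: a stand-alone C++ model in which the parsed-body pointer is empty when the body does not parse, and the login handler checks it before dereferencing. `parseFlatObject`, `handleLogin`, `LoginResult` and the sample bodies are hypothetical stand-ins constructed for this example, not Drogon or jsoncpp APIs.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>

using JsonObject = std::map<std::string, std::string>;
using JsonPtr = std::shared_ptr<JsonObject>;

// Hypothetical stand-in parser for non-empty flat {"key":"value",...} bodies.
// Returns nullptr on any syntax error, modelling the empty pointer a handler
// receives when the request body is not valid JSON.
JsonPtr parseFlatObject(const std::string &s) {
    auto out = std::make_shared<JsonObject>();
    std::size_t i = 0;
    // Reads one double-quoted string starting at s[i]; no escape handling.
    auto str = [&](std::string &dst) {
        if (i >= s.size() || s[i] != '"') return false;
        std::size_t end = s.find('"', ++i);
        if (end == std::string::npos) return false;
        dst = s.substr(i, end - i);
        i = end + 1;
        return true;
    };
    if (s.empty() || s[i++] != '{') return nullptr;
    while (true) {
        std::string k, v;
        if (!str(k) || i >= s.size() || s[i++] != ':' || !str(v)) return nullptr;
        (*out)[k] = v;
        if (i >= s.size()) return nullptr;
        if (s[i] == '}') return ++i == s.size() ? out : nullptr;  // no trailing data
        if (s[i++] != ',') return nullptr;
    }
}

struct LoginResult { int status; std::string message; };

// Hypothetical login handler. Without the first check, json->find() on an
// empty pointer is a null dereference: undefined behaviour, typically a crash.
LoginResult handleLogin(const JsonPtr &json) {
    if (!json) return {400, "invalid JSON body"};
    auto user = json->find("username");
    auto pass = json->find("password");
    if (user == json->end() || pass == json->end())
        return {400, "missing username or password"};
    return {200, "ok"};  // credential verification would follow here
}
```
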