
Security checks for Json()

Open tamalsaha opened this issue 6 years ago • 3 comments

In Go's net/http ParseForm() method, the following checks are done: https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1176

```go
// For other HTTP methods, or when the Content-Type is not
// application/x-www-form-urlencoded, the request Body is not read, and
// r.PostForm is initialized to a non-nil, empty value.
//
// If the request Body's size has not already been limited by MaxBytesReader,
// the size is capped at 10MB.
```

Should the similar checks in Request body be done in Json() method, too?

  1. Check that the request body content type is application/json?
  2. Limit the request body size to 10MB?

tamalsaha avatar Mar 21 '19 18:03 tamalsaha

JSON is stream parsed, but form parsing needs a pre-read in https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1130:6 . MaxBytesReader is sufficient.

unknwon avatar Mar 21 '19 19:03 unknwon

Sorry, I don't follow. Are you saying that Json() should use a MaxBytesReader to limit excess read?

tamalsaha avatar Mar 21 '19 22:03 tamalsaha

In conclusion, yes!

unknwon avatar Mar 22 '19 00:03 unknwon
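The two checks proposed in the thread, a Content-Type test and a `MaxBytesReader` cap in front of the streaming JSON decoder, as an added example that is not part of the issue or of the binding library's own code. `DecodeJSON`, `BindConstructed`, the `item` type and the sample requests are assumptions made for the demonstration; `DefaultMaxJSONBody` copies the 10MB figure `ParseForm` uses. Because `json.Decoder` reads the body as a stream, the size limit has to be enforced by the reader underneath it, which is exactly what wrapping `r.Body` in `http.MaxBytesReader` does.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DefaultMaxJSONBody mirrors the 10MB cap ParseForm applies when the body
// has not already been wrapped in MaxBytesReader.
const DefaultMaxJSONBody = 10 << 20

var (
	ErrContentType  = errors.New("request Content-Type is not application/json")
	ErrBodyTooLarge = errors.New("request body exceeds size limit")
)

// DecodeJSON (hypothetical name) applies both checks before decoding:
// the media type must be application/json (parameters such as charset are
// accepted), and the body is wrapped in http.MaxBytesReader so the streaming
// decoder can never consume more than limit bytes.
func DecodeJSON(w http.ResponseWriter, r *http.Request, limit int64, v interface{}) error {
	mediaType, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mediaType != "application/json" {
		return ErrContentType
	}
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	if err := json.NewDecoder(r.Body).Decode(v); err != nil {
		// MaxBytesReader reports an overrun as "http: request body too large"
		// (a *http.MaxBytesError since Go 1.19); matching on the message keeps
		// this working on older toolchains as well.
		if strings.Contains(err.Error(), "request body too large") {
			return ErrBodyTooLarge
		}
		return err
	}
	return nil
}

// item is a hypothetical payload type used only for this demonstration.
type item struct {
	Name string `json:"name"`
}

// BindConstructed builds a request from constructed inputs, runs DecodeJSON
// against it and returns the decoded item together with the binding error.
func BindConstructed(contentType, body string, limit int64) (item, error) {
	r := httptest.NewRequest(http.MethodPost, "/items", strings.NewReader(body))
	if contentType != "" {
		r.Header.Set("Content-Type", contentType)
	}
	var it item
	err := DecodeJSON(httptest.NewRecorder(), r, limit, &it)
	return it, err
}

func main() {
	// Constructed sample requests: valid, valid with charset parameter,
	// wrong media type, and a body that overruns a deliberately small cap.
	cases := []struct {
		ct, body string
		limit    int64
	}{
		{"application/json", `{"name":"widget"}`, DefaultMaxJSONBody},
		{"application/json; charset=utf-8", `{"name":"widget"}`, DefaultMaxJSONBody},
		{"text/plain", `{"name":"widget"}`, DefaultMaxJSONBody},
		{"application/json", `{"name":"` + strings.Repeat("a", 200) + `"}`, 64},
	}
	for _, c := range cases {
		it, err := BindConstructed(c.ct, c.body, c.limit)
		fmt.Printf("%-34q limit=%-8d -> item=%+v err=%v\n", c.ct, c.limit, it, err)
	}
}
```

The cap is applied before the first byte is decoded, so an oversized body fails with `ErrBodyTooLarge` after at most `limit` bytes have been read, and a caller that distinguishes that error from a syntax error can answer with 413 instead of 400.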