fix(builtins): prevent JSON injection in HTTP build_json_body#1007
Merged
fix(builtins): prevent JSON injection in HTTP build_json_body#1007
Conversation
…_json_body Closes #1000 — build_json_body was constructing JSON via string formatting without escaping special characters, allowing injection of arbitrary JSON fields. Now uses serde_json::Value::String for proper escaping.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
build_json_bodywithserde_jsonfor proper JSON escaping",\, newlines, or other special characters are now safely escapedWhat & Why
build_json_bodyconstructed JSON viaformat!("\"{}\"", v)without escaping, allowing injection of arbitrary JSON fields (e.g.,name='test","admin":true'would inject anadminfield). Now usesserde_json::Value::Stringwhich handles all escaping correctly.Tests Added
test_json_body_escapes_quotes— verifies injection attempt is neutralizedtest_json_body_escapes_backslash_and_newline— verifies control chars are escapedtest_json_body_raw_field_unchanged— verifies raw fields still workCloses #1000