
[Question] Command injection sanitization

Open mathieufortin01 opened this issue 10 months ago • 1 comment

Hey all. This lib is sanitizing a whole set of char sequences, but not those related to command injection (i.e. shell commands). So using this to sanitize input leaves the command injection vulnerabilities.

Is there a rationale behind this? Should it be part of its responsibilities?

Thanks!

mathieufortin01 avatar Mar 14 '25 14:03 mathieufortin01

The library is just making sure that JSON is well formatted. This is done to protect your JSON parser, which has a history of being attacked from malformed JSON.

To stop command injection or SQL injection, that’s not done when you parse JSON. That is done when you put data into a SQL statement with query parameterization, or when you put data into an OS command with OS-specific escaping.

jmanico avatar Mar 14 '25 14:03 jmanico
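As an added example (not code from the json-sanitizer project or from either participant), the Java snippet below assumes the library's `com.google.json.JsonSanitizer.sanitize` entry point and a JDBC `Connection`; it shows the sanitizer repairing JSON syntax while leaving a value's shell metacharacters untouched, and the two sink-side measures the answer names: an argv list instead of a shell string, and a bound SQL parameter.

```java
import com.google.json.JsonSanitizer;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;

// Added example, not part of json-sanitizer: sanitizing JSON protects the JSON
// parser; protecting a shell or SQL sink is a separate step done at that sink.
public class SinkSafety {

    // Constructed input: sloppy JSON (unquoted key, single quotes, trailing comma)
    // whose string value happens to contain shell metacharacters.
    static final String RAW = "{name: 'report.txt && echo injected', size: 42,}";

    /** JsonSanitizer fixes the syntax; the characters inside the value stay as-is. */
    static String wellFormed() {
        return JsonSanitizer.sanitize(RAW);
    }

    /** Sink 1, OS command: hand the value over as its own argv element. No shell
     *  ever tokenizes it, so "&&" is just part of a (nonexistent) file name. */
    static ProcessBuilder listFile(String nameFromJson) {
        return new ProcessBuilder(List.of("ls", "-l", "--", nameFromJson));
    }

    /** Sink 2, SQL: bind the value as a parameter so it never becomes statement text. */
    static PreparedStatement findFile(Connection conn, String nameFromJson) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM files WHERE name = ?");
        ps.setString(1, nameFromJson);
        return ps;
    }

    public static void main(String[] args) {
        System.out.println(wellFormed());
        // A JSON parser would normally extract "name"; it is hard-coded here so the
        // example has no parser dependency. The sanitizer did not alter this value.
        String name = "report.txt && echo injected";
        System.out.println(listFile(name).command());
    }
}
```

Passing `"ls -l " + name` to `sh -c` instead of the argv form above is exactly the sink-side mistake the answer is pointing at; the sanitizer was never positioned to catch it.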