scotty
Configure XSRF prefix for json responses
Angular will automatically strip ")]}',\n" from json responses.
https://docs.angularjs.org/api/ng/service/$http
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/
@alexanderkjeldaas What do you suggest to do here? Do you want a way to register a postprocessor for json responses? E.g.

```haskell
-- proposed API, not an existing scotty export; registered at setup time, so it lives in ScottyM
transformJSON :: (ByteString -> ByteString) -> ScottyM ()
```

that can then be used like so:

```haskell
{-# LANGUAGE OverloadedStrings #-}
import Web.Scotty
import Data.Monoid ((<>))  -- needed on older base where (<>) is not in Prelude

main :: IO ()
main = scotty 3000 $ do
  transformJSON (")]}',\n" <>)  -- every `json` response below gets the prefix
  get "/" $ do
    json [23 :: Int, 42]
```
Yes, something like that. With a focus on ensuring that it is unlikely that an unprotected json response will be sent in a large application.
> With a focus on ensuring that it is unlikely that an unprotected json response will be sent in a large application.

What do you have in mind here? AFAIK, sending JSON objects is fine. So if the user already follows the convention to always wrap things in a top-level object, no mitigation is needed. I assumed it's at the user's discretion to enable any form of mitigation.

Another approach would be to check if the provided JSON Value is an object. If it is not an object, we could wrap it (e.g. {"value" : ...}). Not sure if that is desirable?
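The two mitigations floated in this thread (the `)]}',\n` prefix registered via a postprocessor, and wrapping non-object values in a top-level object) both work for the same reason: a cross-origin `<script src=...>` evaluates the response body as a JavaScript program, and a bare array or scalar is a valid program while a prefixed body or an object literal is a syntax error. The following is an added example, not scotty's code and not the proposed `transformJSON` API; it is written in JavaScript because the property being checked is how a browser would parse the body. `encodeJson`, `decodeJson` and `evaluatesAsScript` are hypothetical names, `new Function` is used only as a stand-in parser (it compiles without executing), and the strip regex is assumed to mirror the one AngularJS's $http applies before `JSON.parse`.

```javascript
// The prefix AngularJS strips; the server must emit it byte-for-byte.
const XSRF_PREFIX = ")]}',\n";

// Server side (hypothetical helper): serialise `value`.
//   wrapNonObject: anything that is not a JSON object (array, number, string,
//                  null) is wrapped as {"value": ...}, the thread's second option.
//   prefix:        prepend the AngularJS protection prefix, the thread's first option.
function encodeJson(value, { prefix = false, wrapNonObject = false } = {}) {
  let v = value;
  const isObject = v !== null && typeof v === "object" && !Array.isArray(v);
  if (wrapNonObject && !isObject) {
    v = { value: v };
  }
  return (prefix ? XSRF_PREFIX : "") + JSON.stringify(v);
}

// Client side: strip the prefix (assumed to match AngularJS's /^\)\]\}',?\n/)
// and parse. A body without the prefix parses unchanged.
const JSON_PROTECTION_PREFIX = /^\)\]\}',?\n/;
function decodeJson(body) {
  return JSON.parse(body.replace(JSON_PROTECTION_PREFIX, ""));
}

// The attack channel: would this body parse as a JavaScript program, as it
// would when pulled in through a cross-origin <script> tag? `new Function`
// compiles the body as a function body without running it, so a SyntaxError
// means the data never becomes an expression the including page can observe.
function evaluatesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample: the array from the thread's own example.
function demo() {
  const payload = [23, 42];
  return {
    bareArray: evaluatesAsScript(encodeJson(payload)),                           // true: exploitable shape
    prefixed: evaluatesAsScript(encodeJson(payload, { prefix: true })),          // false
    wrapped: evaluatesAsScript(encodeJson(payload, { wrapNonObject: true })),    // false
    plainObject: evaluatesAsScript(encodeJson({ id: 7 })),                       // false: objects are already safe
    roundTrip: decodeJson(encodeJson(payload, { prefix: true })),                // [23, 42]
  };
}

console.log(demo());
```

Note the `plainObject` case: an object literal at statement position is a syntax error on its own, which is why the thread's observation that "sending JSON objects is fine" holds, and why the wrap-if-not-object strategy leaves objects untouched. The prefix option is the one to use when you cannot rely on every handler honouring the top-level-object convention, since it covers every `json` call uniformly.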