Azure / azure-sdk-for-c

This repository is for active development of the Azure SDK for Embedded C. For consumers of the SDK we recommend visiting our versioned developer docs at https://azure.github.io/azure-sdk-for-c.
MIT License

Data from one API to another API of the SDK needs Sanitization and Validation #2239

Open ericwolz opened 2 years ago

ericwolz commented 2 years ago

Improper Input Validation (CWE-20) inside Trust Boundary:

• Data from one API to another API of the SDK needs Sanitization and Validation, for future safety concerns.

All internal APIs should be reviewed for proper input validation

• File: src\azure\core\az_json_writer.c
• API: _az_validate_json()
• Lines: 717 – 750
• Issue: Improper Input Validation is missing for:
  • json_text
  • last_token_kind
• Caller Graph: (image)

ahsonkhan commented 2 years ago

There is only one caller of this internal method, and it is guaranteed to call it correctly, but we should add a null precondition check on last_token_kind for maintainability and consistency.

The need for json_text validation is interesting. The JSON reader init method does the precondition validation already. Is the ask to duplicate such validation? That's doable, but it seems unnecessary, and looks like a restriction of the detection tool.

Is there a way to opt-out of specific instances of false positives, based on context and code inspection?

ahsonkhan commented 2 years ago

> The need for json_text validation is interesting. The JSON reader init method does the precondition validation already. Is the ask to duplicate such validation? That's doable, but it seems unnecessary, and looks like a restriction of the detection tool.

After discussing with @ericwol-msft, this is discovered through manual code inspection, so regarding json_text we landed on adding a comment stating that the reader init method does the appropriate validation, and not to duplicate the precondition unnecessarily.
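The pattern the two comments above settle on, as an added, self-contained C example that is not code from the azure-sdk-for-c repository: the public init function is the trust boundary and validates the caller-supplied JSON text once, while the internal validator (a stand-in for `_az_validate_json`) only checks its own out-pointer precondition and carries a comment pointing at where `json_text` was validated. All names (`demo_span`, `demo_reader_init`, `_demo_validate_json`, `DEMO_PRECONDITION`) are invented for this example; a failed precondition is modelled as an error return so the behaviour can be asserted on, and the bracket-balance scan is a deliberately minimal stand-in for real JSON validation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (not the SDK's own types) for a byte span, a result
 * code and the token kinds the validator reports. */
typedef struct {
  const uint8_t *ptr;
  int32_t size;
} demo_span;

typedef enum {
  DEMO_OK = 0,
  DEMO_ERROR_ARG,            /* a precondition on an argument failed */
  DEMO_ERROR_UNEXPECTED_END, /* unbalanced or truncated JSON */
} demo_result;

typedef enum {
  DEMO_TOKEN_NONE,
  DEMO_TOKEN_BEGIN_OBJECT,
  DEMO_TOKEN_END_OBJECT,
  DEMO_TOKEN_BEGIN_ARRAY,
  DEMO_TOKEN_END_ARRAY,
  DEMO_TOKEN_SCALAR,
} demo_token_kind;

typedef struct {
  demo_span json_text;
  demo_token_kind last_token_kind;
} demo_reader;

/* Precondition helper (hypothetical): a failed check returns an error here so
 * the example is testable; production SDKs usually route it to a failure hook. */
#define DEMO_PRECONDITION(cond) \
  do {                          \
    if (!(cond)) {              \
      return DEMO_ERROR_ARG;    \
    }                           \
  } while (0)

static demo_span demo_span_from_str(const char *s)
{
  demo_span span = { (const uint8_t *)s, (int32_t)strlen(s) };
  return span;
}

static demo_span demo_span_create(const uint8_t *ptr, int32_t size)
{
  demo_span span = { ptr, size };
  return span;
}

/* Internal validator, the analogue of _az_validate_json. Its only caller is
 * demo_reader_init, which has already validated json_text, so the one check
 * added here is the null precondition on the out-parameter. */
static demo_result _demo_validate_json(demo_span json_text, demo_token_kind *last_token_kind)
{
  DEMO_PRECONDITION(last_token_kind != NULL);
  /* json_text is intentionally not re-validated: demo_reader_init (the public
   * trust boundary) already checked its pointer and size. */

  int32_t depth = 0;
  demo_token_kind last = DEMO_TOKEN_NONE;
  for (int32_t i = 0; i < json_text.size; i++) {
    switch (json_text.ptr[i]) {
      case '{': depth++; last = DEMO_TOKEN_BEGIN_OBJECT; break;
      case '}': depth--; last = DEMO_TOKEN_END_OBJECT; break;
      case '[': depth++; last = DEMO_TOKEN_BEGIN_ARRAY; break;
      case ']': depth--; last = DEMO_TOKEN_END_ARRAY; break;
      case ' ': case '\t': case '\n': case '\r': case ',': case ':': break;
      default: last = DEMO_TOKEN_SCALAR; break;
    }
    if (depth < 0) { /* closing bracket with nothing open */
      *last_token_kind = last;
      return DEMO_ERROR_UNEXPECTED_END;
    }
  }
  *last_token_kind = last;
  return (depth == 0 && last != DEMO_TOKEN_NONE) ? DEMO_OK : DEMO_ERROR_UNEXPECTED_END;
}

/* Public entry point: the trust boundary. Every check on caller-supplied
 * json_text lives here, once, before any internal API touches it. */
demo_result demo_reader_init(demo_reader *out_reader, demo_span json_text)
{
  DEMO_PRECONDITION(out_reader != NULL);
  DEMO_PRECONDITION(json_text.size >= 0);
  DEMO_PRECONDITION(json_text.size == 0 || json_text.ptr != NULL);

  demo_token_kind last = DEMO_TOKEN_NONE;
  demo_result r = _demo_validate_json(json_text, &last);
  if (r != DEMO_OK) {
    return r;
  }
  out_reader->json_text = json_text;
  out_reader->last_token_kind = last;
  return DEMO_OK;
}

int main(void)
{
  demo_reader rd;
  printf("valid:     %d\n", demo_reader_init(&rd, demo_span_from_str("{\"a\":[1,2]}")));
  printf("truncated: %d\n", demo_reader_init(&rd, demo_span_from_str("{\"a\":[1,2]")));
  printf("null ptr:  %d\n", demo_reader_init(&rd, demo_span_create(NULL, 5)));
  return 0;
}
```

The point of the split is that the internal function documents its assumption instead of re-checking it; if a second caller of `_demo_validate_json` is ever added, the comment makes clear that the caller inherits the duty to validate `json_text` first.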