drogonframework / drogon

Drogon: A C++14/17/20 based HTTP web application framework running on Linux/macOS/Unix/Windows
MIT License

Is this a bug or by design? null json will crash drogon #2128

Open powof2 opened 1 month ago

powof2 commented 1 month ago

Summary

Drogon (1.9.6) will crash if a client sends an invalid/null JSON.

Details

Send this to Drogon on Windows:

REM in the following request its body is ill-formed on Windows, the correct body
REM is: "{\"username\":\"xyz\",\"password\":\"xyz\"}" on Windows.
curl --header "Content-Type: application/json" --request POST --data `{"username":"xyz","password":"xyz"}` http://localhost:5555/auth/login

And drogon will crash: crash-f256

and here is the drogon console output:

20240816 04:28:55.244000 UTC 21080 DEBUG [main] Load config file - main.cc:18
20240816 04:28:55.246000 UTC 21080 DEBUG [main] running on localhost:5555 - main.cc:22
20240816 04:28:55.290000 UTC 21080 DEBUG [initAndStart] JWT initialized and Start - JwtPlugin.cc:7
20240816 04:29:02.548000 UTC 1324 DEBUG [parseJson] * Line 1, Column 1
  Syntax error: value, object or array expected.
 - HttpRequestImpl.cc:57

D:\path\drogonTest.exe (process 10180) exited with code -1073741819.
Press any key to close this window . . .

Impact

If a null JSON can bring down a server, then all website backends with Drogon are too vulnerable, imo.

I'm wondering: is this a bug, or is it designed this way (meaning all web servers in the world will crash on receiving a null JSON), or simply ignored for performance (one less null pointer check)?

Dich0tomy commented 2 weeks ago

Same with generally unparsable JSON. If there's no JSON at all, the shared ptr will just be null, which is fine, but once someone sends a JSON that doesn't parse, the whole thing just breaks down.

The biggest flaw here is that there's NO WAY to mitigate that, no exception to catch, no bool to check, it just straight up kills the thing...

Looking at the code again, I think the only way to do that for now is to get the .body() of a request, use some JSON library to check if it even parses, if no, send back some error or handle that differently, then actually do .jsonBody() to get it. Which reparses again, but there's no way to mitigate that otherwise.
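
The workaround described in the comment above (check that the raw body parses before asking the framework for the parsed JSON), as an added example that is not part of the thread and is not Drogon code. A small standard-library syntax checker stands in for "some json library"; `JsonCheck` and `bodyIsJson` are hypothetical names, and the nesting cap of 64 is an assumed limit.

```cpp
#include <cctype>
#include <string>
// Added example, not Drogon code: strict JSON syntax check, standard library only.
struct JsonCheck {
    const std::string &s; std::string::size_type i;
    bool more() const { return i < s.size(); }
    bool eat(char c) { if (more() && s[i] == c) { ++i; return true; } return false; }
    void ws() { while (eat(' ') || eat('\t') || eat('\n') || eat('\r')) {} }
    bool tok(char c) { ws(); return eat(c); }  // structural character after optional whitespace
    bool word(const char *w) { for (; *w; ++w) if (!eat(*w)) return false; return true; }
    bool digits() { auto b = i; while (more() && std::isdigit((unsigned char)s[i])) ++i; return i > b; }
    bool number() {
        eat('-');
        if ((!eat('0') && !digits()) || (eat('.') && !digits())) return false;
        if (eat('e') || eat('E')) { if (!eat('+')) eat('-'); return digits(); }
        return true;
    }
    bool escape() {  // the character(s) following a backslash
        if (!eat('u')) return more() && std::string("\"\\/bfnrt").find(s[i++]) != std::string::npos;
        for (int k = 0; k < 4; ++k) if (!more() || !std::isxdigit((unsigned char)s[i++])) return false;
        return true;
    }
    bool str() {
        if (!eat('"')) return false;
        while (more()) {
            unsigned char c = s[i++];
            if (c == '"') return true;
            if (c < 0x20 || (c == '\\' && !escape())) return false;  // control char or bad escape
        }
        return false;  // unterminated string
    }
    bool key() { ws(); return str() && tok(':'); }  // object member name and colon
    bool value(int depth) {
        ws();
        if (!more() || depth > 64) return false;  // nesting cap bounds recursion
        char c = s[i];
        if (c == '"') return str();
        if (c == 't' || c == 'f' || c == 'n') return word(c == 't' ? "true" : c == 'f' ? "false" : "null");
        if (!eat('{') && !eat('[')) return number();
        char close = (c == '{') ? '}' : ']';
        if (tok(close)) return true;  // empty object or array
        do {
            if ((c == '{' && !key()) || !value(depth + 1)) return false;
        } while (tok(','));
        return tok(close);
    }
};
// Hypothetical helper: run on the raw body and answer 400 on false before using parsed JSON.
bool bodyIsJson(const std::string &body) { JsonCheck c{body, 0}; return c.value(0) && (c.ws(), c.i == body.size()); }
```

A true result only means the body is syntactically valid JSON; the handler still has to confirm that the root is an object and that the fields it reads are present.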