Open powof2 opened 1 month ago
Same with generally unparsable JSON. If there's no JSON at all, the shared ptr will just be null, which is fine, but once someone sends JSON that doesn't parse, the whole thing just breaks down.
The biggest flaw here is that there's NO WAY to mitigate that: no exception to catch, no bool to check, it just straight up kills the thing...
Looking at the code again, I think the only way to do that for now is to get the .body() of a request, use some JSON library to check if it even parses, and if not, send back some error or handle that differently, then actually do .jsonBody() to get it. Which reparses again, but there's no way to mitigate that otherwise.
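The pre-check described in the comment above, as an added example that is not part of the original thread or of Drogon's own code: validate the raw request body before the JSON accessor ever sees it, and answer 400 instead of parsing anything that is empty, malformed, or (as a deliberate policy for handlers that look fields up by name) not a top-level object. The JsonChecker class is a minimal stand-in written so the example runs offline with no dependencies; in a real handler the same question would be put to Drogon's JSON library (jsoncpp) on req->body(), and only a body that passes would be handed to req->jsonBody(). The names JsonChecker, BodyCheck, checkJsonBody and statusFor are invented here, and every input used with them is constructed for the example.

```cpp
#include <cctype>
#include <cstddef>
#include <string_view>

// Minimal recursive-descent JSON syntax checker, written for this example only.
// It answers "does this body parse as exactly one JSON value?"; a real Drogon
// handler would ask the project's JSON library (jsoncpp) the same question.
class JsonChecker {
public:
    explicit JsonChecker(std::string_view s) : s_(s) {}
    // True only if the whole input is exactly one well-formed JSON value.
    bool valid() {
        skipWs();
        if (!value()) return false;
        skipWs();
        return pos_ == s_.size();  // trailing garbage such as "{} x" is invalid
    }
private:
    std::string_view s_;
    std::size_t pos_ = 0;
    bool eof() const { return pos_ >= s_.size(); }
    char peek() const { return eof() ? '\0' : s_[pos_]; }
    static bool isDigit(char c) { return std::isdigit(static_cast<unsigned char>(c)) != 0; }
    void skipWs() { while (!eof() && std::isspace(static_cast<unsigned char>(s_[pos_]))) ++pos_; }
    void digits() { while (isDigit(peek())) ++pos_; }
    bool literal(std::string_view lit) {
        if (s_.substr(pos_, lit.size()) != lit) return false;
        pos_ += lit.size(); return true;
    }
    bool value() {
        switch (peek()) {
            case '{': return container('}', /*isObject=*/true);
            case '[': return container(']', /*isObject=*/false);
            case '"': return string();
            case 't': return literal("true");
            case 'f': return literal("false");
            case 'n': return literal("null");
            default:  return number();
        }
    }
    bool container(char close, bool isObject) {
        ++pos_;  // consume the opening bracket
        skipWs();
        if (peek() == close) { ++pos_; return true; }
        for (;;) {
            skipWs();
            if (isObject) {  // objects need "key": before each value
                if (peek() != '"' || !string()) return false;
                skipWs(); if (peek() != ':') return false;
                ++pos_; skipWs();
            }
            if (!value()) return false;
            skipWs();
            if (peek() == ',') { ++pos_; continue; }
            if (peek() == close) { ++pos_; return true; }
            return false;
        }
    }
    bool string() {
        ++pos_;  // consume the opening quote
        while (!eof()) {
            char c = s_[pos_++];
            if (c == '"') return true;
            if (c == '\\') { if (eof()) return false; ++pos_; }           // skip escaped char
            else if (static_cast<unsigned char>(c) < 0x20) return false;  // raw control char
        }
        return false;  // unterminated string
    }
    bool number() {
        if (peek() == '-') ++pos_;
        if (!isDigit(peek())) return false;
        digits();
        if (peek() == '.') { ++pos_; if (!isDigit(peek())) return false; digits(); }
        if (peek() == 'e' || peek() == 'E') {
            ++pos_; if (peek() == '+' || peek() == '-') ++pos_;
            if (!isDigit(peek())) return false; digits();
        }
        return true;
    }
};

enum class BodyCheck { Ok, Empty, Malformed, NotObject };  // outcome of the pre-check

// Validate the raw body (what Drogon's req->body() returns) before calling the
// JSON accessor. Handlers that look fields up by name should also insist on a
// top-level object, so a bare "null" or a number is turned away here as well.
BodyCheck checkJsonBody(std::string_view rawBody, bool requireObject) {
    std::size_t i = 0;
    while (i < rawBody.size() && std::isspace(static_cast<unsigned char>(rawBody[i]))) ++i;
    if (i == rawBody.size()) return BodyCheck::Empty;
    if (!JsonChecker(rawBody).valid()) return BodyCheck::Malformed;
    if (requireObject && rawBody[i] != '{') return BodyCheck::NotObject;
    return BodyCheck::Ok;
}

// HTTP status to send back: only a body that passed every check reaches the real parser.
int statusFor(BodyCheck c) { return c == BodyCheck::Ok ? 200 : 400; }
```

The cost the comment mentions is real: the body is scanned once by the pre-check and again by the real parser. For request bodies of ordinary size that is cheap compared with losing the process, and the check can be placed in a filter in front of every JSON route rather than repeated in each handler.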
Summary
Drogon (1.9.6) will crash if the client sends invalid/null JSON.
Details
Send this to Drogon on Windows:
And Drogon will crash:
And here is the Drogon console output:
Impact
If a null JSON can bring down a server, then all website backends built with Drogon are vulnerable too, imo.
I'm wondering: is this a bug, or is it designed this way (meaning all web servers in the world will crash on receiving a null JSON), or simply ignored for performance (one less null pointer check)?