Open sairus7 opened 1 year ago
@quinnj ping. This is actually a pretty bad security vulnerability. Imagine that we have a server and a client:
```julia
# Server
using Oxygen, JSON3, HTTP

# Define a POST route to read JSON data
@post "/data" function(req::HTTP.Request)
    # Parse the request body as JSON
    json_data = JSON3.read(String(req.body))
    # Process the JSON data as needed
    println("Received JSON data:", json_data)
    # Return a simple response
    return Dict("status" => "success", "message" => json_data)
end

serve()
```
If we send

```sh
$ curl -X POST -H "Content-Type: application/json" -d '{"test": 123}' http://127.0.0.1:8080/data
{"status":"success","message":{"test":123}}
```

This is alright. If we have a file on the server called `~/sensitive.json` which contains

```json
{"super_secret_password": "abcdefg"}
```

we can send a request such that

```sh
$ curl -X POST -H "Content-Type: application/json" -d 'sensitive.json' http://127.0.0.1:8080/data
{"status":"success","message":{"super_secret_password":"abcdefg"}}
```
See how this is done for TOML, for example. It's either `parsefile`/`tryparsefile` or `parse`/`tryparse`. The decision of whether it's a file path or a TOML string is done by the caller!
Same for YAML: https://github.com/JuliaData/YAML.jl/blob/master/src/YAML.jl
Cross ref https://github.com/quinnj/JSON3.jl/issues/95
The solutions could be many:

- `read_file` and `read`. One reads a file and the other reads a string with the contents of the file, as TOML and YAML already do. Disallow reading from a file in `read`.
- `readfile=false`. Backwards compatible but not really the nicest.
- Keep `read` functionality as-is and add `read_file` and `read_string`.

I'm happy to file a PR once we agree on a solution.
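To make the API-design point concrete independently of JSON3.jl's internals, here is an added example (not code from this issue, from JSON3.jl, or from any of the packages mentioned). It uses Python's standard `json` module as a stand-in parser and constructs a toy `ambiguous_read` that, like the behaviour reported above, treats any string that names an existing file as a path. The `/data` handler from the report is mirrored as `handle_post`, and `read_string`/`read_file` implement the split proposed in the thread; all of these function names, and the temporary `sensitive.json` it writes, are assumptions made for the example.

```python
"""Added example: a parser API that guesses "path or document?" on behalf of
the caller, versus two functions where the caller decides."""
import json
import os
import tempfile


def ambiguous_read(s: str):
    """Toy mirror of the problematic design (assumption for this example):
    the library decides whether `s` is a file path or a document.
    Any route that passes attacker-controlled text here becomes a file reader."""
    if os.path.isfile(s):
        with open(s, encoding="utf-8") as f:
            return json.load(f)
    return json.loads(s)


def read_string(s: str):
    """Hardened form: only ever parses the text it is given."""
    return json.loads(s)


def read_file(path: str):
    """Hardened form: only ever reads a file; choosing this is the caller's decision."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def handle_post(body: bytes, parser) -> dict:
    """The /data route from the report, parameterised over the parser used."""
    try:
        data = parser(body.decode("utf-8"))
    except (ValueError, OSError) as e:  # json.JSONDecodeError is a ValueError
        return {"status": "error", "message": type(e).__name__}
    return {"status": "success", "message": data}


def demo() -> tuple:
    """Runs the four cases and returns their responses:
    (normal request, leaked secret, hardened handler, explicit missing file)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: a secret file in the server's working directory.
        with open(os.path.join(tmp, "sensitive.json"), "w", encoding="utf-8") as f:
            f.write('{"super_secret_password": "abcdefg"}')
        cwd = os.getcwd()
        os.chdir(tmp)
        try:
            # A well-formed JSON body parses as expected.
            normal = handle_post(b'{"test": 123}', ambiguous_read)
            # A body that merely names a file on the server leaks its contents.
            leaked = handle_post(b"sensitive.json", ambiguous_read)
            # With read_string the same body is just invalid JSON.
            hardened = handle_post(b"sensitive.json", read_string)
            # With read_file a missing file is a clear file error, not a parse error.
            missing = handle_post(b"missing.json", read_file)
        finally:
            os.chdir(cwd)
    return normal, leaked, hardened, missing


if __name__ == "__main__":
    for label, resp in zip(("normal", "leaked", "hardened", "missing"), demo()):
        print(f"{label}: {resp}")
```

The second case is the request from the report: nothing about the body is JSON, yet the handler returns the file's contents, and the only thing the attacker needed was a filename that exists relative to the server process. The third and fourth cases show why the thread's proposed split also addresses the last comment below: with separate functions, invalid JSON and a missing file each fail with the error that actually describes the problem.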
Because of this, I get a read error for any non-existent file, and maybe some incorrect behaviour for file names that match JSON.