scotty-web / scotty

Haskell web framework inspired by Ruby's Sinatra, using WAI and Warp (Official Repository)
http://hackage.haskell.org/package/scotty
BSD 3-Clause "New" or "Revised" License
1.72k stars 133 forks source link

Configure XSRF prefix for json responses #121

Open alexanderkjeldaas opened 10 years ago

alexanderkjeldaas commented 10 years ago

Angular will automatically strip ")]}',\n" from json responses.

https://docs.angularjs.org/api/ng/service/$http http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/

sol commented 10 years ago

@alexanderkjeldaas What do you suggest to do here? Do you want a way to register a postprocessor for json responses? E.g.

tranformJSON :: (ByteString -> ByteString) -> ActionM ()

that can then be used like so:

main = scotty 3000 $ do

  tranformJSON (")]}',\n" <>)

  get "/" $ do
    json [23 :: Int, 42]
alexanderkjeldaas commented 10 years ago

Yes, something like that. With a focus on ensuring that it is unlikely that an uprotected json response will be sent in a large application.

sol commented 10 years ago

With a focus on ensuring that it is unlikely that an uprotected json response will be sent in a large application.

What do you have in mind here? AFAIK, sending JSON objectss is fine. So if the user already follows the convention to always wrap things in a top-level object, no mitigation is needed. I assumed it's on the users discretion to enable any form of mitigation.

An other approach would be to check if the provided JSON Value is an object. If it is not an object, we could wrap it (e.g. {"value" : ...}). Not sure if that is desirable?