Re: [Json] Nested JSON encoding style too likely to be insecure

Phillip Hallam-Baker <ietf@hallambaker.com> Tue, 23 February 2016 13:21 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: json@ietfa.amsl.com
Delivered-To: json@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA52D1B2BD7 for <json@ietfa.amsl.com>; Tue, 23 Feb 2016 05:21:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ug6fmt2Eu32V for <json@ietfa.amsl.com>; Tue, 23 Feb 2016 05:21:13 -0800 (PST)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 855B91B2BD4 for <json@ietf.org>; Tue, 23 Feb 2016 05:21:13 -0800 (PST)
Received: by mail-lb0-x230.google.com with SMTP id bc4so100599918lbc.2 for <json@ietf.org>; Tue, 23 Feb 2016 05:21:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=JTafPuQKaILDo89/eP8bnejaR5SbxqbYzNIPo8VNQWc=; b=Rb/O0lq7BQl2VsNlfAIcLwhkj3gpp1wGNfZCm2GJ8R92IR2WwiPGVTFS1+VWMSf62Y vt60wIIwoJj/q8aMOph7oqZ98ihZzKrYHfekXBFgfjVLe5cGoOtidIarGlX3HqCRNk71 mSOFpFN/F3ap7Apx4wAHGE43Syqzc7scegbph9NW3JMM9Ns0aqTb+K/mC6iTieuEuNq0 UvoVJnu1NdoDINE7kEn/XfmXg8frVFXlTmHpH71rFiV6xcbenXyCfbyPIO+uTf5G8Ah9 G4/BhoNMzMljyIBcp5/r4HW/pLc+p50ZUk/EgdopMtqGRGecQqcAs1/fCfKi39RcIo8b vmtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=JTafPuQKaILDo89/eP8bnejaR5SbxqbYzNIPo8VNQWc=; b=X0spJIpxiwrYZGhXS3ALN7qeQgX8oaGdaI+YsroB5l4GDP/0oQp5N0zTtQ6h6FcStt zAFwdukWf0WLY7TwaFwtdJEjYRB9/AsaYfcnKaEBP/IDUjOFbf7LRWPZ5vdziODz2dL7 ZOlzjaKziAEeGMbn3dAd1KiFGszcSy4pqS0Atp84bANSIniBFcq8guKr9vkAis5FaAfE +GWNanYioAeRXS4BG/DadmGBmAOKDKQOxfUH/mefPdA0HzIvfgdXz2QtCbF29TI0/MmH Iznin8zQ5XD1qlzaj/HxFhopKzQcoW2vIdnSTzjQqM+drgXXW1Wmy5em4hX51Kx8jd5B 7GkA==
X-Gm-Message-State: AG10YOTx97wKEiohuw7mnYv7woqMEtPGjhWctiyZyxrybAN88G2D2VPJ3lpo3xRHrGT1TgS8jQQimDuso0woEA==
MIME-Version: 1.0
X-Received: by 10.112.30.144 with SMTP id s16mr12245935lbh.112.1456233671758; Tue, 23 Feb 2016 05:21:11 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.49.80 with HTTP; Tue, 23 Feb 2016 05:21:11 -0800 (PST)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E13BBADBF6C2@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E13BBADBF674@WSMSG3153V.srv.dir.telstra.com> <CAMm+LwjwWEmJqcicdwZ+fE3+XMamoDF8RfCMLRz75MpFB=tiWg@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E13BBADBF6C2@WSMSG3153V.srv.dir.telstra.com>
Date: Tue, 23 Feb 2016 08:21:11 -0500
X-Google-Sender-Auth: w3VUmKv5GZfOKglcWG2S_AbhTQ4
Message-ID: <CAMm+LwgsOMFGv3Ts=CZghwwdv2teiviDCC+0E2u4EO+S5WR3Tw@mail.gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/json/8g10Lt4SRuKJDX2azNrN_ajEUnQ>
Cc: "json@ietf.org" <json@ietf.org>
Subject: Re: [Json] Nested JSON encoding style too likely to be insecure
X-BeenThere: json@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "JavaScript Object Notation \(JSON\) WG mailing list" <json.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/json>, <mailto:json-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/json/>
List-Post: <mailto:json@ietf.org>
List-Help: <mailto:json-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/json>, <mailto:json-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 13:21:15 -0000

On Tue, Feb 23, 2016 at 1:08 AM, Manger, James
<James.H.Manger@team.telstra.com> wrote:
>> You need to limit the toplevel to one element. That is fairly easy to do though.
>
> Easy to do; but even easier not to do. Does your code already do this?
> This is not the sort of check I want to rely on developers making. It is not obvious that the check is needed; certainly not from looking at a few sample messages.
>
> Checking there is only 1 top-level element can't be done until you get to the end of the first element’s value — which seems to clash with your rationale for the nested style.
>
> A JSON array still looks better.

Lets look at the 'attack' you are proposing here - a maliciously
formatted request. Does it really make sense?

This isn't the normal buffer overrun type malicious request, you are
postulating one of the requests is valid and the other isn't. How is
an attacker meant to inject the second attack?