
Re: Stick with XML ... JSON is a minefield of security risks a

  • From: Michael Kay <mike@saxonica.com>
  • To: "Costello, Roger L." <costello@mitre.org>
  • Date: Wed, 2 Nov 2016 11:35:46 +0000

To be fair, the paper is very unoriginal. As far as I can see all the weak points in the JSON specification have been known for years (e.g., unpaired surrogates, out-of-range numerics, duplicate keys, etc). Tim Bray's RFC 7159 documents all these issues and advises what software that reads or writes JSON should do to avoid interoperability problems, and all this paper does is to demonstrate what goes wrong if you don't follow Tim's advice. Many of the things in the paper are nothing to do with the spec, and are just bugs in implementations.

Michael Kay
Saxonica


On 2 Nov 2016, at 11:18, Costello, Roger L. <costello@mitre.org> wrote:

Hi Folks,

Excellent paper on JSON at last week’s Soft-Shake Conference in Geneva. (http://seriot.ch/parsing_json.html)

Below are some extracts from the paper.

But first, a lesson learned:

Simple is good but a simple, incomplete specification, such as the JSON specification, leads to security flaws, lack of interoperability, crashes and denial of services. Sometimes simple specifications just mean hidden complexity.

Out of over 30 JSON parsers, no two parsers parsed the same set of documents the same way.

JSON is not the easy, idealized format as many do believe.

Edge cases and maliciously crafted payloads can cause bugs, crashes and denial of services, mainly because JSON libraries rely on specifications that have evolved over time and that left many details loosely specified or not specified at all.

The conciseness of the grammar leaves many aspects undefined.

I [the author of the paper] wrote a corpus of JSON test files and documented how selected JSON parsers chose to handle these files … There were no two parsers that exhibited the same behavior, which may cause serious interoperability issues.

JSON is not a data format you can rely on blindly. I've demonstrated this by showing that the standard definition is spread out over at least six different documents (section 1), that the latest and most complete document, RFC-7159, is imprecise and contradictory (section 2), and by crafting test files that out of over 30 parsers, no two parsers parsed the same set of documents the same way (section 4).

As a final word, I keep on wondering why "fragile" formats such as HTML, CSS and JSON, or "dangerous" languages such as PHP or JavaScript became so immensely popular. This is probably because they are easy to start with by tweaking contents in a text editor, because of too liberal parsers or interpreters, and seemingly simple specifications. But sometimes, simple specifications just mean hidden complexity.
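The three loosely specified corners Michael Kay names above (duplicate keys, unpaired surrogates, out-of-range numerics) are exactly the ones RFC 7159 tells implementers to avoid. As an added example, not taken from the thread or from the paper, the wrapper below (hypothetical name `strict_loads`) uses the hooks of Python's standard `json` module to refuse such documents at the boundary instead of letting each parser pick its own behaviour; the 2**53 limit is the integer range that survives a round trip through an IEEE double.

```python
import json, math

JSON_SAFE_INT = 2 ** 53  # larger integers lose precision in parsers that use an IEEE double
class StrictJSONError(ValueError): pass  # document relies on a loosely specified corner

def _pairs_hook(pairs):
    # RFC 7159 only says names SHOULD be unique; parsers differ on which value wins.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise StrictJSONError(f"duplicate key {key!r}")
        obj[key] = value
    return obj

def _parse_int(token):
    if abs(int(token)) > JSON_SAFE_INT:  # lossy in any double-based parser
        raise StrictJSONError(f"integer {token} is outside the double-safe range")
    return int(token)

def _parse_float(token):
    if not math.isfinite(float(token)):  # e.g. 1e400 overflows to inf in Python
        raise StrictJSONError(f"number {token} does not fit an IEEE double")
    return float(token)

def _parse_constant(name):
    # NaN, Infinity and -Infinity are not JSON, yet json.loads accepts them by default.
    raise StrictJSONError(f"non-JSON literal {name}")

def _check_surrogates(value):
    # A lone \uD800-\uDFFF escape yields an unpaired surrogate; parsers reject, replace or mishandle it.
    if isinstance(value, str) and any(0xD800 <= ord(c) <= 0xDFFF for c in value):
        raise StrictJSONError("unpaired surrogate in string")
    if isinstance(value, dict):
        value = list(value.keys()) + list(value.values())
    if isinstance(value, list):
        for item in value:
            _check_surrogates(item)

def strict_loads(text):
    result = json.loads(text, object_pairs_hook=_pairs_hook, parse_int=_parse_int,
                        parse_float=_parse_float, parse_constant=_parse_constant)
    _check_surrogates(result)
    return result

def rejects(text):
    try:
        strict_loads(text)
    except StrictJSONError:
        return True
    return False
```

Run `rejects` over a corpus such as the paper's test files to see which inputs a plain `json.loads` would have silently accepted.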