Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security checks for Json() #25

Open
tamalsaha opened this issue Mar 21, 2019 · 3 comments
Open

Security checks for Json() #25

tamalsaha opened this issue Mar 21, 2019 · 3 comments
Labels
feedback needed

Comments

@tamalsaha
Copy link

tamalsaha commented Mar 21, 2019
edited

In Go's net/http ParseForm() method, the following checks are done:
https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1176

// For other HTTP methods, or when the Content-Type is not
// application/x-www-form-urlencoded, the request Body is not read, and
// r.PostForm is initialized to a non-nil, empty value.
//
// If the request Body's size has not already been limited by MaxBytesReader,
// the size is capped at 10MB.

Should the similar checks in Request body be done in Json() method, too?

  1. Check that request body content type is application/json ?
  2. Limit request body size to 10MB ?
@unknwon
Copy link
Contributor

unknwon commented Mar 21, 2019

JSON is stream parse, but form parse needs pre-read in https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1130:6 . MaxBytesReader is sufficient enough.

@tamalsaha
Copy link
Author

Sorry, I don't follow. Are you saying that Json() should use a MaxBytesReader to limit excess read?

@unknwon
Copy link
Contributor

unknwon commented Mar 22, 2019

In conclusion, yes!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feedback needed
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tamalsaha @unknwon