pmuellr is Patrick Mueller, Senior Node Engineer at NodeSource.

other pmuellr thangs: home page, twitter, flickr, github

Tuesday, March 06, 2007

JSON array vulnerability

Robert Yates points to an odd vulernability of JSON, in at least Firefox, having to do with an overwritten, user-supplied Array constructor. Sigh.

Some thoughts:

  • I don't like JSON because it happens to be directly eval()-able by JavaScript (and maybe Python). I like it because it's fairly consise, textual, and contains the bare minimum set of primitive and composite data structures from which all manner of useful data structures can be built. Having it be eval()-able was just a nice-to-have. I have recommended to people they should never use eval() though. There are JSON decoders available for JSON. Do you really want to be subject to someone injecting a function invocation into your datastream?
  • Although I like JSON because it's consise, it can actually be made more consise, although rendering not legal JavaScript anymore. Perhaps that would be a good thing. :-) For instance, the commas separating array elements and key/value pairs seem to be completely extraneous. Likewise, quoting keys, for keys that contain non-special characters, is overkill. Fixing both of these would make JSON a lot more readable:

    Legal JSON:

    { "Image": { "Width":800, "Height":600, "Title":"View from 15th Floor", "Thumbnail": { "Url":"", "Height": 125, "Width": "100" }, "IDs":[ 116, 943, 234, 38793 ] } }

    Consise-r JSON:

    { Image: { Width:800 Height:600 Title:"View from 15th Floor" Thumbnail: { Url:"" Height: 125 Width: "100" } IDs:[ 116 943 234 38793 ] } }
  • Joe Walker notes the Array constructor vulnerability only occurs for JSON which has a top level array, and not for arrays included in a top level object, presumably because the interpreter balks at the object notation, considering it a code block instead. A code block with a quoted string followed by a colon in it, which is not legal JavaScript for a code block. However, I was able to get a JSON object, without quoted keys, to kick off the Array constructor vulnerability. Now I see why quoted keys are important. Presumably the non-quoted key looked like a code label. Did you know JavaScript has labels?
  • Uncle Ben says: "With great power ....". Sure, it's really nice to be able to add methods to built-in classes, override existing methods / constructors (classes), but ... there's a cost. I'm not sure the cost is worth it. Perhaps it's time we started thinking about moving some of the wild west capabilities out of JavaScript, or at least out of user-land JavaScript. Steve Northover had a great presentation years ago on the dangers of class extension in Smalltalk; for you youngsters, that would be the ability to add methods, etc to existing classes. One of the few things I dislike about Ruby. I should see if he still has that presentation around somewhere.
  • Perhaps it's time to take another look at YAML.
  • Flex is looking better every day.

As a complete aside, Robert added the info about the vulnerability in an update to a previous blog entry. That update never showed up as an update in Google Reader. Maybe because it's RSS, and not Atom? Bummer. Somehow Robert Sayre noticed the update, and I noticed Robert's entry.

No comments: