
Security checks for Json() #25

Open

tamalsaha opened this issue Mar 21, 2019 · 3 comments

Comments

tamalsaha commented Mar 21, 2019

In Go's net/http ParseForm() method, the following checks are done:
https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1176

// For other HTTP methods, or when the Content-Type is not
// application/x-www-form-urlencoded, the request Body is not read, and
// r.PostForm is initialized to a non-nil, empty value.
//
// If the request Body's size has not already been limited by MaxBytesReader,
// the size is capped at 10MB.

Should similar checks on the request body be done in the Json() method, too?

  1. Check that the request body content type is application/json?
  2. Limit the request body size to 10MB?

unknwon (Contributor) commented Mar 21, 2019

JSON is stream parsed, but form parsing needs a pre-read in https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1130:6 . MaxBytesReader is sufficient.

tamalsaha (Author) commented

Sorry, I don't follow. Are you saying that Json() should use a MaxBytesReader to limit excess read?

unknwon (Contributor) commented Mar 22, 2019

In conclusion, yes!
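
To make the conclusion of the thread concrete, here is an added Go example (it is not code from the issue or from the project being discussed) of a Json()-style binder that applies both checks raised above: the Content-Type must parse to application/json, and the body is wrapped in http.MaxBytesReader before the streaming decoder touches it, so unlike ParseForm's pre-read there is never a full copy of the body in memory and the decoder simply stops at the cap. It also rejects a value that is followed by further data, since a streaming decoder would otherwise accept "{}garbage" as "{}". The names DecodeJSON, Payload and bind, the 10MB DefaultMaxJSONBody constant borrowed from ParseForm's cap, and the sample bodies are all this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DefaultMaxJSONBody mirrors the 10MB cap net/http's ParseForm applies when the
// body has not already been limited by MaxBytesReader (assumed default here).
const DefaultMaxJSONBody int64 = 10 << 20

var (
	ErrContentType  = errors.New("unsupported Content-Type: want application/json")
	ErrBodyTooLarge = errors.New("request body too large")
	ErrTrailingData = errors.New("request body contains data after the JSON value")
)

// DecodeJSON is a hypothetical Json()-style binder written for this issue.
// It checks the media type (parameters such as charset are allowed), caps the
// body with http.MaxBytesReader so the decoder can read at most `limit` bytes,
// and refuses bodies that carry anything after the first JSON value.
func DecodeJSON(w http.ResponseWriter, r *http.Request, dst interface{}, limit int64) error {
	mediaType, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mediaType != "application/json" {
		return ErrContentType
	}
	// Once the limit is crossed MaxBytesReader returns "http: request body too
	// large" and, on a real server, also asks it to close the connection.
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	dec := json.NewDecoder(r.Body)
	if err := dec.Decode(dst); err != nil {
		if isTooLarge(err) {
			return ErrBodyTooLarge
		}
		return err
	}
	// A second Decode must hit EOF; anything else is trailing content.
	if err := dec.Decode(&struct{}{}); err != io.EOF {
		if isTooLarge(err) {
			return ErrBodyTooLarge
		}
		return ErrTrailingData
	}
	return nil
}

// isTooLarge matches MaxBytesReader's error by its message, which is stable
// across Go versions (Go 1.19+ additionally exposes *http.MaxBytesError).
func isTooLarge(err error) bool {
	return err != nil && err.Error() == "http: request body too large"
}

// Payload is a constructed request type used only for this demonstration.
type Payload struct {
	Name string `json:"name"`
	Age  int    `json:"age"`
}

// bind builds an in-memory POST (constructed input, no network) with the
// given Content-Type and body and runs DecodeJSON over it with `limit`.
func bind(contentType, body string, limit int64) (Payload, error) {
	var p Payload
	req := httptest.NewRequest(http.MethodPost, "/json", strings.NewReader(body))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	err := DecodeJSON(httptest.NewRecorder(), req, &p, limit)
	return p, err
}

func main() {
	cases := []struct {
		ct, body string
		limit    int64
	}{
		{"application/json; charset=utf-8", `{"name":"bob","age":7}`, DefaultMaxJSONBody},
		{"text/plain", `{"name":"bob","age":7}`, DefaultMaxJSONBody},
		{"application/json", `{"name":"` + strings.Repeat("A", 64) + `"}`, 32},
		{"application/json", `{"name":"bob"} {"name":"eve"}`, DefaultMaxJSONBody},
	}
	for _, c := range cases {
		p, err := bind(c.ct, c.body, c.limit)
		fmt.Printf("ct=%-34q limit=%-9d -> %+v err=%v\n", c.ct, c.limit, p, err)
	}
}
```

Two details worth noting: the size check is against the real limit, not ContentLength, because a client can lie about or omit the length and still stream an unbounded body; and the error is matched by message rather than by a type assertion so the helper compiles on Go versions older than 1.19 as well as newer ones.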

No branches or pull requests

2 participants