Broken JSON serialization and JSON injection vulnerability #12
Comments
|
Is there a reason why you don't just use Jackson or GSON for handling JSON? |
|
Hi, |
|
I second this, any particular reason for using a custom JSON serializer when we have already have some amazing serializations libraries. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
General information
Issue description
The JSON serializer implementation does not properly JSON-encode string values. In fact, they are not encoded at all. See this critical line that constructs the JSON value (the right part after the colon) by just quoting the input string value and otherwise copying it unchanged:
https://github.com/paypal/paypalhttp_java/blob/master/paypalhttp/src/main/java/com/paypal/http/serializer/Json.java#L133
Combined with user-provided data, this allows JSON injection that leads to security vulnerabilities in the Checkout-Java-SDK library (e.g. manipulating
OrdersCreateRequestvia injection in user-provided address data) when no additional security measures are in place (e.g. restricting character sets or input lengths).I created a commit on a forked repo that shows this defect with two failing tests: j13z@3dce573
The text was updated successfully, but these errors were encountered: