-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Unsafe" in UnsafeRelaxedJsonEscaping is misleading from a security standpoint, in both directions #87138
Comments
Tagging subscribers to this area: @dotnet/area-system-text-json, @gregsdennis Issue DetailsJSON is defined as a sequence of Unicode characters/code points (see both the RFC and ECMA standard), and as such, correct processing of JSON means all Unicode characters are "safe" to use in JSON. Having the word "Unsafe" in UnsafeRelaxedJsonEscaping is misleading from a security standpoint, in both directions:
There's nothing inherently "Unsafe" about a JSON document that contains characters from other scripts (such as Greek, Hebrew, Arabic, etc.) any more than English. The JSON RFC's security considerations section does not mention any risks with some scripts rather than others. The only risk here is with buggy code, but elsewhere .NET does not generally call something "Unsafe" if it meets the behavior of a standard. For example, we don't call it UnsafeProcess because if you pass an untrusted command line, bad things can happen, or UnsafeXmlSerializer, because if you fail to escape its output in a SQL command, bad things can happen. This terminology impacts the decision customers make. For example, consider a StackOverflow response on this question, and the following comment: By calling this encoding "unsafe," we cause folks to conclude it is, by definition, the wrong answer, rather than understanding that the alternative simply adds an extra layer of defense against failure to encode output properly or bugs in intermediate layers.
The default implementation does not escape * or /. If someone writes JSON as part of a source code file inside a multi-line comment, the JSON text produced by default is not safe - the JSON text can terminate the multi-line comment and be treated as executable source code. The same motivation for calling the other "Unsafe" with regards to embedding JSON in HTML and forgetting to escape it properly applies to the Default implementation, if the use is C/C#/C++ rather than HTML. The possible fixes here include both docs and APIs. In terms of docs, we can update them to make it explicit that "Unsafe" here is misleading and inconsistent. In terms of APIs, the existing "Unsafe" property name likely cannot be removed for back-compat reasons, so I think there are two possible solutions in code:
I tend to prefer the second option, specifically, a new "Unicode" property that does not escape any characters beyond the required ones (as suggested in #86800).
|
Also fixes dotnet#86800. Also fixes dotnet#87138 (except docs outside this repo).
Closing in favor of #87153. |
JSON is defined as a sequence of Unicode characters/code points (see both the RFC and ECMA standard), and as such, correct processing of JSON means all Unicode characters are "safe" to use in JSON.
Having the word "Unsafe" in UnsafeRelaxedJsonEscaping is misleading from a security standpoint, in both directions:
There's nothing inherently "Unsafe" about a JSON document that contains characters from other scripts (such as Greek, Hebrew, Arabic, etc.) any more than English. The JSON RFC's security considerations section does not mention any risks with some scripts rather than others. The only risk here is with buggy code, but elsewhere .NET does not generally call something "Unsafe" if it meets the behavior of a standard. For example, we don't call it UnsafeProcess because if you pass an untrusted command line, bad things can happen, or UnsafeXmlSerializer, because if you fail to escape its output in a SQL command, bad things can happen.
This terminology impacts the decision customers make. For example, consider a StackOverflow response on this question, and the following comment:
"Using an "unsafe" encoding is not the answer, the answer from ahsonkhan is correct"
By calling this encoding "unsafe," we cause folks to conclude it is, by definition, the wrong answer, rather than understanding that the alternative simply adds an extra layer of defense against failure to encode output properly or bugs in intermediate layers.
The default implementation does not escape * or /. If someone adds JSON output as part of a generated source file inside a multi-line comment, the JSON text produced by default is not safe - the JSON text can terminate the multi-line comment and be treated as executable source code. The same motivation for calling the other "Unsafe" with regards to embedding JSON in HTML and forgetting to escape it properly applies to the Default implementation, if the use is C/C#/C++ rather than HTML.
The possible fixes here include both docs and APIs.
In terms of docs, we can update them to make it explicit that "Unsafe" here is misleading and inconsistent.
In terms of APIs, the existing "Unsafe" property name likely cannot be removed for back-compat reasons, so I think there are two possible solutions in code:
I tend to prefer the second option, specifically, a new "Unicode" property that does not escape any characters beyond the required ones (as suggested in #86800).
The text was updated successfully, but these errors were encountered: