JSON parsing and security


Problem description

Our infrastructure is using Python for everything in the backend and Javascript for our "front-end" (it's a library we serve to other sites). The communication between the different components of the infrastructure is done via JSON messages.

In Python, json.load() and json.dump() are a safe way of dealing with a JSON string. In Javascript, JSON.parse() would be used instead. But these functions only guarantee that the string has a proper JSON format, am I right?

If I'm concerned about injection attacks, I would need to sanitize every field of the JSON by other means. Am I right in this assumption? Or, just by using the previously mentioned functions, would we be safe?

Recommended answer

There is no such thing as sanitized and unsanitized data, without context.

Data is only considered unsafe if user-controlled data is used in a context where it has special meaning.

e.g. ' in SQL, and <script> in HTML.

Contrary to <script> in SQL, which is completely safe.

The upshot is to encode/sanitize when the data is used, not when it is received from JSON.
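The following Python example illustrates the answer's point. It is added here and is not code from the original post. It uses a constructed JSON message whose fields are perfectly valid JSON yet contain a single quote and a script tag, then shows that json.loads accepts them unchanged, and that the protection belongs at each point of use: bound parameters for the SQL context and html.escape for the HTML context. The table name, column names and the demo() helper are assumptions made for the example.

```python
import json
import html
import sqlite3

# Constructed sample message (not from the original post): the field values are
# valid JSON strings, but contain characters with special meaning in SQL (')
# and in HTML (<script>).
RAW_MESSAGE = '{"username": "o\'brien", "bio": "<script>alert(1)</script>"}'


def parse_message(raw: str) -> dict:
    """json.loads only checks that the text is well-formed JSON.
    It makes no promise about what the decoded strings contain."""
    return json.loads(raw)


def store_user(conn: sqlite3.Connection, msg: dict) -> int:
    """SQL context: pass the values as bound parameters, so a quote in the
    data is stored as data and can never terminate the string literal.
    (Table and column names are assumptions for this example.)"""
    cur = conn.execute(
        "INSERT INTO users (username, bio) VALUES (?, ?)",
        (msg["username"], msg["bio"]),
    )
    return cur.lastrowid


def render_profile(msg: dict) -> str:
    """HTML context: escape at the moment the value is placed into markup,
    so '<', '>', '&' and quotes are displayed as text, not parsed as tags."""
    return "<p>{}</p><p>{}</p>".format(
        html.escape(msg["username"]), html.escape(msg["bio"])
    )


def demo() -> tuple:
    """Parse the message once, then use the same field in two contexts,
    each with its own context-specific encoding."""
    msg = parse_message(RAW_MESSAGE)
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)"
    )
    store_user(conn, msg)
    stored = conn.execute("SELECT username, bio FROM users").fetchone()
    page = render_profile(msg)
    return stored, page


if __name__ == "__main__":
    stored_row, html_page = demo()
    print("stored in SQL:", stored_row)
    print("rendered HTML:", html_page)
```

Note that the stored row still contains the literal quote and the literal script tag: the database is not the place where those characters are dangerous, so nothing is stripped there. Only the HTML rendering path encodes them, because that is the context where they would be interpreted.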

