Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
neuroelectron 6 months ago

Been seeing these same problems in services for decades now. It's almost like they made these protocol languages exploitable on purpose.

CactusRocket 6 months ago | parent | next [-]

I think it's just kinda dumb parsing. E.g. JSON is an extremely simple spec. Most of those issues that the Go JSON parser has, are because of specific choices of the Go implementation, not about JSON. The fact that it allows case-insensitive key matching is just insane. Also that it parses invalid XML documents (with garbage) into valid structs without returning an error is very much a problem with the parser and not with XML.

cesarb 6 months ago | parent [-]

> The fact that it allows case-insensitive key matching is just insane.

It's probably a side effect of what is IMO another bad design of that language: letter casing determining field visibility, instead of using a keyword or a sigil. If your field has to be named "User" to be public, and the corresponding entry in the JSON has all-lowercase "user" as the key (probably because the JSON was defined first, and most languages have "field names start with lowercase" as part of their naming conventions), you have to either ignore case when matching, or manually map every field. They probably wanted to be "intuitive" and not require manual mapping.

jeroenhd 6 months ago | parent | next [-]

> If your field has to be named "User" to be public, and the corresponding entry in the JSON has all-lowercase "user" as the key

then you specify the key to be "user"? Isn't that the point of the ability to remap names? Except you can't, because you don't have a choice whether or not your data is deserialised with case sensitivity enabled or not.

I've written plenty of Rust code to turn camelCase into snake_case and "it's too much effort" has never been a problem. It's a minor bother that helps prevents real security issues like the ones listed in this article.

Even if you want to help lazy programmers, I don't think there's a good reason to confuse "User" and "uſER" by default.

TheDong 6 months ago | parent | prev [-]

I mean, one of the more silly things here is that even when you manually map, with the tag `json:"user"`, it still ignores the case of that while deserializing. It respects it while serializing though

v5v3 6 months ago | parent | prev [-]

Indeed...