Skip to content
This repository has been archived by the owner on Nov 8, 2023. It is now read-only.

Valid JSON is blocked by Rule ID 15 #457

Closed
Punamu opened this issue Feb 20, 2019 · 6 comments · Fixed by wargio/naxsi#63
Closed

Valid JSON is blocked by Rule ID 15 #457

Punamu opened this issue Feb 20, 2019 · 6 comments · Fixed by wargio/naxsi#63
Assignees
@buixor
Labels
bug

Comments

@Punamu
Copy link

Punamu commented Feb 20, 2019
edited
Loading

Hi,

I have noticed, that the internal rule ID 15 blocks valid JSON bodies.

The following POST-bodies were tested on naxsi version 0.56 (nginx 1.10.3):

null, true, 1337, "some string", ["array", "of", "strings"], [{"test":123},{"test":123}]

It seems that only JSON objects like {"test":123} are passed through.
@buixor
Copy link
Contributor

buixor commented Mar 14, 2019

Hey @Punamu thanks for the issue, gonna have a quick look into it :)

@buixor buixor self-assigned this Mar 14, 2019
@buixor
Copy link
Contributor

buixor commented Mar 21, 2019

I did some tests and can confirm the issue.
I will keep you posted as soon as I have time to work on it.

In the meanwhile, if you feel diving into the json parser, feel free to do so, the code is in a separate file and rather trivial naxsi_json.c

@buixor buixor mentioned this issue May 7, 2019
Closed
@buixor buixor added the bug label May 7, 2019
@squedgy squedgy mentioned this issue Nov 15, 2019
Merged
wargio pushed a commit that referenced this issue Feb 12, 2020
@squedgy
Fixed issue #457 (#482)
15e58c3 
* Setup json scanning to allow for arrays as the parent type

* rather than assuming an object, just validate any json value

* keep as close to the original as possible

* Since all the validation comes within val we don't need to increment off. Initial tests seemed to work

* Fix formatting issue
@wargio wargio closed this as completed Feb 12, 2020
wargio referenced this issue in wargio/naxsi Mar 5, 2022
@squedgy @wargio
Fixed issue #457 (#482)
9372bff 
* Setup json scanning to allow for arrays as the parent type

* rather than assuming an object, just validate any json value

* keep as close to the original as possible

* Since all the validation comes within val we don't need to increment off. Initial tests seemed to work

* Fix formatting issue
@phoenixstudiodz
Copy link

Hello, I found another bug in the same file, it seems that it also cause blocking valid JSON, file was naxsi_json.c, in my case it was Number inside JSON sent from an Android app, the Number had values like 1.2E-10, it seems that the code checks only for 'e' and not 'E', the fix in my case was changing this line *(js->src + js->off) == 'e') && to *(js->src + js->off) == 'e' || *(js->src + js->off) == 'E') &&

@wargio
Copy link
Contributor

wargio commented Dec 14, 2022

nice find. i will fix it!

@wargio wargio mentioned this issue Dec 14, 2022
Merged
@wargio
Copy link
Contributor

wargio commented Dec 14, 2022

@phoenixstudiodz this has been fixed here: wargio/naxsi@a96f12c
Please beware that if you are using this repo, the current code is very broken and abandoned. If you want to keep receiving support and bugfixes please use my fork/repo.

@phoenixstudiodz
Copy link

OK, great, Thank you @wargio

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@buixor buixor

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixed json number validation loop to support properly exponentials wargio/naxsi
4 participants
@wargio @buixor @Punamu @phoenixstudiodz