
java - Remove Json Prefix in Response from particular API Spring boot - Stack Overflow


I have a Java Spring Boot project that basically has all the APIs to perform business logic and send data to the UI. We have used MappingJackson2HttpMessageConverter -> JsonPrefix to attach a prefix that makes the JSON invalid, as per the VAPT findings, to resolve an application vulnerability. The code for the same is below:

@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter();
        converter.setJsonPrefix(")]}',\n");
        converters.add(new StringHttpMessageConverter());
        converters.add(converter);   
    }
}

This works correctly and provides the response as expected. Attaching one sample response:

)]}',
{"error":null,"status":200,"message":"Success","body":{"id":null,"is_api_available":false}}

Now the problem is that there is a requirement where, for 2-3 particular APIs, I don't want this prefix to appear. So is there any way to achieve this?

I tried looking into the MappingJackson2HttpMessageConverter methods to see if there is any way, but I didn't find any. I also tried to print the value of List<HttpMessageConverter<?>> converters to see if I could get any particular info on which to base a condition, but nothing worked.

Update:

As suggested by @being_ethereal, it worked, just with a small difference in the method parameters due to a change in versions.

In my case the writePrefix method was overridden in the following way.

// request (HttpServletRequest) and excludedApis (List<String>) are fields of
// the converter subclass, as in the accepted approach below.
@Override
protected void writePrefix(JsonGenerator generator, Object object) throws IOException {
    if (!excludedApis.contains(request.getRequestURI())) {
        generator.writeRaw(")]}',\n");
    }
}

asked Mar 3 at 16:27 by Malav Shah; edited Mar 3 at 19:24
  • How does creating invalid JSON resolve a VAPT issue? – Andrew S Commented Mar 3 at 17:27
  • It was a low alert stating that the site can be crawled. I am not sure how this helps, as someone who is there to get the data can simply write code to ignore those characters! – Malav Shah Commented Mar 3 at 18:01
  • If it's a public site (no login), then yes it could be crawled. Sounds like a false positive, and complicating the code to resolve a false positive is not useful. – Andrew S Commented Mar 3 at 19:58
  • There are some functionalities where login is not required. Still, I will discuss it once with the security team – Malav Shah Commented Mar 4 at 3:49

2 Answers


You could implement a custom converter which takes a request object and maintains a list of request URIs where you don't want to include the prefix:

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;

import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.HttpServletRequest; // javax.servlet.http.HttpServletRequest on Spring Boot 2.x
import org.springframework.http.HttpOutputMessage;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.util.StreamUtils;

public class CustomRespConverter extends MappingJackson2HttpMessageConverter {

    // Spring injects a request-scoped proxy here, so a singleton converter
    // still sees the request currently being served.
    private final HttpServletRequest request;
    // getRequestURI() includes the servlet context path; adjust these entries
    // if the application is not deployed at "/".
    private final List<String> excludedApis = List.of("/api/excluded1", "/api/excluded2");

    public CustomRespConverter(ObjectMapper objectMapper, HttpServletRequest request) {
        super(objectMapper);
        this.request = request;
    }

    // Emit the anti-hijacking prefix for every endpoint except the excluded ones.
    // In current Spring Framework releases the hook is
    // writePrefix(JsonGenerator generator, Object object), as in the question's update.
    @Override
    protected void writePrefix(HttpOutputMessage outputMessage) throws IOException {
        if (!excludedApis.contains(request.getRequestURI())) {
            StreamUtils.copy(")]}',\n".getBytes(StandardCharsets.UTF_8), outputMessage.getBody());
        }
    }
}

You can also make this class a @Component and import the list of excluded APIs from the properties. After this, add and pass the HttpServletRequest request object from the WebConfig config class:

    private final HttpServletRequest request;

    public WebConfig(HttpServletRequest request) {
        this.request = request;
    }

    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        // A bare new ObjectMapper() ignores Spring Boot's auto-configured mapper
        // (registered modules, date format, jackson.* properties); inject the
        // ObjectMapper bean instead if that configuration must be kept.
        ObjectMapper objectMapper = new ObjectMapper();
        converters.add(new CustomRespConverter(objectMapper, request));
    }

Try this method and let me know if it works or not! I tried a similar method for another use-case and my code has been working for almost 5 years.
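The prefix discussed in the question exists to stop JSON hijacking: a hostile page can only read a cross-origin response if the browser executes it as a script, and `)]}',` is a syntax error at the start of any script. The JavaScript below is an added illustration written for this page, not code from the question or either answer. It compiles sample response bodies the way a script parser would, to show which response shapes are actually exploitable once the prefix is dropped for an endpoint, and includes the client-side parser a UI needs when some endpoints carry the prefix and others do not. The response bodies are constructed samples modelled on the one in the question; `isParseableAsScript` and `parseGuardedJson` are names chosen here.

```javascript
// Added example (not from the question or answers): why the ")]}',\n"
// prefix defuses JSON hijacking, and how a client copes with a mix of
// prefixed and unprefixed endpoints.
const JSON_PREFIX = ")]}',\n";

// Constructed sample responses, modelled on the shape shown in the question.
const PREFIXED_RESPONSE = JSON_PREFIX +
  '{"error":null,"status":200,"message":"Success","body":{"id":null,"is_api_available":false}}';
const PLAIN_RESPONSE =
  '{"error":null,"status":200,"message":"Success","body":{"id":7,"is_api_available":true}}';
// A top-level array is the classic hijack target: it is a valid script on its own.
const PLAIN_ARRAY_RESPONSE = '[{"id":1,"email":"user@example.test"}]';

// Would this body execute if a hostile page pulled it in via <script src=...>?
// Compiling it as a function body stands in for the browser's script parser:
// a SyntaxError means the browser would refuse to run it.
function isParseableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Client-side counterpart of the server's conditional prefix: strip the guard
// only when it is present at offset 0, then parse the remainder as JSON.
function parseGuardedJson(body) {
  const payload = body.startsWith(JSON_PREFIX) ? body.slice(JSON_PREFIX.length) : body;
  return JSON.parse(payload);
}
```

Only a top-level array compiles as a script; a top-level object literal already fails, because `{` opens a block and `"error":` is not a valid label. That is why the classic attack targeted array responses (and the overridable Array constructor of older browsers), and why excluding an endpoint that returns an object is far less of a concession than excluding one that returns a bare array. Angular's HttpClient strips this exact prefix automatically, so a UI built on it needs no change when some endpoints omit it.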

You can try implementing your own MessageConverter which will determine for what packages it should be used, as is done here:

https://stackoverflow.com/a/36689772/9956901
