Is it advisable to utilize jQuery's parseJSON/getJSON functions?

Question

Is it advisable to utilize jQuery's parseJSON/getJSON functions?

Upon examining the jQuery parseJSON function, I discovered that it essentially performs a basic regex validation:

parseJSON: function( data ) {
    if ( typeof data !== "string" || !data ) {
        return null;
    }

    // Remove leading/trailing whitespace to accommodate IE limitations
    data = jQuery.trim( data );

    // Validate incoming data as JSON
    // Adapted from http://json.org/json2.js
    if ( /^[\],:{}\s]*$/.test(data.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
        .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
        .replace(/(?:^|:|,)(?:\s*\[)+/g, "")) ) {

        // Attempt to use native JSON parser for modern browsers
        return window.JSON && window.JSON.parse ?
            window.JSON.parse( data ) :
            (new Function("return " + data))();

    } else {
        jQuery.error( "Invalid JSON: " + data );
    }
},

If the check passes and if the browser is current, it utilizes the native JSON parser. In the case of older browsers like IE6, a new function is employed to return the object.

Question #1: Given that this method relies on a straightforward regex test, could it potentially be vulnerable to obscure edge-case exploits? Would it be wiser to implement a comprehensive parser, especially for browsers lacking native JSON support?

Question #2: How secure is

(new Function(" return " + data ))()

compared to eval("(" + text + ")")?

javascript json parsing

Answer 1

Answer №1

It's worth noting that jQuery's JSON parser incorporates the logic from json2.js to verify the validity of a JSON string, making it as secure as other commonly used non-native parsers which are already quite strict:

// The second stage involves running regular expressions to detect non-JSON patterns such as '()' and 'new' 
// that could lead to function invocation or assignment,
// amongst others.
// Despite its inefficiency, we break this process into 4 steps due to limitations in IE and Safari's regex engines. 
// We first replace JSON backslash pairs with '@', 
// then tokenize simple values to ']'. Next, we eliminate open brackets following a colon, comma, or at the start of the text. Finally, 
// we ensure the remaining characters consist only of whitespace, ']', ',', ':', '{', or '}'. If so, the text is deemed safe for eval.

if (/^[\],:{}\s]*$/.
test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').
replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']').
replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {

I find it puzzling why jQuery performs regex operations before checking for a native implementation to validate JSON grammar since using a native approach could potentially boost performance if available.

Another query similar to question 2 has been addressed effectively by bobince on Stack Overflow:

In terms of language quirks rather than security concerns, there's a slight preference for new Function over eval. Although both are equally unreliable with untrusted input, assuming your web app doesn't encounter untrustworthy JSON strings. This distinction affects how well optimizations can be applied.

For further insights, read an excerpt from John Resig presented in Nick Craver's response.

Answer 2

It's worth noting that jQuery's JSON parser incorporates the logic from json2.js to verify the validity of a JSON string, making it as secure as other commonly used non-native parsers which are already quite strict:

// The second stage involves running regular expressions to detect non-JSON patterns such as '()' and 'new' 
// that could lead to function invocation or assignment,
// amongst others.
// Despite its inefficiency, we break this process into 4 steps due to limitations in IE and Safari's regex engines. 
// We first replace JSON backslash pairs with '@', 
// then tokenize simple values to ']'. Next, we eliminate open brackets following a colon, comma, or at the start of the text. Finally, 
// we ensure the remaining characters consist only of whitespace, ']', ',', ':', '{', or '}'. If so, the text is deemed safe for eval.

if (/^[\],:{}\s]*$/.
test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').
replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']').
replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {

I find it puzzling why jQuery performs regex operations before checking for a native implementation to validate JSON grammar since using a native approach could potentially boost performance if available.

Another query similar to question 2 has been addressed effectively by bobince on Stack Overflow:

In terms of language quirks rather than security concerns, there's a slight preference for new Function over eval. Although both are equally unreliable with untrusted input, assuming your web app doesn't encounter untrustworthy JSON strings. This distinction affects how well optimizations can be applied.

For further insights, read an excerpt from John Resig presented in Nick Craver's response.

Answer 3

Answer №2

For secure JSON parsing, it is recommended to utilize the JSON.parse method. By including the script json2.js from http://www.json.org/js.html, this method becomes accessible and is automatically integrated with functions like parseJSON/getJSON. Instead of directly executing JSON data, it efficiently parses the markup.

Answer 4

For secure JSON parsing, it is recommended to utilize the JSON.parse method. By including the script json2.js from http://www.json.org/js.html, this method becomes accessible and is automatically integrated with functions like parseJSON/getJSON. Instead of directly executing JSON data, it efficiently parses the markup.

Is it advisable to utilize jQuery's parseJSON/getJSON functions?

Answer №1

Answer №2

Similar questions

What is the best way to combine JSON objects from a two-dimensional array into a single array using JavaScript?

"Enhance your webpage with a captivating opaque background image using Bootstrap

Exploring the functionality of two-way data binding in Angular - a beginner's guide

Is there a way to dynamically set a database path in Express.js depending on the user's login status?

What mechanism does package.json use to determine whether you are currently operating in development or production mode?

Experiencing issues with utilizing long polling on a node.js server URL in Internet Explorer

The dimensions of the cards adjust automatically when the flex direction is set to row

Having trouble retrieving response headers in Angular 5

Adding data to a database table using Python

Error: Unable to access the 'wsname' property of an undefined value

What is the best way to identify duplicate IDs within an array?

Send a bundle of data through AJAX requests

Struggling to properly reference an item within an array

Generate a table framework by dynamically adjusting the number of rows and columns

Oops! It seems that an invalid BCrypt hash triggered an unspecified "error" event that was not handled

An issue has arisen when trying to fetch and parse data using React and JavaScript

Add unique content to a div upon page reload

Can you provide guidance on displaying flash messages in my template using Express.js?

jQuery AJAX POST Request Fails to SendIt seems that the

Different results can be observed when comparing the array ordering in JavaScript between IE8 and Chrome