Geoffroy Couprie <cont...@geoffroycouprie.com> writes: > I talk about parsers regularly with developers, and some of them > objected that with JSON, they never need to worry about safe parsing, > since a lot of libraries take care of that for them. I would not bet > that most JSON parsers are correct, but there is a more interesting > point here: even if the underlying encoding format was correct, the > way data is integrated is part of the schema.
This is langsec 101: Things that are traditionally thought of as languages (JSON) and what they implement (object serialization) are not the only things that should be thought of as languages and the interfaces that accept them. When a web API is assumed safe because the JSON parser is correct, people are looking at the wrong language. JSON is good because correct parsers for it are "easy" to build, but if there is no proper description of the *actual* language of the API, then that is exactly the problem. In principle, there are two ways to deal with this: Throw out JSON and design a more specific language or find a way to formalize the restriction of JSON to your case. Things like protocol buffers try to help the former approach and Schema languages embody the latter. However, there are many problems in either direction. Designing a new low-level language is likely to lead into details that are costly to deal with and easy to get wrong while accurately capturing a language restriction in a Schema is hard in its own right and will likely end up not being an exact match. Parser combinators offer some hope in this area because they allow new languages that are not overly general to be built out of low-level parts where the parts are (hopefully) correct. In the end, however, the main issue remains to accurately think of what is the interface and what is the language that it should accept. When that is not answered or answerable to satisfaction, there will be problems. -pesco _______________________________________________ langsec-discuss mailing list langsec-discuss@mail.langsec.org https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
