#json #validate-json #json-parser #security #validation

json-threat-protection

A crate to protect against malicious JSON payloads

2 releases

0.1.1 Jul 21, 2024
0.1.0 Jul 20, 2024

#964 in Parser implementations

22 downloads per month

MIT license

79KB
1.5K SLoC

JSON-threat-protection.rs

GitHub Actions Workflow Status Crates.io Version docs.rs GitHub License

A Rust library to protect against malicious JSON payloads.

This project is not a parser, and never give you the deserialized JSON Value!

Features

This crate provides functionality to validate JSON payloads against a set of constraints.

  • Maximum depth of the JSON structure.
  • Maximum length of strings.
  • Maximum number of entries in arrays.
  • Maximum number of entries in objects.
  • Maximum length of object entry names.
  • Whether to allow duplicate object entry names.

The typical use case for this crate is to validate JSON payloads before the bussiness logic of your application that is deployed in a separated place.

Docs

https://docs.rs/json-threat-protection

Performance

This crate is designed to be fast and efficient, and has its own benchmark suite under the benches directory. You can run the benchmarks with the following command:

JSON_FILE=/path/to/file.json cargo bench --bench memory -- --verbose

This suite validates the JSON syntax and checks the above constraints.

For comparison, the serde_json crate is used to parse the JSON and get the serde_json::Value and travel through the JSON structure to check the above constraints.

Here are the table of the results of the benchmark suite for three different datasets:

Data Source

Dataset Size serde_json json-threat-protection Faster (%) Comment
kernel_stargazers.json 1.2M 12.996 ms 8.8530 ms 31.89% 1000 stargazers JSON information from torvalds/linux
kernel_stargazers_small.json 568K 5.8825 ms 3.7504 ms 36.29% 472 stargazers JSON information from torvalds/linux
kernel_commits.json 4.6M 45.059 ms 29.682 ms 34.25% 1000 commits JSON infomation from torvalds/linux
tokio_issues.json 5.1M 61.935 ms 33.959 ms 45.20% 1000 issues JSON information from tokio-rs/tokio
tokio_forks.json 6.1M 90.984 ms 45.686 ms 49.80% 1000 forks JSON information from tokio-rs/tokio
tokio_workflow_runs.json 15M 221.89 ms 103.65 ms 53.22% 1000 workflow runs JSON information from tokio-rs/tokio

It is expected that the json-threat-protection crate will be faster than the serde_json crate because it never store the deserialized JSON Value in memory, which reduce the cost on memory allocation and deallocation.

As you can see from the table, the json-threat-protection crate is faster than the serde_json crate for all datasets, but the number depends on the dataset. So you could get your own performance number by specifying the JSON_FILE to your dataset.

Fuzzing

The library is fuzz tested using the cargo-fuzz tool. The fuzzing target is located in the fuzz directory.

THe initial set of corpus files are from nlohmann/json_test_data.

Thanks

License

This project is licensed under the MIT License - see the LICENSE file for details.

Dependencies

~250–700KB
~17K SLoC