Since Membrane 5.2.0
Membrane can identify misuse in JSON documents such as duplicate fields, unusually large arrays or strings, and excessively nested documents. This allows Membrane to prevent potentially harmful JSON from compromising API backends.
- Start Membrane using the included script:

  Linux:

  ```
  cd examples/security/json-protection
  ./membrane.sh
  ```

  Windows:

  ```
  cd examples/security/json-protection
  membrane.cmd
  ```

- Send a message violating the configuration. Depth is set to a maximum of 3, and this document nests four objects deep.

  ```
  curl -d '{"a": {"b": {"c": {"d": 1}}}}' -v localhost:2000
  ```

  The API Gateway should answer with a `400 Bad Request`.

- Have a look at the configuration in the `apis.yaml` file:

  ```yaml
  jsonProtection:
    maxTokens: 15
    maxSize: 110
    maxDepth: 3
    maxStringLength: 5
    maxKeyLength: 1
    maxObjectSize: 3
    maxArraySize: 3
  ```

- Look at the examples in the provided script:

  Linux:

  ```
  ./requests.sh
  ```

  Windows:

  ```
  requests.bat
  ```

  Or run individual requests from the `requests.http` file using editors or IDEs that support `.http` files (IntelliJ, Visual Studio Code).
The requests will test several cases of malicious JSON. Take a look at the apis.yaml file to get an idea of how to set up the plugin.
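To make the rules above concrete, here is an added Python example (written for this page, not Membrane's own implementation) that enforces the same class of limits as the `apis.yaml` snippet while it tokenizes and parses, so a document is rejected at the first violated rule instead of being fully materialized first. The limit values are the ones from this example; the rule name `duplicateFields` for repeated keys and the `syntax` label for malformed input are labels of my own, as Membrane's exact error wording and check ordering are not stated on this page.

```python
import json
import re

# Limits taken from this example's apis.yaml; any other values are the caller's choice.
DEFAULT_LIMITS = {
    "maxTokens": 15, "maxSize": 110, "maxDepth": 3, "maxStringLength": 5,
    "maxKeyLength": 1, "maxObjectSize": 3, "maxArraySize": 3,
}

# One JSON token per match: string, number, literal or structural punctuation.
_TOKEN = re.compile(r'\s*(?:(?P<string>"(?:[^"\\]|\\.)*")'
                    r'|(?P<number>-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?)'
                    r'|(?P<literal>true|false|null)'
                    r'|(?P<punct>[{}\[\]:,]))')


class JsonProtectionError(ValueError):
    """Raised as soon as a limit is exceeded; the message starts with the rule name."""


def _tokens(text, max_tokens):
    """Lazy tokenizer that aborts once more than max_tokens tokens have been seen."""
    pos, count = 0, 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            if text[pos:].strip():
                raise JsonProtectionError(f"syntax: unexpected input at offset {pos}")
            return
        count += 1
        if count > max_tokens:
            raise JsonProtectionError(f"maxTokens: more than {max_tokens} tokens")
        pos = m.end()
        yield m.lastgroup, m.group(m.lastgroup)


class _Checker:
    """Recursive-descent parser that checks depth, sizes and keys while building the value."""

    def __init__(self, text, limits):
        self.lim = limits
        self.it = _tokens(text, limits["maxTokens"])
        self.tok = next(self.it, None)

    def _next(self):
        cur, self.tok = self.tok, next(self.it, None)
        return cur

    def _expect(self, punct):
        if self.tok != ("punct", punct):
            raise JsonProtectionError(f"syntax: expected '{punct}'")
        self._next()

    def value(self, depth):
        if self.tok is None:
            raise JsonProtectionError("syntax: unexpected end of input")
        kind, raw = self.tok
        if kind == "punct" and raw in "{[":
            if depth + 1 > self.lim["maxDepth"]:  # checked before the container is entered
                raise JsonProtectionError(f"maxDepth: nesting deeper than {self.lim['maxDepth']}")
            self._next()
            return self.obj(depth + 1) if raw == "{" else self.arr(depth + 1)
        if kind == "punct":
            raise JsonProtectionError(f"syntax: unexpected '{raw}'")
        self._next()
        val = json.loads(raw)  # decode a single scalar token (handles string escapes)
        if kind == "string" and len(val) > self.lim["maxStringLength"]:
            raise JsonProtectionError(f"maxStringLength: string longer than {self.lim['maxStringLength']}")
        return val

    def obj(self, depth):
        out = {}
        if self.tok == ("punct", "}"):
            self._next()
            return out
        while True:
            if self.tok is None or self.tok[0] != "string":
                raise JsonProtectionError("syntax: object key must be a string")
            key = json.loads(self._next()[1])
            if len(key) > self.lim["maxKeyLength"]:
                raise JsonProtectionError(f"maxKeyLength: key longer than {self.lim['maxKeyLength']}")
            if key in out:  # duplicate field; rule name is this example's own label
                raise JsonProtectionError(f"duplicateFields: key '{key}' appears twice")
            self._expect(":")
            out[key] = self.value(depth)
            if len(out) > self.lim["maxObjectSize"]:
                raise JsonProtectionError(f"maxObjectSize: more than {self.lim['maxObjectSize']} members")
            if self.tok == ("punct", ","):
                self._next()
                continue
            self._expect("}")
            return out

    def arr(self, depth):
        out = []
        if self.tok == ("punct", "]"):
            self._next()
            return out
        while True:
            out.append(self.value(depth))
            if len(out) > self.lim["maxArraySize"]:
                raise JsonProtectionError(f"maxArraySize: more than {self.lim['maxArraySize']} elements")
            if self.tok == ("punct", ","):
                self._next()
                continue
            self._expect("]")
            return out


def check_json(text, limits=None):
    """Parse text under the limits; return the value or raise JsonProtectionError."""
    lim = {**DEFAULT_LIMITS, **(limits or {})}
    if len(text.encode("utf-8")) > lim["maxSize"]:  # byte size is checked before any parsing
        raise JsonProtectionError(f"maxSize: body larger than {lim['maxSize']} bytes")
    checker = _Checker(text, lim)
    result = checker.value(0)
    if checker.tok is not None:
        raise JsonProtectionError("syntax: trailing data after document")
    return result


def violated_rule(text, limits=None):
    """Name of the first rule a document breaks, or None if it passes all limits."""
    try:
        check_json(text, limits)
        return None
    except JsonProtectionError as e:
        return str(e).split(":", 1)[0]


if __name__ == "__main__":
    # Constructed sample bodies; the depth case is the curl request from this README.
    for body in ['{"a": {"b": {"c": 1}}}', '{"a": {"b": {"c": {"d": 1}}}}',
                 '{"a": 1, "a": 2}', '[1, 2, 3, 4]']:
        print(f"{body!r:40} -> {violated_rule(body) or 'accepted'}")
```

Because the tokenizer is lazy, `maxTokens` can fire before a later structural rule would; with the example's limit of 15 tokens an object with four members trips `maxTokens` before `maxObjectSize`, which is why the check order matters when you read a gateway's rejection reason.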
See:
- jsonProtection reference