A high-performance, zero allocation, dynamic JSON Threat Protection in pure Go

GOJTP
⚡️ A high-performance, zero allocation, dynamic JSON Threat Protection in pure Go. 🔥

Package gojtp provides a fast way to validate dynamic JSON and protect against JSON content-level attacks (JSON Threat Protection) based on configured properties.

It also validates the JSON, and returns an error if the JSON is invalid.

What is JSON Threat Protection

JSON requests are susceptible to attacks characterized by unusual inflation of elements and nesting levels. Attackers use recursive techniques and huge JSON files to consume memory, overwhelm the parser and eventually crash the service.

JSON threat protection is the term for minimizing the risk from such attacks by defining a few limits on the JSON structure, such as length and depth validation, which helps protect your applications from such intrusions.

There are situations where you do not want to parse the JSON but do want to ensure that it is not going to cause a problem, for example in an API gateway. It would be a PAIN for the gateway to have to know the JSON schema of every service it is protecting. There are XML validators that perform similar functions.
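
The structural limits described above can be enforced on a token stream with no knowledge of the schema. The following is an added example, not gojtp's code: it uses the standard library's encoding/json tokenizer, and the names Limits, frame and Check are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Limits and frame are hypothetical names for this example, not gojtp's API.
type Limits struct{ Depth, StringLen, KeyLen, ArrayElems int }
type frame struct{ kind json.Delim; n int } // open container; n counts child tokens

// Check enforces lim on any JSON document without knowing its schema.
func Check(data []byte, lim Limits) error {
	if !json.Valid(data) { // rejects empty, truncated or trailing-garbage input
		return fmt.Errorf("malformed JSON")
	}
	dec := json.NewDecoder(bytes.NewReader(data))
	stack := []frame{{}} // root sentinel (kind 0), so every token has a parent
	for dec.More() || len(stack) > 1 {
		tok, err := dec.Token()
		if err != nil {
			return err // fail closed on anything the tokenizer refuses
		}
		d, isDelim := tok.(json.Delim)
		if isDelim && (d == '}' || d == ']') {
			stack = stack[:len(stack)-1]
			continue
		}
		s, _ := tok.(string) // "" for non-strings; lengths are in bytes
		p := &stack[len(stack)-1]
		p.n++
		isKey := p.kind == '{' && p.n%2 == 1 // odd position in an object is a key
		switch {
		case isKey && len(s) > lim.KeyLen:
			return fmt.Errorf("key length: max %d allowed, found %d", lim.KeyLen, len(s))
		case p.kind == '[' && p.n > lim.ArrayElems:
			return fmt.Errorf("array elements: max %d allowed, found more", lim.ArrayElems)
		case isDelim && len(stack) > lim.Depth: // stack holds root + open containers
			return fmt.Errorf("container depth: max %d allowed, found more", lim.Depth)
		case !isKey && len(s) > lim.StringLen:
			return fmt.Errorf("string length: max %d allowed, found %d", lim.StringLen, len(s))
		case isDelim:
			stack = append(stack, frame{kind: d})
		}
	}
	return nil
}

func main() { fmt.Println(Check([]byte(`[[["deep"]]]`), Limits{2, 50, 20, 6})) } // constructed input
```

The standard tokenizer decodes each string before its length can be checked, so this sketch still needs a request body size cap in front of it (for example http.MaxBytesReader) and does not reproduce the zero-allocation behaviour this package advertises.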

Getting Started

Installing

To start using gojtp, install Go and run go get:

$ go get -u github.com/ankur-anand/gojtp

Performance

On linux-amd64

BenchmarkTestifyNoThreatInBytes-4         500000              2628 ns/op               0 B/op          0 allocs/op

JSON Used

{
    "simple_string": "hello word",
    "targets": [
        {
            "req_per_second": 5,
            "duration_of_time": 1,
            "utf8Key": "Hello, 世界",
            "request": {
                "endpoint": "https://httpbin.org/get",
                "http_method": "GET",
                "payload": {
                    "username": "ankur",
                    "password": "ananad"
                },
                "array_value": [
                    "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstv"
                ],
                "additional_header": [
                    {
                        "header_key": "uuid",
                        "header_value": [
                            "1",
                            "2"
                        ]
                    }
                ]
            }
        },
        {
            "req_per_second": 10,
            "duration_of_time": 1,
            "request": {
                "endpoint": "https://httpbin.org/post",
                "http_method": "POST",
                "payload": {
                    "username": "ankur",
                    "password": "ananad"
                },
                "additional_header": [
                    {
                        "header_key": "uuid",
                        "header_value": [
                            "1",
                            "2",
                            "3",
                            "4",
                            "5",
                            "Hello, 世界"
                        ]
                    }
                ]
            }
        }
    ]
}

Create a verifier

All verifier parameters are optional.

Check the GoDoc for all options.

Example Verifier

// with multiple config
_, _ = gojtp.New(gojtp.WithMaxArrayElementCount(6),
	gojtp.WithMaxContainerDepth(7),
	gojtp.WithMaxObjectKeyLength(20), gojtp.WithMaxStringLength(50),
)

// with single config
_, _ = gojtp.New(gojtp.WithMaxStringLength(25))

Errors

JTP returns the following error messages on validation failure:

Error Message
jtp.maxStringValueLengthReached.Max-[X]-Allowed.Found-[Y].
jtp.maxArrayElementCountReached.Max-[X]-Allowed.Found-[Y].
jtp.maxKeyLengthReached.Max-[X]-Allowed.Found-[Y]
jtp.maxContainerDepthReached.Max-[X]-Allowed.Found-[Y]
jtp.maxObjectEntryCountReached.Max-[X]-Allowed.Found-[Y]
jtp.MalformedJSON

Usage Example

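package main

import (
	"fmt"
	"log"

	"github.com/ankur-anand/gojtp"
)

func main() {
	json := _getTestJsonBytes()

	// Verifier with several limits configured.
	verifier1, err := gojtp.New(gojtp.WithMaxArrayElementCount(6),
		gojtp.WithMaxContainerDepth(7),
		gojtp.WithMaxObjectKeyLength(20), gojtp.WithMaxStringLength(50),
	)
	if err != nil {
		log.Fatal(err)
	}
	ok, err := verifier1.VerifyBytes(json)
	fmt.Println(ok, err)

	// Verifier with a single limit; the sample's array_value string is longer than 25.
	verifier2, err := gojtp.New(gojtp.WithMaxStringLength(25))
	if err != nil {
		log.Fatal(err)
	}
	ok, err = verifier2.VerifyBytes(json)
	fmt.Println(ok, err)
}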

func _getTestJsonBytes() []byte {
	return []byte(`{
	"simple_string": "hello word",
    "targets": [
      {
        "req_per_second": 5,
        "duration_of_time": 1,
		"utf8Key": "Hello, 世界",
        "request": {
          "endpoint": "https://httpbin.org/get",
          "http_method": "GET",
          "payload": {
            "username": "ankur",
            "password": "ananad"
          },
		  "array_value": [
				"abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstv"
			],
          "additional_header": [
            {
              "header_key": "uuid",
              "header_value": [
                "1",
                "2"
              ]
            }
          ]
        }
      },
      {
        "req_per_second": 10,
        "duration_of_time": 1,
        "request": {
          "endpoint": "https://httpbin.org/post",
          "http_method": "POST",
          "payload": {
            "username": "ankur",
            "password": "ananad"
          },
          "additional_header": [
            {
              "header_key": "uuid",
              "header_value": [
                "1",
                "2",
				"3",
				"4",
				"5",
				"Hello, 世界"
              ]
            }
          ]
        }
      }
    ]
}
	`)
}

Contact

Ankur Anand @in_aanand

License

GOJTP source code is available under the MIT License.

Based on Parser from tidwall.

Releases(v0.0.1)