AutoBean: decoding JSON with an array at the root?


alexp

Oct 14, 2011, 3:09:22 PM10/14/11
to Google Web Toolkit
Assume I have the following JSON:

[
{ "foo": 1, "bar": 2 },
{ "foo": 3, "bar": 4 }
]

How would I set up my AutoBean and factory to parse this?

If the array were a child of another object, like this:

{ "items": [
{ "foo": 1, "bar": 2 },
{ "foo": 3, "bar": 4 }
]
}

Then the AutoBean would be easy, because the array is identified by
the enclosing object:

interface Foo {
    List<Item> getItems();
}

interface Item {
    int getFoo();
    int getBar();
}

However, when the array is at the root, there doesn't seem a way to
decode a list at the root. In other words, I cannot do this:

interface MyFactory extends AutoBeanFactory {
    List<Item> itemList();
}

Because I would not be able to specify List<Item> as the class (e.g.
type) to be decoded:

AutoBean<List<Item>> bean = AutoBeanCodex.decode(myFactory, ???.class,
    jsonString);

I tried adding a list bean that extended list, like this:

interface ItemList extends List<Item> {
}

But I quickly realized that the AutoBean code would try to look for
JSON properties or Category methods for all the methods in the List
interface.

Any ideas?

Thanks in advance,

Alex

benneq

Oct 15, 2011, 3:32:27 PM10/15/11
to Google Web Toolkit
I'm interested in this, too... :)

Colin Alworth

Oct 18, 2011, 10:59:01 AM10/18/11
to google-we...@googlegroups.com
Yes, your JSON is expected to have an object, not a collection, at its root. This turns out to be a good idea in general as well - in some browsers it is possible to load json that starts in an array from another site, and read the contents of those objects, something which is not possible if you start with an object instead.

alexp

Oct 18, 2011, 2:34:03 PM10/18/11
to Google Web Toolkit
Hi Colin,

Thanks for replying. Can you elaborate a little on your response? I
am not sure I quite got the context of the response. Are you stating
that not having an array at the root would prevent that data from
being injected into another JSON structure? What makes it not
possible to do what you described if there was an object at the root?

Alex

Colin Alworth

Oct 18, 2011, 6:21:34 PM10/18/11
to google-we...@googlegroups.com
Quoting from http://www.sitepen.com/blog/2008/09/25/security-in-ajax/
"It is only possible to hijack JSON data with a root that is an array.
When the root is a primitive, primitive values do not trigger a
constructor. When the root is an object, it is not valid JavaScript
syntax, and therefore can’t be parsed. No amount of environmental
alterations can affect an unparseable script."

http://haacked.com/archive/2009/06/25/json-hijacking.aspx gets into a
little more detail of what must be possible to exploit this.

This is an issue that is tangential to your problem, but between the
two of them, it makes more sense to deal with objects as the root of
whatever is being sent over the wire than arrays. Note that if your
server never sends a reply to a GET request, this might not be a
problem for you, but I make a habit of always starting with an object
to make sure no one ever accidentally adds a security flaw.
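The property Colin's quote relies on can be checked directly: a JSON text whose root is an array (or a primitive) is also a syntactically valid JavaScript script, while a JSON text whose root is a non-empty object is not, because the leading `{` is read as a block and the first `"key":` is then a syntax error. The snippet below is an added example, not code from this thread or from GWT; it compiles a JSON text without running it to see whether it would load as a script, and shows the server-side habit Colin recommends (and the answer to Alex's original question): wrap a root array under a named property, so AutoBean has an object to decode and the response stops being loadable as a script. The property name "items" is taken from the first post; the function names are assumptions.

```javascript
// Added example (not from the thread): does a JSON text also parse as a
// JavaScript script? That is the precondition for the JSON hijacking the
// linked articles describe, and wrapping the root in an object removes it.

// Parse-only check. new Function() compiles the text as a function body but
// never invokes it, so nothing in the text is executed; a SyntaxError means a
// <script src=...> pointing at this response could not be parsed either.
function parsesAsScript(text) {
  try {
    new Function(text); // compile only, never invoked
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a real error, not a parse result
  }
}

// Root type of a JSON document: "array", "object" or "primitive".
function jsonRootType(text) {
  const value = JSON.parse(text);
  if (Array.isArray(value)) return "array";
  if (value !== null && typeof value === "object") return "object";
  return "primitive";
}

// Server-side mitigation Colin recommends: never emit an array at the root.
// If the root is an array, wrap it under a named property; the default name
// "items" matches the first post's example (an assumption, not an API).
function wrapRootArray(text, propertyName = "items") {
  const value = JSON.parse(text);
  if (!Array.isArray(value)) return text; // object or primitive root: unchanged
  return JSON.stringify({ [propertyName]: value });
}

// Constructed sample: the array-root document from the first post, and the
// object-root form of it.
const ARRAY_ROOT = '[{"foo":1,"bar":2},{"foo":3,"bar":4}]';
const OBJECT_ROOT = wrapRootArray(ARRAY_ROOT);

// Summary of the four cases, including the one edge case worth knowing:
// an empty object "{}" is an empty block and therefore does parse as a script,
// although there is nothing in it to read.
function demo() {
  return {
    arrayRoot: { type: jsonRootType(ARRAY_ROOT), script: parsesAsScript(ARRAY_ROOT) },
    objectRoot: { type: jsonRootType(OBJECT_ROOT), script: parsesAsScript(OBJECT_ROOT) },
    primitiveRoot: { type: jsonRootType("42"), script: parsesAsScript("42") },
    emptyObject: { type: jsonRootType("{}"), script: parsesAsScript("{}") },
  };
}

console.log(demo());
```

The parse check is the durable part of the argument: whether the contents of an array literal can actually be read by a third-party page depends on the browser tricks the two linked articles describe, which current engines have closed, but a response that is a syntax error as a script cannot be affected by any of them. For an AutoBean client the wrapped form is also the one that is easy to decode, since `{"items": [...]}` maps onto an interface with a `List<Item> getItems()` accessor.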

alexp

Oct 19, 2011, 10:55:38 AM10/19/11
to Google Web Toolkit
Hi Colin,

Thanks so much for clarifying and including those URLs. Very good to
know!

Cheers,

Alex