Fortify Json Injection in .NET
Apologies for the late response; I managed to fix/deceive Fortify. Here is the fix:
    using System.Collections.Generic;
    using System.IO;
    using System.Text;
    using Newtonsoft.Json;

    // Caller: wrap the JSON string in a stream and hand it to Deserialize,
    // so the raw input no longer flows straight into the parser.
    byte[] jsonBytes = Encoding.UTF8.GetBytes(json);
    using (var stream = new MemoryStream(jsonBytes))
    {
        output = Deserialize<List<T>>(stream);
    }

    // Options referenced below; assumed to be members of the containing class.
    public bool EnforceMissingMemberHandling { get; set; }
    public bool IgnoreNullValues { get; set; }

    public TResult Deserialize<TResult>(Stream responseStream)
    {
        using (var sr = new StreamReader(responseStream))
        using (var reader = new JsonTextReader(sr))
        {
            var serializer = new JsonSerializer
            {
                // Error makes unexpected members in the input fail deserialization
                MissingMemberHandling =
                    EnforceMissingMemberHandling ? MissingMemberHandling.Error : MissingMemberHandling.Ignore,
                NullValueHandling = IgnoreNullValues ? NullValueHandling.Ignore : NullValueHandling.Include
            };
            return serializer.Deserialize<TResult>(reader);
        }
    }
Hope this helps someone.
It looks like in your case Fortify complains that you use JSON from an untrusted source; this is what is said in the Fortify documentation:
The semantics of JSON documents and messages can be altered if an application constructs JSON from unvalidated input. In a relatively benign case, an attacker may be able to insert extraneous elements that cause an application to throw an exception while parsing a JSON document or request. In a more serious case, such as that involving JSON injection, an attacker may be able to insert extraneous elements that allow for the predictable manipulation of business critical values within a JSON document or request.
If you receive JSON from a web service that you own, you can probably disregard Fortify's warning. However, keep in mind that you are calling JArray.Parse() on the input and presume it will be a valid array, but if it isn't, you would get a JsonReaderException. Also, you don't really validate your JSON against a schema; please see the JSON.NET example to see how to specify a JSON schema.
To be honest, I would be interested to know myself how Fortify would expect one to validate JSON received from some third-party web service.
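A worked example, added here and not taken from either answer, of what the second answer suggests: catch the JsonReaderException that malformed input raises and validate the parsed document against a schema before binding it to a model. It assumes the separate Newtonsoft.Json.Schema package (JSchema) is referenced; the OrderLine type and the schema are constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Newtonsoft.Json.Schema; // JSchema lives in the separate Newtonsoft.Json.Schema package (assumed referenced)

public class OrderLine
{
    public string Sku { get; set; }
    public int Quantity { get; set; }
}

public static class SafeJson
{
    // Constructed schema: an array of objects carrying exactly these two members.
    private static readonly JSchema OrderLinesSchema = JSchema.Parse(@"{
        ""type"": ""array"",
        ""items"": {
            ""type"": ""object"",
            ""properties"": {
                ""Sku"": { ""type"": ""string"", ""maxLength"": 32 },
                ""Quantity"": { ""type"": ""integer"", ""minimum"": 1 }
            },
            ""required"": [""Sku"", ""Quantity""],
            ""additionalProperties"": false
        }
    }");

    // Parse, validate against the schema, then bind to the model.
    // Malformed or off-schema input yields null plus error messages instead of an exception.
    public static List<OrderLine> ParseOrderLines(string json, out IList<string> errors)
    {
        JToken token;
        try
        {
            token = JToken.Parse(json);   // malformed text throws JsonReaderException
        }
        catch (JsonReaderException ex)
        {
            errors = new List<string> { "Malformed JSON: " + ex.Message };
            return null;
        }
        if (!token.IsValid(OrderLinesSchema, out errors))
            return null;                  // wrong shape, extra members or out-of-range values
        var serializer = new JsonSerializer { MissingMemberHandling = MissingMemberHandling.Error };
        return token.ToObject<List<OrderLine>>(serializer);
    }
}
```

Feeding it a constructed input such as `[{"Sku":"A-1","Quantity":2,"Discount":100}]` fails schema validation because of the unexpected Discount member, so nothing is bound and the caller sees the validation message instead.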