Is sanitizing JSON necessary?

Since JSON.parse() does not run any code in the data to be parsed, it is not vulnerable the way eval() is, but there are still things you should do to protect the integrity of your server and application such as:

  1. Apply exception handlers in the appropriate place as JSON.parse() can throw an exception.
  2. Don't make assumptions about what data is there, you must explicitly test for data before using it.
  3. Only process properties you are specifically looking for (avoiding other things that might be in the JSON).
  4. Validate all incoming data as legitimate, acceptable values.
  5. Sanitize the length of data (to prevent DOS issues with overly large data).
  6. Don't put this incoming data into places where it could be further evaluated such as directly into the HTML of the page or injected directly into SQL statements without further sanitization to make sure it is safe for that environment.

So, to answer your question directly, "yes" there is more to do than just using body-parser though it is a perfectly fine front line for first processing the data. The next steps for what you do with the data once you get it from body-parser do matter in many cases and can require extra care.


As an example, here's a parsing function that expects an object with properties that applies some of these checks and gives you a filtered result that only contains the properties you were expecting:

// pass expected list of properties and optional maxLen
// returns obj or null
function safeJSONParse(str, propArray, maxLen) {
    var parsedObj, safeObj = {};
    try {
        if (maxLen && str.length > maxLen) {
            return null;
        } else {
            parsedObj = JSON.parse(str);
            if (typeof parsedObj !== "object" || Array.isArray(parsedObj)) {
                safeObj = parseObj;
            } else {
                // copy only expected properties to the safeObj
                propArray.forEach(function(prop) {
                    if (parsedObj.hasOwnProperty(prop)) {
                        safeObj[prop] = parseObj[prop];
                    }
                });
            }
            return safeObj;
        }
    } catch(e) {
        return null;
    }
}

You should be fine. Early users of JSON would often call eval() on the received string, which is of course a huge security hole. But JSON.parse, as you state, handles the majority of these kinds of sanity checks.

As long as you make sure not to take something out of a received JSON object and pass it directly into a SQL query, for example, you should be fine.