JSON injection via unescaped values in HTTP build_json_body #1000

@chaliy

Summary

build_json_body constructs JSON by string formatting without escaping special characters:

fields.push(format!("  \"{}\": \"{}\"", k, v));

Values containing ", \, or newlines produce malformed or attacker-controlled JSON sent to allowed endpoints.

Severity: Medium
Category: Injection (TM-INJ)

Affected Files

  • crates/bashkit/src/builtins/http.rs lines 207-224

Steps to Reproduce

http POST https://allowed-api.com name='test","admin":true,"x":"y'
# Produces: { "name": "test","admin":true,"x":"y" }
# Injected admin:true field

Impact

Arbitrary JSON field injection in request bodies. Can escalate privileges on target APIs (e.g., setting admin: true).

Acceptance Criteria

  • Use serde_json to construct JSON body properly (values as serde_json::Value::String)
  • Or: escape ", \, and control characters in values
  • Test: Value with " produces valid escaped JSON
  • Test: Value with \n produces valid escaped JSON
  • Test: Nested JSON injection attempt is neutralized
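
The escaping option from the acceptance criteria, as an added example that is not bashkit's own code: a std-only Rust sketch that puts the unescaped pattern quoted in the issue beside an escaped form. The function names and the brace-and-join wrapper around the fields are assumptions; the `serde_json` option in the first criterion would replace the hand-written escaper.

```rust
// Added example (not bashkit's code). Function names are hypothetical, and the
// "{\n ... \n}" wrapper around the fields is an assumption; only the
// per-field format! pattern comes from the issue.

/// Mirrors the pattern quoted in the issue: values are interpolated raw.
fn build_json_body_unescaped(pairs: &[(&str, &str)]) -> String {
    let fields: Vec<String> = pairs
        .iter()
        .map(|(k, v)| format!("  \"{}\": \"{}\"", k, v))
        .collect();
    format!("{{\n{}\n}}", fields.join(",\n"))
}

/// Escapes `"`, `\` and control characters (U+0000..U+001F) per RFC 8259.
fn escape_json_string(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Hardened form: keys and values are both escaped before interpolation.
fn build_json_body_escaped(pairs: &[(&str, &str)]) -> String {
    let fields: Vec<String> = pairs
        .iter()
        .map(|(k, v)| format!("  \"{}\": \"{}\"", escape_json_string(k), escape_json_string(v)))
        .collect();
    format!("{{\n{}\n}}", fields.join(",\n"))
}

fn main() {
    // Constructed input: the value from the issue's reproduction step.
    let pairs = [("name", "test\",\"admin\":true,\"x\":\"y")];
    println!("unescaped:\n{}", build_json_body_unescaped(&pairs));
    println!("escaped:\n{}", build_json_body_escaped(&pairs));
}
```

With the escaped builder the whole reproduction value stays inside the `name` string, so the receiving API sees one field instead of three.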

Labels: security (Security vulnerability or hardening)
