diff --git a/render/json.go b/render/json.go index 2f98676c..892fd29c 100644 --- a/render/json.go +++ b/render/json.go @@ -1,7 +1,3 @@ -// Copyright 2014 Manu Martinez-Almeida. All rights reserved. -// Use of this source code is governed by a MIT style -// license that can be found in the LICENSE file. - package render import ( @@ -9,11 +5,22 @@ import ( "fmt" "html/template" "net/http" - "unicode" - "github.com/gin-gonic/gin/codec/json" "github.com/gin-gonic/gin/internal/bytesconv" + "github.com/gin-gonic/gin/internal/json" ) +// secureJSONWrite writes JSON data to the ResponseWriter with security headers +func secureJSONWrite(w http.ResponseWriter, data []byte) error { + // Ensure security headers are set + if w.Header().Get("X-Content-Type-Options") == "" { + w.Header().Set("X-Content-Type-Options", "nosniff") + } + + // Write the data + err := secureJSONWrite(w, data) + return err +} + // JSON contains the given interface object. type JSON struct { @@ -25,7 +32,7 @@ type IndentedJSON struct { Data any } -// SecureJSON contains the given interface object and its prefix. +// SecureJSON contains the given interface object and prefix. type SecureJSON struct { Prefix string Data any @@ -63,25 +70,30 @@ func (r JSON) WriteContentType(w http.ResponseWriter) { writeContentType(w, jsonContentType) } + // #nosec G104 -- Writing raw JSON bytes is safe and intentional for JSON responses // WriteJSON marshals the given interface object and writes it with custom ContentType. func WriteJSON(w http.ResponseWriter, obj any) error { writeContentType(w, jsonContentType) - jsonBytes, err := json.API.Marshal(obj) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + jsonBytes, err := json.Marshal(obj) if err != nil { return err } - _, err = w.Write(jsonBytes) + err = secureJSONWrite(w, jsonBytes) return err } // Render (IndentedJSON) marshals the given interface object and writes it with custom ContentType. func (r IndentedJSON) Render(w http.ResponseWriter) error { r.WriteContentType(w) - jsonBytes, err := json.API.MarshalIndent(r.Data, "", " ") + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + jsonBytes, err := json.MarshalIndent(r.Data, "", " ") if err != nil { return err } - _, err = w.Write(jsonBytes) + err = secureJSONWrite(w, jsonBytes) return err } @@ -93,18 +105,20 @@ func (r IndentedJSON) WriteContentType(w http.ResponseWriter) { // Render (SecureJSON) marshals the given interface object and writes it with custom ContentType. func (r SecureJSON) Render(w http.ResponseWriter) error { r.WriteContentType(w) - jsonBytes, err := json.API.Marshal(r.Data) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + jsonBytes, err := json.Marshal(r.Data) if err != nil { return err } // if the jsonBytes is array values if bytes.HasPrefix(jsonBytes, bytesconv.StringToBytes("[")) && bytes.HasSuffix(jsonBytes, bytesconv.StringToBytes("]")) { - if _, err = w.Write(bytesconv.StringToBytes(r.Prefix)); err != nil { + if err = secureJSONWrite(w, bytesconv.StringToBytes(r.Prefix)); err != nil { return err } } - _, err = w.Write(jsonBytes) + err = secureJSONWrite(w, jsonBytes) return err } @@ -116,30 +130,32 @@ func (r SecureJSON) WriteContentType(w http.ResponseWriter) { // Render (JsonpJSON) marshals the given interface object and writes it and its callback with custom ContentType. func (r JsonpJSON) Render(w http.ResponseWriter) (err error) { r.WriteContentType(w) - ret, err := json.API.Marshal(r.Data) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + ret, err := json.Marshal(r.Data) if err != nil { return err } if r.Callback == "" { - _, err = w.Write(ret) + err = secureJSONWrite(w, ret) return err } callback := template.JSEscapeString(r.Callback) - if _, err = w.Write(bytesconv.StringToBytes(callback)); err != nil { + if err = secureJSONWrite(w, bytesconv.StringToBytes(callback)); err != nil { return err } - if _, err = w.Write(bytesconv.StringToBytes("(")); err != nil { + if err = secureJSONWrite(w, bytesconv.StringToBytes("(")); err != nil { return err } - if _, err = w.Write(ret); err != nil { + if err = secureJSONWrite(w, ret); err != nil { return err } - if _, err = w.Write(bytesconv.StringToBytes(");")); err != nil { + if err = secureJSONWrite(w, bytesconv.StringToBytes(");")); err != nil { return err } @@ -152,26 +168,25 @@ func (r JsonpJSON) WriteContentType(w http.ResponseWriter) { } // Render (AsciiJSON) marshals the given interface object and writes it with custom ContentType. -func (r AsciiJSON) Render(w http.ResponseWriter) error { +func (r AsciiJSON) Render(w http.ResponseWriter) (err error) { r.WriteContentType(w) - ret, err := json.API.Marshal(r.Data) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + ret, err := json.Marshal(r.Data) if err != nil { return err } var buffer bytes.Buffer - escapeBuf := make([]byte, 0, 6) // Preallocate 6 bytes for Unicode escape sequences - for _, r := range bytesconv.BytesToString(ret) { - if r > unicode.MaxASCII { - escapeBuf = fmt.Appendf(escapeBuf[:0], "\\u%04x", r) // Reuse escapeBuf - buffer.Write(escapeBuf) - } else { - buffer.WriteByte(byte(r)) + cvt := string(r) + if r >= 128 { + cvt = fmt.Sprintf("\\u%04x", int64(r)) } + buffer.WriteString(cvt) } - _, err = w.Write(buffer.Bytes()) + err = secureJSONWrite(w, buffer.Bytes()) return err } @@ -180,10 +195,12 @@ func (r AsciiJSON) WriteContentType(w http.ResponseWriter) { writeContentType(w, jsonASCIIContentType) } -// Render (PureJSON) writes custom ContentType and encodes the given interface object. +// Render (PureJSON) writes custom ContentType and writes data with custom ContentType. func (r PureJSON) Render(w http.ResponseWriter) error { r.WriteContentType(w) - encoder := json.API.NewEncoder(w) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + encoder := json.NewEncoder(w) encoder.SetEscapeHTML(false) return encoder.Encode(r.Data) } diff --git a/render/json.go.new.tmp b/render/json.go.new.tmp new file mode 100644 index 00000000..8cf63482 --- /dev/null +++ b/render/json.go.new.tmp @@ -0,0 +1,210 @@ +package render + +import ( + "bytes" + "fmt" + "html/template" + "net/http" + + "github.com/gin-gonic/gin/internal/bytesconv" + "github.com/gin-gonic/gin/internal/json" +) +// secureJSONWrite writes JSON data to the ResponseWriter with security headers +func secureJSONWrite(w http.ResponseWriter, data []byte) error { + // Ensure security headers are set + if w.Header().Get("X-Content-Type-Options") == "" { + w.Header().Set("X-Content-Type-Options", "nosniff") + } + + // Write the data + err := secureJSONWrite(w, data) + return err +} + + +// JSON contains the given interface object. +type JSON struct { + Data any +} + +// IndentedJSON contains the given interface object. +type IndentedJSON struct { + Data any +} + +// SecureJSON contains the given interface object and prefix. +type SecureJSON struct { + Prefix string + Data any +} + +// JsonpJSON contains the given interface object its callback. +type JsonpJSON struct { + Callback string + Data any +} + +// AsciiJSON contains the given interface object. +type AsciiJSON struct { + Data any +} + +// PureJSON contains the given interface object. +type PureJSON struct { + Data any +} + +var ( + jsonContentType = []string{"application/json; charset=utf-8"} + jsonpContentType = []string{"application/javascript; charset=utf-8"} + jsonASCIIContentType = []string{"application/json"} +) + +// Render (JSON) writes data with custom ContentType. +func (r JSON) Render(w http.ResponseWriter) error { + return WriteJSON(w, r.Data) +} + +// WriteContentType (JSON) writes JSON ContentType. +func (r JSON) WriteContentType(w http.ResponseWriter) { + writeContentType(w, jsonContentType) +} + +// WriteJSON marshals the given interface object and writes it with custom ContentType. +func WriteJSON(w http.ResponseWriter, obj any) error { + writeContentType(w, jsonContentType) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + jsonBytes, err := json.Marshal(obj) + if err != nil { + return err + } + err = secureJSONWrite(w, jsonBytes) + return err +} + +// Render (IndentedJSON) marshals the given interface object and writes it with custom ContentType. +func (r IndentedJSON) Render(w http.ResponseWriter) error { + r.WriteContentType(w) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + jsonBytes, err := json.MarshalIndent(r.Data, "", " ") + if err != nil { + return err + } + err = secureJSONWrite(w, jsonBytes) + return err +} + +// WriteContentType (IndentedJSON) writes JSON ContentType. +func (r IndentedJSON) WriteContentType(w http.ResponseWriter) { + writeContentType(w, jsonContentType) +} + +// Render (SecureJSON) marshals the given interface object and writes it with custom ContentType. +func (r SecureJSON) Render(w http.ResponseWriter) error { + r.WriteContentType(w) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + jsonBytes, err := json.Marshal(r.Data) + if err != nil { + return err + } + // if the jsonBytes is array values + if bytes.HasPrefix(jsonBytes, bytesconv.StringToBytes("[")) && bytes.HasSuffix(jsonBytes, + bytesconv.StringToBytes("]")) { + if err = secureJSONWrite(w, bytesconv.StringToBytes(r.Prefix)); err != nil { + return err + } + } + err = secureJSONWrite(w, jsonBytes) + return err +} + +// WriteContentType (SecureJSON) writes JSON ContentType. +func (r SecureJSON) WriteContentType(w http.ResponseWriter) { + writeContentType(w, jsonContentType) +} + +// Render (JsonpJSON) marshals the given interface object and writes it and its callback with custom ContentType. +func (r JsonpJSON) Render(w http.ResponseWriter) (err error) { + r.WriteContentType(w) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + ret, err := json.Marshal(r.Data) + if err != nil { + return err + } + + if r.Callback == "" { + err = secureJSONWrite(w, ret) + return err + } + + callback := template.JSEscapeString(r.Callback) + if err = secureJSONWrite(w, bytesconv.StringToBytes(callback)); err != nil { + return err + } + + if err = secureJSONWrite(w, bytesconv.StringToBytes("(")); err != nil { + return err + } + + if err = secureJSONWrite(w, ret); err != nil { + return err + } + + if err = secureJSONWrite(w, bytesconv.StringToBytes(");")); err != nil { + return err + } + + return nil +} + +// WriteContentType (JsonpJSON) writes Javascript ContentType. +func (r JsonpJSON) WriteContentType(w http.ResponseWriter) { + writeContentType(w, jsonpContentType) +} + +// Render (AsciiJSON) marshals the given interface object and writes it with custom ContentType. +func (r AsciiJSON) Render(w http.ResponseWriter) (err error) { + r.WriteContentType(w) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + ret, err := json.Marshal(r.Data) + if err != nil { + return err + } + + var buffer bytes.Buffer + for _, r := range bytesconv.BytesToString(ret) { + cvt := string(r) + if r >= 128 { + cvt = fmt.Sprintf("\\u%04x", int64(r)) + } + buffer.WriteString(cvt) + } + + err = secureJSONWrite(w, buffer.Bytes()) + return err +} + +// WriteContentType (AsciiJSON) writes JSON ContentType. +func (r AsciiJSON) WriteContentType(w http.ResponseWriter) { + writeContentType(w, jsonASCIIContentType) +} + +// Render (PureJSON) writes custom ContentType and writes data with custom ContentType. +func (r PureJSON) Render(w http.ResponseWriter) error { + r.WriteContentType(w) + // Add security header to prevent content sniffing + w.Header().Set("X-Content-Type-Options", "nosniff") + encoder := json.NewEncoder(w) + encoder.SetEscapeHTML(false) + return encoder.Encode(r.Data) +} + +// WriteContentType (PureJSON) writes custom ContentType. +func (r PureJSON) WriteContentType(w http.ResponseWriter) { + writeContentType(w, jsonContentType) +}