[Security] MEDIUM: Unsafe JSON Parsing Without Schema Validation #53
Description
Security Vulnerability Report
Severity: Medium
Type: Insecure Deserialization
OWASP Category: A08:2021 – Software and Data Integrity Failures
Description
The application uses JSON.parse() on untrusted data from LLM responses, configuration files, and cached data without schema validation. While partially trusted, there's no runtime type checking after parsing.
Affected Files
src/commands/reply.ts(Line 233)src/commands/blog.ts(Lines 136, 193, 236, 468, 478)src/services/content-analyzer.ts(Line 48)
Vulnerable Code
function parseReplyOpportunities(response: string, tweets: Tweet[]): ReplyOpportunity[] {
try {
let jsonStr = response;
const jsonMatch = response.match(/\[[\s\S]*\]/);
if (jsonMatch) {
jsonStr = jsonMatch[0];
}
const parsed: ParsedReplyItem[] = JSON.parse(jsonStr);
// No runtime validation of parsed structure
} catch (error) {
logger.error(`Failed to parse LLM response: ${(error as Error).message}`);
return [];
}
}Impact
- Potential prototype pollution attacks if JSON is later merged
- Runtime errors from malformed data
- Type safety violations
- Denial of service (large JSON objects)
Recommended Fix
Use a schema validation library like Zod:
import { z } from 'zod';
const ReplySchema = z.array(z.object({
tweetNumber: z.number(),
suggestedReply: z.string(),
reasoning: z.string(),
}));
function parseReplyOpportunities(response: string, tweets: Tweet[]): ReplyOpportunity[] {
try {
const jsonMatch = response.match(/\[[\s\S]*\]/);
if (!jsonMatch) {
return [];
}
const parsed = ReplySchema.safeParse(JSON.parse(jsonMatch[0]));
if (!parsed.success) {
logger.error(`Invalid LLM response structure: ${parsed.error.message}`);
return [];
}
return parsed.data;
} catch (error) {
logger.error(`Failed to parse LLM response: ${(error as Error).message}`);
return [];
}
}