Fastify Node.js framework improves JSON security thanks to a security report
On April 9th, Francesco Soncina – also known as
This security report was eventually deemed relatively harmless, since it does not affect Fastify by itself: the JSON schema is provided by the application developer as a configuration item and is therefore regarded as trusted input.
Nonetheless, it is both interesting and important to highlight the value of such security reports, whether or not they end up as a verified CVE.
In this case in particular, the discussion throughout the report revolves around an ongoing debate between Fastify's maintainer and the security researcher who disclosed the issue. The collaborative effort and determination shown by Collina and Soncina is quite fascinating. Their work focuses on flushing out all possible security sinks in the JSON serialization logic, in order to make it as tolerant as possible of security issues that may surface later.
Most interestingly, this security vulnerability report led to:
- A more robust and secure JSON serializer in fast-json-stringify, delivered through this pull request on GitHub: https://github.com/fastify/fast-json-stringify/pull/168 and its follow-up official release in version 1.15.3
- A security disclaimer in the documentation that clearly states the concerns and areas of risk, so that users of this library are well informed on how to handle data. This was introduced through the following commit: https://github.com/fastify/fastify/commit/a387f0575bab4f3077c374faab680e30931e4036
As I was wrapping up this report and preparing it for disclosure, it became clear to me that we should be doing more to recognize the value of security disclosures. Although the reported issue didn't directly impact Fastify or fast-json-stringify, it sparked a meaningful discussion. Most importantly, it promoted awareness among maintainers of security concerns around their code.
More information about Fastify JSON schema validation and its security concerns is available at: https://github.com/fastify/fastify/blob/master/docs/Validation-and-Serialization.md