Bash – Sanitize JSON for sending with Curl

bashcurljson

I have to send a POST request to some service with JSON payload, and it includes some user input. That input variable needs to be JSON-encoded to prevent injection attacks.

Code example that sends requests and parses response JSON to RESP variable:

RESP=`curl --connect-timeout "10" -s -H "Content-Type: application/json" \
        -X POST -d '{ "Attribute": '"'$USERINPUT'" }',\
        $ENDPOINT | $JQ -r '.key'`

How to sanitize, or JSON encode, $USERINPUT before creating JSON payload?

Best Answer

Using the jo utility, the sanitized JSON document could be constructed using

data=$( jo Attribute="$USERINPUT" )

You would then use -d "$data" with curl to pass this to the end point.

Old answer using jq instead of jo:

Using jq:

USERINPUT=$'a e""R<*&\04\n\thello!\''

This string has a couple of double quotes, an EOT character, a newline, a tab and a single quote, along with some ordinary text.

data="$( jq --null-input --compact-output --arg str "$USERINPUT" '{"Attribute": $str}' )"

This builds a JSON object containing the user data as the value for the lone Attribute field.

The same thing using short options:

data="$( jq -nc --arg str "$USERINPUT" '{"Attribute": $str}' )"

From this we get

{"Attribute":"ae\"\"R<*&\u0004\n\thello!'"}

as the value in $data.

This can now be used in your call to curl:

RESP="$( curl --connect-timeout "10" -s \
           -H "Content-Type: application/json" \
           -X POST -d "$data" \
           "$ENDPOINT" | jq -r '.key' )"

Related Solutions

Sending CURL request with custom IP

You can using the -H/--header argument:

You could spoof your ip address:

curl --header "X-Forwarded-For: 192.168.0.2" http://example.com

Example:
client

$ curl http://webhost.co.uk

web host

$ tailf access.log | grep 192.168.0.54   
192.168.0.54 - - [10/Nov/2014:15:56:09 +0000] "GET / HTTP/1.1" 200 14328 "-"   
"curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3   
libidn/1.18 libssh2/1.4.2"

client with ip address changed

$ curl --header "X-Forwarded-For: 192.168.0.99" http://webhost.co.uk

web host

$ tailf access.log | grep 192.168.0.99  
192.168.0.99 - - [10/Nov/2014:15:56:43 +0000] "GET / HTTP/1.1" 200  
14328 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0  
zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

man curl

 -H/--header <header>
              (HTTP)  Extra header to use when getting a web page. You may
              specify any number of extra headers. Note that if you should add
              a custom header that has the same name as one of the internal
              ones curl would use, your externally set header  will  be  used
              instead  of the internal one. This allows you to make even
              trickier stuff than curl would normally do. You should not
              replace internally set headers without knowing perfectly well
              what you’re doing. Remove an internal header by  giving  a
              replacement without content on the right side of the colon,
              as in: -H "Host:".

References:

Modify_method_and_headers

Best Answer

Related Solutions

Sending CURL request with custom IP

Related Question