When doing some testing the other day, I noticed that JSON data that contains more fields than a struct is accepted into the struct, while only ones that do not fulfill all the struct's fields are rejected. This seems like it has the potential to be a security flaw, though I'm unsure what exactly is happening in the abstraction layer, and if it is safe or unsafe. Just wondering if someone knowledgeable in this area might have some idea as to why this happens, if it's really okay, or maybe could point me in a direction where to look myself. Thanks!
Replies: 1 comment 1 reply
Unlike what is possible in JavaScript, having extra JSON fields is not going to cause any security issues in a Rust app. However, you can opt in to disallowing them using the standard serde `deny_unknown_fields` attribute.

You can also choose to collect the unknown fields if you want to inspect them for some reason by adding an extra field to your struct:

```rust
use std::collections::HashMap;

use serde::Deserialize;

#[derive(Debug, Deserialize)]
struct Foo {
    // ...
    // Any keys not matched by the fields above are collected here.
    #[serde(flatten)]
    extra_fields: HashMap<String, serde_json::Value>,
}
```