
Fortify error on JSON Injection in Java

I am getting SUBSCRIPTION_JSON from the client, which I am converting to a String and then setting on a Model Object using the gson library. On running the code through Fortify security, it is giving me a JSON injection error on the code below with the following message:

Here is the error:

On line 159 of, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity. The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.

JSON injection occurs when:

1. Data enters a program from an untrusted source.

In this case the data enters at getString() in **** at line 355.

2. The data is written to a JSON stream.

In this case the JSON is written by fromJson() in **** at line 159.

final String subscriptionJson = subscriptionForm.getString(SUBSCRIPTION_JSON);

public static <T> T jsonToObject(final String jsonString, final Class<T> className) {
    T object = null;
    if (StringUtils.isNotBlank(jsonString)) {
        final Gson gson = (Gson) BeanLocator.getInstance().getBean(GSON);
        // Fortify reports this call as the JSON injection sink: jsonString is untrusted client input
        object = gson.fromJson(jsonString, className);
    }
    return object;
}


{
    "subscriptions": [{
        "attributeId": "1",
        "items": [{
            "strId": "ALL",
            "nodeType": "G"
        }, {
            "strId": "VO_ENTRY_TIMING_DELAY",
            "nodeType": "L"
        }, {
            "strId": "O_INVALID",
            "nodeType": "L"
        }, {
            "strId": "O_LINE_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_ADDRESS_INVALID",
            "nodeType": "L"
        }]
    }, {
        "attributeId": "2001",
        "items": [{
            "strId": "OSTBU",
            "nodeType": "L"
        }]
    }]
}


  • You must validate the JSON received to be sure it contains exactly the expected content before setting it on the Model Object. You can implement a validator that checks the JSON against patterns for the expected fields/format, for example.
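An added example (not code from the question or the answer) of the validator the answer suggests: it walks the tree returned by Gson's JsonParser and accepts only the keys, value formats and nodeType values that the subscription JSON in the question uses, rejecting unknown fields, wrong types and anything outside the patterns. It assumes Gson 2.8.6 or later (for JsonParser.parseString) and Java 9 or later (for Set.of); the class name and the exact patterns are assumptions chosen to fit the sample, and the caller hands the string to gson.fromJson() only after validate() has returned.

```java
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical whitelist validator for the subscription JSON shown in the question: only the
// expected keys, formats and values pass; anything else is rejected before gson.fromJson() runs.
public final class SubscriptionJsonValidator {
    // Assumed formats: numeric attribute ids, upper-case identifiers, node type G or L.
    private static final Pattern ATTRIBUTE_ID = Pattern.compile("[0-9]{1,10}");
    private static final Pattern STR_ID = Pattern.compile("[A-Z][A-Z0-9_]{0,63}");
    private static final Pattern NODE_TYPE = Pattern.compile("[GL]");

    // Returns the parsed tree, or throws IllegalArgumentException on any deviation from the model.
    public static JsonObject validate(String json) {
        if (json == null) throw new IllegalArgumentException("subscription JSON missing");
        JsonElement root;
        try {
            root = JsonParser.parseString(json);
        } catch (JsonParseException e) {
            throw new IllegalArgumentException("subscription JSON is not well-formed", e);
        }
        JsonObject top = object(root, Set.of("subscriptions"));
        for (JsonElement s : array(top.get("subscriptions"))) {
            JsonObject sub = object(s, Set.of("attributeId", "items"));
            string(sub.get("attributeId"), ATTRIBUTE_ID);
            for (JsonElement i : array(sub.get("items"))) {
                JsonObject item = object(i, Set.of("strId", "nodeType"));
                string(item.get("strId"), STR_ID);
                string(item.get("nodeType"), NODE_TYPE);
            }
        }
        return top;
    }
    // Exact key set: unknown or missing fields are rejected rather than silently ignored.
    private static JsonObject object(JsonElement e, Set<String> keys) {
        if (e == null || !e.isJsonObject() || !e.getAsJsonObject().keySet().equals(keys))
            throw new IllegalArgumentException("expected object with keys " + keys);
        return e.getAsJsonObject();
    }
    private static JsonArray array(JsonElement e) {
        if (e == null || !e.isJsonArray()) throw new IllegalArgumentException("expected array");
        return e.getAsJsonArray();
    }
    private static void string(JsonElement e, Pattern allowed) {
        if (e == null || !e.isJsonPrimitive() || !e.getAsJsonPrimitive().isString()
                || !allowed.matcher(e.getAsString()).matches())
            throw new IllegalArgumentException("value does not match " + allowed);
    }
}
```

Fortify follows taint by data flow, so it may keep reporting the fromJson() call until the validator is declared to it as a cleanse rule; the whitelist check is what actually removes the risk.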