Is sanitizing JSON necessary?

I think it's a well-known best practice on the web to mistrust any input. The sentence

"All input is evil."

is probably the most cited quote with respect to input validation. Now, for HTML you can use tools such as DOMPurify to sanitize it.

My question is, if I have a Node.js server running Express and body-parser middleware to receive and parse JSON, do I need to run any sanitizing as well?

My (maybe naive?) thoughts on this are that JSON is only data, no code, and if somebody sends invalid JSON, body-parser (which uses JSON.parse() internally) will fail anyway, so I know that my app will receive a valid JavaScript object. As long as I don't run eval on that or call a function, I should be fine, shouldn't I?

Am I missing something?

Since JSON.parse() does not run any code, it is not vulnerable the way eval() is, but there are still things you should do to protect the integrity of your server and application such as:

  1. Apply exception handlers in the appropriate place as JSON.parse() can throw an exception.
  2. Don't make assumptions about what data is there, you must explicitly test for data before using it.
  3. Only process properties you are specifically looking for (avoiding other things that might be in the JSON).
  4. Validate all incoming data as legitimate, acceptable values.
  5. Sanitize the length of data (to prevent DOS issues with overly large data).
  6. Don't put this incoming data into places where it could be further evaluated such as directly into the HTML of the page or injected directly into SQL statements without further sanitization to make sure it is safe for that environment.

So, to answer your question directly, "yes" there is more to do than just using body-parser though it is a perfectly fine front line for first processing the data. The next steps for what you do with the data once you get it from body-parser do matter in many cases and can require extra care.

As long as you're using JSON.parse no code will be evaluated

You should still whitelist any key:value pairs you want to accept from the parsed result though

You should be fine. Early users of JSON would often call eval() on the received string, which is of course a huge security hole. But JSON.parse, as you state, handles the majority of these kinds of sanity checks.

As long as you make sure not to take something out of a received JSON object and pass it directly into a sql query, for example, you should be fine.