Stop Axum’s JSON extractor from reporting errors that give hackers clues to what they're doing wrong

[softwarenerd]

Summary

Hello,

Preface: I'm very new to all this: Rust, Axum, etc.

See: #1116 (comment)

I think it's great that Axum's JSON extractor reports errors, but I don't want this behavior in my production application because it can be used by hackers to figure out, step-by-step, what they're doing wrong.

For example, suppose my REST API is accepting a PUT of:

struct Favorites {
    email_address: String,
    favorite_food: String,
    favorite_color: String,
    favorite_ice_cream: String,
}

Via this handler:

async fn update_favorites(
    Json(payload): Json<Favorites>
) -> impl IntoResponse {
    // insert your application logic here
    StatusCode::OK
}

All a hacker has to do is start making PUTs and they'll receive detailed instructions on how to construct the appropriate data structure.

PUT an empty JSON body and you'll be told:

Failed to deserialize the JSON body into the target type: missing field `email_address` at line 2 column 1

PUT a JSON body with email_address filled in, and you'll be told:

Failed to deserialize the JSON body into the target type: missing field `favorite_food` at line 3 column 1

And so on.

The REST API I'm building is not for the peoples. 🙂 It's for my application alone.

There doesn't seem to be a good way to prevent this from happening. All the Gen AI answers I get for this question don't compile or involve a lot of complexity (such as building my own custom JSON extractor), and I'm looking for an easier, simpler way to turn these JSON extraction errors off, and possibly other errors like them I'm not aware of.

What I came up with was building a middleware that does this:

pub async fn strip_error_body(req: Request, next: Next) -> Result<Response, (StatusCode, String)> {
    // Call the next middleware or handler.
    let mut res = next.run(req).await;

    // If the response code indicates an error occurred, replace
    // the response with a new one that has an empty body.
    if res.status() >= StatusCode::BAD_REQUEST {
        res = Response::builder()
            .status(res.status())
            .body(Body::empty())
            .unwrap();
    }

    Ok(res)
}

So, my questions are: 1) Does this seem like a good solution? 2) Should Axum provide a way to do this?

Thanks!

axum version

0.8.3

[mladedav]

First and foremost, don't build your security on an assumption that an attacker does not know your payload schema. If you want to have at least basic security, assume they have access to the source code.

For your actual question, see WithRejection and specifically the customize-extractor-error example.

[jplatte]

To add to this, if you make your own Json extractor and want to enforce that it is used throughout your code base instead of axum's, you can set up clippy and configure it to disallow axum::Json.

[softwarenerd]

First and foremost, don't build your security on an assumption that an attacker does not know your payload schema. If you want to have at least basic security, assume they have access to the source code.

For your actual question, see WithRejection and specifically the customize-extractor-error example.

I am not relying on this for security. As I tried to make clear, I just don't want these errors to be returned because, as the developer of the service, that's how I want things to work.

[softwarenerd]

OK, so I wound up with this:

use axum::{
    extract::{FromRequest, Request, rejection::JsonRejection},
    http::StatusCode,
};

pub struct NoErrorInfoJson<T>(pub T);

impl<S, T> FromRequest<S> for NoErrorInfoJson<T>
where
    axum::Json<T>: FromRequest<S, Rejection = JsonRejection>,
    S: Send + Sync,
{
    type Rejection = StatusCode;

    async fn from_request(req: Request, state: &S) -> Result<Self, Self::Rejection> {
        let (parts, body) = req.into_parts();
        let req = Request::from_parts(parts, body);
        match axum::Json::<T>::from_request(req, state).await {
            Ok(value) => Ok(Self(value.0)),
            Err(rejection) => Err(rejection.status()),
        }
    }
}

Which does what I want. As I said, I'm pretty new to Rust and Axum. Do I have the optimal implementation?

Thanks!

[jplatte]

You can remove the first two lines of the method body, they do nothing. You only need that match.

Also, I would not use an axum::Json<T>: FromRequest bound like that, instead copying the upstream bound of T: DeserializeOwned.

Finally, you don't really need to pass the state along, since axum::Json doesn't use it. I'd declare it as _: &S and pass &() to FromRequest, or to make it look nicer import axum::RequestExt and make the match scrutinee req.extract::<axum::Json<T>>().await.

[softwarenerd]

You can remove the first two lines of the method body, they do nothing. You only need that match.

Also, I would not use an axum::Json<T>: FromRequest bound like that, instead copying the upstream bound of T: DeserializeOwned.

Finally, you don't really need to pass the state along, since axum::Json doesn't use it. I'd declare it as _: S and pass &() to FromRequest, or to make it look nicer import axum::RequestExt and make the match scrutinee req.extract::<axum::Json<T>>().await.

Thank you, @jplatte. This feedback will help me learn more about what's actually going on.