0

Currently the Web API which queries the Oracle DB is returning the result as JSON in the format below.

[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]

Below is the code we are using

using System.Data;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
// plus the namespace of the Oracle ADO.NET provider in use (for example Oracle.ManagedDataAccess.Client)

public class SampleController : ApiController
{
    public HttpResponseMessage Getdetails([FromUri] string[] id)
    {
        using (OracleConnection dbconn = new OracleConnection("DATA SOURCE=J;PASSWORD=C;PERSIST SECURITY INFO=True;USER ID=T"))
        {
            var inconditions = id.Distinct().ToArray();
            // Bind each id as a parameter (:p0, :p1, ...) instead of splicing the raw
            // values into the SQL text, which would leave the query open to SQL injection.
            var paramNames = inconditions.Select((value, i) => "p" + i).ToArray();
            var placeholders = string.Join(",", paramNames.Select(name => ":" + name));
            var strQuery = "SELECT * from STCD_PRIO_CATEGORY where STPR_STUDY.STD_REF IN(" + placeholders + ")";
            OracleCommand selectCommand = new OracleCommand(strQuery, dbconn);
            for (int i = 0; i < inconditions.Length; i++)
            {
                selectCommand.Parameters.Add(new OracleParameter(paramNames[i], inconditions[i]));
            }
            OracleDataAdapter adapter = new OracleDataAdapter(selectCommand);
            DataTable selectResults = new DataTable();
            adapter.Fill(selectResults); // Fill opens and closes the connection itself
            // The DataTable is serialised as a top-level JSON array of rows
            var response = Request.CreateResponse(HttpStatusCode.OK, selectResults, MediaTypeHeaderValue.Parse("application/json"));
            ContentDispositionHeaderValue contentDisposition = null;
            if (ContentDispositionHeaderValue.TryParse("inline; filename=ProvantisStudyData.json", out contentDisposition))
            {
                response.Content.Headers.ContentDisposition = contentDisposition;
            }
            return response;
        }
    }
}

But the Client which has the Script which consumes the file says that the JSON structure being an array instead of an object is a security hole.

  {"data":[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]}

I am new to this JSON structure and not sure how we will manipulate the returned data as an object in the JSON file.

trx
  • 1,847
  • 7
  • 33
  • 71
  • What do you mean by "client" here? Who says this is a security hole? – DavidG Jul 31 '16 at 23:55
  • I see that the top one is the returned one now, the bottom one is what you want :P The security hole is that a top level JSON array can be hijacked as it is a valid JavaScript script, whereas a JSON object is not. – starlight54 Aug 01 '16 at 00:00
  • @starlight54 Are you sure? http://stackoverflow.com/questions/16289894/is-json-hijacking-still-an-issue-in-modern-browsers – DavidG Aug 01 '16 at 00:06
  • @starlight54 Exactly. The top one is currently being returned as an array but the data will be executed in the browser as part of a script. They want it now as an object – trx Aug 01 '16 at 00:08
  • @DavidG There'll be a douche somewhere who's still running an ancient browser on Windows ME, of course it's their fault then, but it's a minor inconvenience to avoid the use of top level JSON arrays, and because they're valid JS, other vulnerabilities could be found or introduced later. – starlight54 Aug 01 '16 at 00:22
  • @starlight54 Maybe, but why should anyone support browsers that are a decade old? Let them worry about their own security risks. They've got bigger problems than worrying about JSON hacking. – DavidG Aug 01 '16 at 00:25
  • @starlight54 how will we convert the JSON array into the Object? Any help is greatly appreciated. – trx Aug 01 '16 at 12:48
  • Are you looking to convert a json array to C# objects? – Eldho Aug 01 '16 at 13:08
  • See this to deserialize your json http://www.newtonsoft.com/json/help/html/deserializeobject.htm – Eldho Aug 01 '16 at 13:10

1 Answer

4

I haven't heard of any security issue around an array within the JSON; however, if you need to convert it to a JSON object you could use a generic object that you define:

var returnObject = new
{
    selectResults = selectResults
};

This will add the JSON object wrapping you want onto the response; you can then use this code to build your response:

var response = Request.CreateResponse(HttpStatusCode.OK, returnObject,MediaTypeHeaderValue.Parse("application/json"));

Sorry if I have misunderstood what you are asking for - hope this helps/works.

jthomperoo
  • 93
  • 1
  • 7
  • Thank you. But do we assign selectResults to itself? Also it says type expected in the new() – trx Aug 01 '16 at 12:47
  • Sorry, the code I provided had an extra '()' in it after the 'new' - this isn't needed; I have amended my solution to fix this and it should work now, I tested it out myself. Also - the 'selectResults' that is being assigned to in the new object will be the name of the JSON property; in " {"data":[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]} " it would be in the position the 'data' tag is. – jthomperoo Aug 01 '16 at 13:00
  • Almost there, to change the name to data change your code to the following: var returnObject = new { data = selectResults }; this will change the name of the JSON object to 'data' – jthomperoo Aug 01 '16 at 13:49
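Added example, not code from the question or the answer: a Node.js check for the property starlight54's comment describes (a top-level JSON array is a valid JavaScript script, an object wrapped under a key is not) together with the "data" wrapping the answer arrives at, run on the response body quoted in the question. The function names are the example's own.

```javascript
// Constructed input: the API response body quoted in the question.
const ARRAY_BODY =
  '[{"CATEGORY":"Internal Study","SESSION_NUMBER":7,' +
  '"SESSION_START_DATE":"2015-02-13T00:00:00","SESSION_START_TIME":"2015-02-13T10:33:59.288394"}]';

// True when the JavaScript parser accepts the text as a script body.
// An array literal parses; '{"data":[...]}' does not, because the outer braces are read
// as a block statement and a quoted string followed by ':' is not a valid label.
function parsesAsScript(text) {
  try {
    new Function(text); // parse only; the resulting function is never called
    return true;
  } catch (e) {
    return false; // SyntaxError: not loadable as a script
  }
}

// Wrap a top-level array under a single property ({"data":[...]}, the shape the
// client asked for). Bodies that are already objects are returned unchanged.
function wrapTopLevelArray(jsonText, key = 'data') {
  const value = JSON.parse(jsonText);
  if (!Array.isArray(value)) return jsonText;
  return JSON.stringify({ [key]: value });
}

// Defender-side audit of a response body: valid JSON that would also parse as a
// script (top-level array, string, number, empty braces) is flagged.
function auditResponseBody(jsonText) {
  JSON.parse(jsonText); // throws if the body is not JSON at all
  return parsesAsScript(jsonText)
    ? 'top-level JSON is loadable as a script: wrap it in an object'
    : 'ok';
}

console.log(auditResponseBody(ARRAY_BODY));
console.log(auditResponseBody(wrapTopLevelArray(ARRAY_BODY)));
```

As the page DavidG links notes, current browsers have closed the original array hijack, so the wrapped shape mainly satisfies the client's requirement without depending on browser behaviour.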