Security Advisories (1)
CVE-2025-15604 (2026-03-28)

Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Before version 6.06, there was no fallback when /dev/urandom was not available. Before version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string. This function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.

NAME

Amon2::Plugin::Web::JSON - JSON plugin

SYNOPSIS

use Amon2::Lite;

__PACKAGE__->load_plugins(qw/Web::JSON/);

get '/' => sub {
    my $c = shift;
    return $c->render_json(+{foo => 'bar'});
};

__PACKAGE__->to_app();

DESCRIPTION

This is a JSON plugin.

METHODS

$c->render_json(\%dat);

Generates JSON from \%dat and returns an instance of Plack::Response.

PARAMETERS

status_code_field

Specifies the name of the JSON field whose value is embedded in the 'X-API-Status' header. Default is undef. When it is undef, the 'X-API-Status' header is not sent.

__PACKAGE__->load_plugins(
    'Web::JSON' => { status_code_field => 'status' }
);
...
$c->render_json({ status => 200, message => 'ok' })
# send response header 'X-API-Status: 200'

In general, a JSON API embeds its error code in the JSON response body. But a general web server cannot log an error code that lives in the JSON body in its access log. By using the 'X-API-Status' header, you can.

canonical

If the canonical parameter is true, this plugin outputs JSON objects with their keys sorted. This adds comparatively high overhead.

__PACKAGE__->load_plugins(
    'Web::JSON' => { canonical => 1 }
);
...
$c->render_json({ b => 1, c => 1, a => 1 });
# json response is '{ "a" : 1, "b" : 1, "c" : 1 }'

FAQ

How can I use JSONP?

You can use JSONP by using Plack::Middleware::JSONP.

JSON and security

Browse the JSON files directly.

This module escapes the '<', '>', and '+' characters in the "\uXXXX" form, so browsers do not detect the JSON as HTML.

This module also outputs the X-Content-Type-Options: nosniff header for IE.

It's good enough, I hope.

JSON Hijacking

Recent browsers don't have a JSON hijacking issue (I hope). The __defineSetter__ and UTF-7 attacks have been resolved by browsers.

But Firefox <= 3.0.x and Android phones have an issue with the Array constructor, see http://d.hatena.ne.jp/ockeghem/20110907/p1.

Firefox <= 3.0.x is outdated. Web application developers don't need to add a work-around for it, see http://en.wikipedia.org/wiki/Firefox#Version_release_table.

Amon2::Plugin::Web::JSON has a JSON hijacking detection feature. It returns a "403 Forbidden" response if a request matches all of the following conditions:

The request has a 'Cookie' header.
The request doesn't have an 'X-Requested-With' header.
The request's 'User-Agent' header matches /android/i.
The request method is 'GET'.
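The four conditions above, together with the '<', '>', '+' escaping described earlier, re-implemented as an added example over a PSGI environment hash. This is not the module's own code: the header key names follow the PSGI convention (HTTP_COOKIE and so on) and the sample requests are constructed.

```perl
use strict;
use warnings;

# Constructed example (not Amon2::Plugin::Web::JSON's implementation):
# returns 1 when a PSGI request matches all four hijacking conditions.
sub looks_like_json_hijacking {
    my ($env) = @_;
    return 0 unless ($env->{REQUEST_METHOD} // '') eq 'GET';   # GET only
    return 0 unless defined $env->{HTTP_COOKIE};                # has Cookie
    return 0 if defined $env->{HTTP_X_REQUESTED_WITH};          # not XHR
    return 0 unless ($env->{HTTP_USER_AGENT} // '') =~ /android/i;
    return 1;
}

# Escape '<', '>' and '+' as \uXXXX so the body cannot be sniffed as HTML.
# Same characters the module escapes; the implementation here is our own.
sub escape_json_for_html {
    my ($json) = @_;
    $json =~ s/([<>+])/sprintf('\\u%04x', ord $1)/ge;
    return $json;
}

# Constructed sample requests: only the first one should be rejected.
my @samples = (
    { REQUEST_METHOD => 'GET',  HTTP_COOKIE => 'sid=abc',
      HTTP_USER_AGENT => 'Mozilla/5.0 (Linux; Android 2.3)' },
    { REQUEST_METHOD => 'GET',  HTTP_COOKIE => 'sid=abc',
      HTTP_USER_AGENT => 'Mozilla/5.0 (Linux; Android 2.3)',
      HTTP_X_REQUESTED_WITH => 'XMLHttpRequest' },
    { REQUEST_METHOD => 'POST', HTTP_COOKIE => 'sid=abc',
      HTTP_USER_AGENT => 'Android' },
    { REQUEST_METHOD => 'GET',  HTTP_USER_AGENT => 'Android' },  # no Cookie
);

for my $env (@samples) {
    printf "%-4s cookie=%-3s xrw=%-3s ua=%-34s -> %s\n",
        $env->{REQUEST_METHOD},
        defined $env->{HTTP_COOKIE}           ? 'yes' : 'no',
        defined $env->{HTTP_X_REQUESTED_WITH} ? 'yes' : 'no',
        $env->{HTTP_USER_AGENT} // '',
        looks_like_json_hijacking($env) ? '403 Forbidden' : 'serve JSON';
}

print escape_json_for_html('{"html":"<b>a+b</b>"}'), "\n";
```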

See also hasegawayosuke's article (Japanese).

FAQ

HOW DO YOU CHANGE THE HTTP STATUS CODE FOR JSON?

The render_json method returns an instance of Plack::Response, so you can modify the response object before returning it.

Here is an example:

get '/' => sub {
    my $c = shift;
    if (-f '/tmp/maintenance') {
        my $res = $c->render_json({err => 'Under maintenance'});
        $res->status(503);
        return $res;
    }
    return $c->render_json({err => undef});
};

THANKS TO

hasegawayosuke