Fixed dupe mitigate security section

wadepickett · wadepickett · commit 6f9b1faef18b · 2025-06-12T15:20:04.000-07:00
diff --git a/aspnetcore/web-api/jsonpatch/includes/jsonpatch9.md b/aspnetcore/web-api/jsonpatch/includes/jsonpatch9.md
@@ -532,57 +532,4 @@ To test the sample, run the app and send HTTP requests with the following settin
 * Body: Copy and paste one of the JSON patch document samples from the *JSON* project folder.
 
 :::moniker-end
-## Mitigating security risks
-
-When using the `Microsoft.AspNetCore.JsonPatch` package with the `Newtonsoft.Json`-based implementation, it's critical to understand and mitigate potential security risks. The following sections outline the identified security risks associated with JSON Patch and provide recommended mitigations to ensure secure usage of the package.
-
-> [!IMPORTANT]
-> ***This is not an exhaustive list of threats.*** App developers must conduct their own threat model reviews to determine an app-specific comprehensive list and come up with appropriate mitigations as needed. For example, apps which expose collections to patch operations should consider the potential for algorithmic complexity attacks if those operations insert or remove elements at the beginning of the collection.
-
-By running comprehensive threat models for their own apps and addressing identified threats while following the recommended mitigations below, consumers of these packages can integrate JSON Patch functionality into their apps while minimizing security risks.
-
-### Denial of Service (DoS) via memory amplification
-
-* **Scenario**: A malicious client submits a `copy` operation that duplicates large object graphs multiple times, leading to excessive memory consumption.
-* **Impact**: Potential Out-Of-Memory (OOM) conditions, causing service disruptions.
-* **Mitigation**:
-  * Validate incoming JSON Patch documents for size and structure before calling `ApplyTo`.
-  * The validation needs to be app specific, but an example validation can look similar to the following:
-
-```csharp
-public void Validate(JsonPatchDocument patch)
-{
-    // This is just an example. It's up to the developer to make sure that
-    // this case is handled properly, based on the app needs.
-    if (patch.Operations.Where(op => op.OperationType == OperationType.Copy).Count()
-                              > MaxCopyOperationsCount)
-    {
-        throw new InvalidOperationException();
-    }
-}
-```
-
-### Business Logic Subversion
-
-* **Scenario**: Patch operations can manipulate fields with implicit invariants (for example, internal flags, IDs, or computed fields), violating business constraints.
-* **Impact**: Data integrity issues and unintended app behavior.
-* **Mitigation**:
-  * Use POCO objects with explicitly defined properties that are safe to modify.
-  * Avoid exposing sensitive or security-critical properties in the target object.
-  * If no POCO object is used, validate the patched object after applying operations to ensure business rules and invariants aren't violated.
-
-### Authentication and authorization
-
-* **Scenario**: Unauthenticated or unauthorized clients send malicious JSON Patch requests.
-* **Impact**: Unauthorized access to modify sensitive data or disrupt app behavior.
-* **Mitigation**:
-  * Protect endpoints accepting JSON Patch requests with proper authentication and authorization mechanisms.
-  * Restrict access to trusted clients or users with appropriate permissions.
-
-## Additional resources
-
-* [IETF RFC 5789 PATCH method specification](https://tools.ietf.org/html/rfc5789)
-* [IETF RFC 6902 JSON Patch specification](https://tools.ietf.org/html/rfc6902)
-* [IETF RFC 6901 JSON Patch path format spec](https://tools.ietf.org/html/rfc6901)
-* [ASP.NET Core JSON Patch source code](https://github.com/dotnet/AspNetCore/tree/main/src/Features/JsonPatch/src)
 
