Security checks for Json()

[tamalsaha]

In Go's net/http ParseForm() method, the following checks are done:
https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1176

// For other HTTP methods, or when the Content-Type is not
// application/x-www-form-urlencoded, the request Body is not read, and
// r.PostForm is initialized to a non-nil, empty value.
//
// If the request Body's size has not already been limited by MaxBytesReader,
// the size is capped at 10MB.

Should the similar checks in Request body be done in Json() method, too?

1. Check that request body content type is application/json ?
2. Limit request body size to 10MB ?

[unknwon]

JSON is stream parse, but form parse needs pre-read in https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1130:6 . MaxBytesReader is sufficient enough.

[tamalsaha]

Sorry, I don't follow. Are you saying that Json() should use a MaxBytesReader to limit excess read?

[unknwon]

In conclusion, yes!