Все Едно Все Едно - 6 months ago 44
Javascript Question

Unable to parse bulk JSON POST request to Kinvey back-end

When I try to parse this JSON:

[
{"name":"name1","id":12},
{"name":"name2","id":11},
{"name":"name3","id":111},
{"name":"name4","id":1115}
]


in a POST request to Kinvey's BAAS, I get the error:

{
"error": "Unable to parse the JSON in the request"
}


Here is a screenshot of my back-end (Kinvey).

Here is a screenshot of my request (Postman).

When I send the single entity
{"name":"name1","id":12}
it doesn't throw an error and places it in the back-end as it should. Picture here: Kinvey worked

Answer

As a security measure, some frameworks won't parse top-level arrays as JSON. Doing so enabled exploits in some older browsers.

The exploit goes something like this:

  1. Write some Javascript that replaces Array with a function that stores its contents to some other variable.

  2. In your malicious site, include a request to some privileged (JSON Array) resource on another server using a <script> tag.

  3. Trick a user with privileges on that server into visiting your site.

The requested resource will be pulled from the benign server, loaded in the user's browser as a script, and evaluated— but the array gets handled by your malicious substitute function, which you can use however you like. A form of cross-site request forgery.

Update

Regarding the question, "how do I upload multiple entities to a Kinvey collection?", the answer is in the Kinvey documentation:

"For bulk upload, see the CSV/JSON import feature on the Kinvey console (navigate to the collection, click Settings, then click Import Data)."