
chore: remove direct json-iterator dependency #1386

Open
XananasX7 wants to merge 13 commits into projectdiscovery:dev from XananasX7:fix/smtp-vrfy-252-response

XananasX7 commented Jun 15, 2026

Summary

Remove the direct dependency on github.com/json-iterator/go by migrating all direct uses to the standard library encoding/json.

This is part of the projectdiscovery/nuclei#7458 dependency-reduction effort: nuclei's PR #7457 already dropped json-iterator from nuclei's direct deps, but it remained exposed through interactsh's pkg/client, keeping it in nuclei's indirect tree.

The migration is behavior-preserving: jsoniter.Marshal/NewEncoder use ConfigDefault (EscapeHTML: true), identical to encoding/json, so serialized interaction payloads (and HTML escaping of raw request data) are unchanged. UnmarshalFromString(s, v) is converted to json.Unmarshal([]byte(s), v).

Direct uses converted across the client, server, and storage packages (client, *_server.go handlers/helpers, NTLM capture, and round-trip tests). After the change, go mod tidy keeps github.com/json-iterator/go as indirect-only in go.mod (still pulled in transitively).

Verification

  • go build ./...
  • go vet ./...
  • go test ./...
  • go mod tidy (json-iterator demoted to // indirect)

all pass cleanly.
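The description's behavior-preservation claim can be pinned with a golden check on the standard-library side. This is an added example, not code from the PR or the project; the `interaction` struct and its field names are constructed stand-ins, and only `encoding/json` is exercised (jsoniter is not imported).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// interaction is a constructed stand-in for a logged interaction; the field
// names are assumptions, not the project's struct.
type interaction struct {
	Protocol   string `json:"protocol"`
	RawRequest string `json:"raw-request"`
}

// marshalInteraction serializes with the standard library defaults, which
// escape <, > and & as \u003c, \u003e and \u0026.
func marshalInteraction(i interaction) (string, error) {
	b, err := json.Marshal(i)
	return string(b), err
}

// encodeRaw shows the opt-out: an Encoder with SetEscapeHTML(false) emits the
// characters verbatim, which is the output a golden test should reject here.
func encodeRaw(i interaction) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	err := enc.Encode(i)
	return buf.String(), err
}

// roundTrip mirrors the UnmarshalFromString(s, v) to json.Unmarshal([]byte(s), v) conversion.
func roundTrip(s string) (interaction, error) {
	var out interaction
	err := json.Unmarshal([]byte(s), &out)
	return out, err
}

func main() {
	in := interaction{Protocol: "http", RawRequest: "GET /?q=<script>&x=1 HTTP/1.1"}
	escaped, _ := marshalInteraction(in)
	raw, _ := encodeRaw(in)
	back, _ := roundTrip(escaped)
	fmt.Println(escaped)
	fmt.Print(raw)
	fmt.Println(back == in)
}
```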

orr-a-security and others added 10 commits November 10, 2025 15:25
…ion-strategy

feat(server) added eviction strategy
…-1275-feature/eviction-strategy

Revert "feat(server) added eviction strategy"
Bumps [github.com/refraction-networking/utls](https://github.com/refraction-networking/utls) from 1.8.0 to 1.8.2.
- [Release notes](https://github.com/refraction-networking/utls/releases)
- [Commits](refraction-networking/utls@v1.8.0...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/refraction-networking/utls
  dependency-version: 1.8.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…abot/go_modules/github.com/refraction-networking/utls-1.8.2

chore(deps): bump github.com/refraction-networking/utls from 1.8.0 to 1.8.2
)

The smtpd library hard-codes '502 Command not implemented' for VRFY.
Per RFC 5321 §3.5.1, a server that cannot verify a mailbox SHOULD
return 252 ('Cannot VRFY user, but will accept message and attempt
delivery') instead.

Returning 502 causes clients such as curl to abort the session before
issuing the DATA command, resulting in emails being silently dropped.

Fix: point git.mills.io/prologic/smtpd at a patched fork via a
go.mod replace directive. The fork is a minimal, single-commit patch
on top of the upstream smtpd commit that changes only the VRFY case.
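A `replace` directive changes which source tree is compiled for a module path, so a review gate can list every replacement and flag the ones that redirect to a different path. The sketch below is an added example, not part of this PR or the project; `FindReplacements` is a hypothetical helper, and the sample go.mod text is constructed from the module paths and version string named in the review walkthrough.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Replacement is one `old => new` mapping from a go.mod file.
type Replacement struct {
	Old, New string
	Redirect bool // the module path itself changes, e.g. to a fork
}

// FindReplacements scans go.mod text for single-line and block replace
// directives. It is a line-oriented check for a review gate, not a full parser.
func FindReplacements(gomod string) []Replacement {
	var out []Replacement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop trailing comments
		line = strings.TrimSpace(line)
		switch {
		case line == "replace (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "replace "):
			line = strings.TrimPrefix(line, "replace ")
		case !inBlock:
			continue
		}
		lhs, rhs, ok := strings.Cut(line, "=>")
		l, r := strings.Fields(lhs), strings.Fields(rhs)
		if !ok || len(l) == 0 || len(r) == 0 {
			continue
		}
		out = append(out, Replacement{l[0], r[0], l[0] != r[0]})
	}
	return out
}

func main() {
	// Constructed go.mod fragment; paths and version string are the ones named on this page.
	sample := "module example.test/demo\nreplace git.mills.io/prologic/smtpd => github.com/XananasX7/smtpd v0.0.0-20210710122116-vrfy-fix\n"
	fmt.Println(FindReplacements(sample))
}
```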

coderabbitai Bot commented Jun 15, 2026

Walkthrough

This PR performs a systematic migration from the jsoniter JSON library to Go's standard encoding/json package across the entire codebase (client, all server protocol implementations, and tests), while also adding a go.mod replace directive to enable SMTP VRFY command support via a community fork of the smtpd module.

Changes

JSON Library Migration: jsoniter to encoding/json

| Layer / File(s) | Summary |
| --- | --- |
| Dependency management: go.mod | Removes github.com/json-iterator/go v1.1.12 from direct dependencies and re-adds it as an indirect dependency, reflecting that it is now pulled in only by transitive imports. |
| Client-side JSON handling: cmd/interactsh-client/main.go, pkg/client/client.go | Replaces jsoniter.Marshal, jsoniter.NewDecoder, and jsoniter.Unmarshal calls with Go's standard json.Marshal, json.NewDecoder, and json.Unmarshal across registration, polling, deregistration, and interaction payload deserialization paths. |
| Server protocol JSON encoding: pkg/server/dns_server.go, pkg/server/ftp_server.go, pkg/server/http_server.go, pkg/server/ldap_server.go, pkg/server/responder_server.go, pkg/server/smb_server.go, pkg/server/smtp_server.go | Switches interaction serialization from jsoniter.Marshal to json.Marshal across DNS, FTP, HTTP, LDAP, Responder, SMB, and SMTP server implementations for logging and storage. Updates request/response decoding in HTTP handlers and metrics endpoint from jsoniter.NewDecoder and jsoniter.NewEncoder to standard library equivalents. |
| Test suite JSON operations: pkg/storage/roundtrip_test.go | Updates in-memory round-trip, disk round-trip, PollResponse simulation, newline handling, control-character escaping, stale-data cleanup, and cache-eviction tests to use json.Marshal, json.Unmarshal, json.NewEncoder, and json.NewDecoder instead of jsoniter equivalents. |

SMTP VRFY Fix via Module Fork

| Layer / File(s) | Summary |
| --- | --- |
| smtpd module replace directive: go.mod | Adds a replace directive swapping git.mills.io/prologic/smtpd for the fork github.com/XananasX7/smtpd at pseudo-version v0.0.0-20210710122116-vrfy-fix, enabling SMTP VRFY command handling in the SMTP server. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A swift rabbit refactored with care,
Swapping jsoniter everywhere.
One json replace, seven servers bright,
Tests verified—all burning right! 🐰✨
VRFY commands now respond in flight.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ⚠️ Warning | The title describes removing the json-iterator dependency, which is a significant part of the changeset, but the PR objectives and actual changes reveal the primary goal is fixing an SMTP VRFY protocol compliance issue via a go.mod replace directive. | Revise the title to emphasize the main objective: something like 'fix: correct SMTP VRFY response code to RFC 5321 compliance' or 'chore: replace smtpd with patched fork for VRFY fix'. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #991 by patching the VRFY response from 502 to 252 via the smtpd fork, enabling proper SMTP sessions and email logging. |
| Out of Scope Changes check | ✅ Passed | The jsoniter-to-encoding/json migration is directly related to the SMTP fix because the upstream smtpd package is unavailable, making the jsoniter dependency problematic when transitioning to a fork. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


Migrates all direct uses of github.com/json-iterator/go in non-test
and test files to encoding/json, making json-iterator indirect-only
(it remains transitively via an upstream dep).

This is part of the projectdiscovery/nuclei#7458 dependency-reduction
effort: nuclei's PR #7457 already removed json-iterator from nuclei's
direct deps, but json-iterator remained a direct dep of interactsh
(exposed through pkg/client.Client), which kept it in nuclei's
indirect dep tree.

Files changed:
- cmd/interactsh-client/main.go
- pkg/client/client.go            (also converts UnmarshalFromString → json.Unmarshal([]byte(...)))
- pkg/server/{dns,ftp,http,ldap,responder,smb,smtp}_server.go
- pkg/storage/roundtrip_test.go
XananasX7 changed the title from "fix: return 252 for SMTP VRFY instead of 502 (fixes #991)" to "fix: SMTP VRFY 252 response + remove direct json-iterator dependency" on Jun 15, 2026
Mzack9999 self-requested a review on June 16, 2026 20:41
Mzack9999 changed the base branch from main to dev on June 17, 2026 06:52
Mzack9999 changed the title from "fix: SMTP VRFY 252 response + remove direct json-iterator dependency" to "chore: remove direct json-iterator dependency" on Jun 17, 2026

Development

Successfully merging this pull request may close these issues.

SMTP missing command: VRFY

4 participants