Title: JSON Encoder Injection Using Indent
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: DustinMoriarty, serhiy.storchaka
Priority: normal Keywords:

Created on 2020-10-10 13:22 by DustinMoriarty, last changed 2020-10-10 13:39 by DustinMoriarty. This issue is now closed.

Messages (3)
msg378395 - (view) Author: Dustin Moriarty (DustinMoriarty) Date: 2020-10-10 13:22
It is possible to inject data while encoding json when a string is passed to the indent argument. 

Here is an example of an injection attack.

import json

data = {"a": "original data"}
indent = '"b": "injected data",\n'
json_string = json.dumps(data, indent=indent)

"b": "injected data",
"a": "original data"

This is a vulnerability because it is common for CLI and web frameworks to use string as the default data type for arguments. The vulnerability is more likely to be realized for CLI applications where there is more likely to be a use case for exposing the indent parameter to external users in order to control the json output. While this could be prevented by the application using the json encoder, the potential attach vector is not obvious or clear to developers. I cannot see any use case for allowing strings to be passed as indent, so I propose that indent is cast to integer on __init__ of the encoder. I will submit a corresponding PR.
msg378400 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2020-10-10 13:33
The code works as expected. I do not think there is a problem with the json module. If some application accepts user input and use it without validation to control the formatting of sensitive data, it is a vulnerability in this application, not in tools which it uses.
msg378402 - (view) Author: Dustin Moriarty (DustinMoriarty) Date: 2020-10-10 13:39
Sounds good. If this is the design intent, then we can close the issue.
Date User Action Args
2020-10-10 13:39:13DustinMoriartysetstatus: open -> closed
resolution: not a bug
messages: + msg378402

stage: resolved
2020-10-10 13:33:34serhiy.storchakasetnosy: + serhiy.storchaka
messages: + msg378400
2020-10-10 13:22:37DustinMoriartycreate