Author DustinMoriarty
Recipients DustinMoriarty
Date 2020-10-10.13:22:37
Message-id <1602336157.61.0.232979425714.issue41998@roundup.psfhosted.org>
In-reply-to
Content
It is possible to inject data while encoding json when a string is passed to the indent argument. 

Here is an example of an injection attack.

```python
import json

data = {"a": "original data"}
indent = '"b": "injected data",\n'
json_string = json.dumps(data, indent=indent)
print(json_string)
```

Output:
```
{
"b": "injected data",
"a": "original data"
}
```

This is a vulnerability because it is common for CLI and web frameworks to use string as the default data type for arguments. The vulnerability is more likely to be realized for CLI applications where there is more likely to be a use case for exposing the indent parameter to external users in order to control the json output. While this could be prevented by the application using the json encoder, the potential attack vector is not obvious or clear to developers. I cannot see any use case for allowing strings to be passed as indent, so I propose that indent is cast to integer on __init__ of the encoder. I will submit a corresponding PR.
History
| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2020-10-10 13:22:37 | DustinMoriarty | set | recipients: + DustinMoriarty |
| 2020-10-10 13:22:37 | DustinMoriarty | set | messageid: <1602336157.61.0.232979425714.issue41998@roundup.psfhosted.org> |
| 2020-10-10 13:22:37 | DustinMoriarty | link | issue41998 messages |
| 2020-10-10 13:22:37 | DustinMoriarty | create | |
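An application-side check for the case described in the message above, added here as an example; it is not part of the original report or of CPython. The names `safe_indent`, `round_trips` and `MAX_INDENT` are hypothetical, and the bound of 16 is an assumption. It validates an externally supplied indent value before it reaches `json.dumps`, and uses a round-trip comparison to show whether the encoded output still decodes to the original data.

```python
import json

MAX_INDENT = 16  # assumed upper bound for this example, not a stdlib limit


def safe_indent(value):
    """Validate an externally supplied indent before it reaches json.dumps."""
    if value is None:
        return None
    if isinstance(value, str):
        # Strings made only of spaces/tabs cannot add tokens to the output.
        if value and set(value) <= {" ", "\t"} and len(value) <= MAX_INDENT:
            return value
        if not (value.isascii() and value.isdigit()):
            raise ValueError(f"indent must be an integer or spaces/tabs: {value!r}")
        value = int(value)
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"indent must be an integer or spaces/tabs: {value!r}")
    if not 0 <= value <= MAX_INDENT:
        raise ValueError(f"indent out of range 0..{MAX_INDENT}: {value}")
    return value


def round_trips(data, indent):
    """Return True if the encoded text decodes back to exactly `data`."""
    try:
        return json.loads(json.dumps(data, indent=indent)) == data
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


if __name__ == "__main__":
    data = {"a": "original data"}
    # Constructed inputs: the first is the indent string from the report above.
    for raw in ['"b": "injected data",\n', "4", "\t", "-1"]:
        print(f"raw={raw!r} unvalidated round-trip ok: {round_trips(data, raw)}")
        try:
            print(json.dumps(data, indent=safe_indent(raw)))
        except ValueError as exc:
            print("rejected:", exc)
```

The round-trip check is also usable as a regression test for any code path that forwards user-controlled formatting options to the encoder.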