[issue41998] JSON Encoder Injection Using Indent

2020-10-10 Thread Dustin Moriarty


Dustin Moriarty added the comment:

Sounds good. If this is the design intent, then we can close the issue.

--
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue41998] JSON Encoder Injection Using Indent

2020-10-10 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:

The code works as expected. I do not think there is a problem with the json 
module. If some application accepts user input and uses it without validation to 
control the formatting of sensitive data, it is a vulnerability in this 
application, not in the tools which it uses.

--
nosy: +serhiy.storchaka




[issue41998] JSON Encoder Injection Using Indent

2020-10-10 Thread Dustin Moriarty


New submission from Dustin Moriarty:

It is possible to inject data while encoding json when a string is passed to 
the indent argument. 

Here is an example of an injection attack.

```python
import json

data = {"a": "original data"}
# indent is a str here: the encoder copies it verbatim after each newline,
# so anything in it, not only whitespace, ends up inside the JSON text
indent = '"b": "injected data",\n'
json_string = json.dumps(data, indent=indent)
print(json_string)
```

Output:
```
{
"b": "injected data",
"a": "original data"
}
```

This is a vulnerability because it is common for CLI and web frameworks to use 
strings as the default data type for arguments. The vulnerability is more likely 
to be realized for CLI applications, where there is more likely to be a use case 
for exposing the indent parameter to external users in order to control the 
json output. While this could be prevented by the application using the json 
encoder, the potential attack vector is not obvious or clear to developers. I 
cannot see any use case for allowing strings to be passed as indent, so I 
propose that indent be cast to an integer on __init__ of the encoder. I will 
submit a corresponding PR.

--
components: Library (Lib)
messages: 378395
nosy: DustinMoriarty
priority: normal
severity: normal
status: open
title: JSON Encoder Injection Using Indent
type: security
versions: Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 
3.9

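The following is an added example, not code from the report or from CPython, showing the application-side fix the maintainers point to: the "before" pattern that forwards an untrusted indent straight to json.dumps, beside a hardened form that only lets an integer or a whitespace-only string through. The names (render_json_unsafe, validate_indent, render_json_safe, injected_keys, MAX_INDENT) and the sample input are constructed for this example. It also shows why this counts as injection rather than mere corruption: the tampered output still parses as valid JSON, just with a key the application never emitted.

```python
import json
import re

# Constructed sample input (not from the original report): the document the
# application intends to emit, and an "indent" value an attacker controls.
ORIGINAL = {"a": "original data"}
INJECTED_INDENT = '"b": "injected data",\n'

# Hypothetical upper bound for this example; json only needs a small count.
MAX_INDENT = 16


def render_json_unsafe(data, indent):
    """The pattern the report describes: a CLI/web argument is forwarded to
    json.dumps(indent=...) unchanged.  When indent is a str, the pure-Python
    encoder copies it verbatim after every newline, so any non-whitespace in
    it lands inside the JSON text."""
    return json.dumps(data, indent=indent)


def validate_indent(indent):
    """Hypothetical application-side check.  Returns an int, or a str made
    only of JSON-insignificant whitespace (space, tab), and rejects anything
    else so the indent can never contribute tokens to the document."""
    if isinstance(indent, bool):  # bool is an int subclass; refuse it explicitly
        raise ValueError("indent must be an integer or a whitespace string")
    if isinstance(indent, int):
        if not 0 <= indent <= MAX_INDENT:
            raise ValueError("indent out of range")
        return indent
    if isinstance(indent, str):
        # CLI frameworks hand us "4" rather than 4: accept an ASCII digit string.
        if re.fullmatch(r"[0-9]{1,2}", indent):
            return validate_indent(int(indent))
        # Otherwise only space/tab are allowed; "" (newlines, no indent) is fine.
        if len(indent) <= MAX_INDENT and set(indent) <= {" ", "\t"}:
            return indent
    raise ValueError("indent must be an integer or a whitespace string")


def render_json_safe(data, indent):
    """Hardened form: validate before the value reaches the encoder."""
    return json.dumps(data, indent=validate_indent(indent))


def injected_keys(data, indent):
    """Keys present in the parsed output that were not in the input: a quick
    way to see whether an indent value smuggled data into the document."""
    emitted = json.loads(render_json_unsafe(data, indent))
    return sorted(set(emitted) - set(data))


if __name__ == "__main__":
    print(render_json_unsafe(ORIGINAL, INJECTED_INDENT))
    print("injected keys:", injected_keys(ORIGINAL, INJECTED_INDENT))
    print(render_json_safe(ORIGINAL, "4"))
    try:
        render_json_safe(ORIGINAL, INJECTED_INDENT)
    except ValueError as exc:
        print("rejected:", exc)
```

The whitelist is deliberately narrow: RFC 8259 treats only space, tab, CR and LF as insignificant whitespace, and str.strip() would also accept Unicode whitespace the JSON grammar does not, so the check compares against an explicit character set instead. Note that newline is left out as well, since an indent containing a newline would change the document layout in a way the caller did not ask for.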