New submission from Dustin Moriarty <dustin.moria...@protonmail.com>:

It is possible to inject data while encoding json when a string is passed to 
the indent argument. 

Here is an example of an injection attack.

```python
import json

data = {"a": "original data"}
indent = '"b": "injected data",\n'
json_string = json.dumps(data, indent=indent)
print(json_string)
```

Output:
```
{
"b": "injected data",
"a": "original data"
}
```

This is a vulnerability because it is common for CLI and web frameworks to use 
string as the default data type for arguments. The vulnerability is more likely 
to be realized for CLI applications where there is more likely to be a use case 
for exposing the indent parameter to external users in order to control the 
json output. While this could be prevented by the application using the json 
encoder, the potential attack vector is not obvious or clear to developers. I 
cannot see any use case for allowing strings to be passed as indent, so I 
propose that indent is cast to integer on __init__ of the encoder. I will 
submit a corresponding PR.

----------
components: Library (Lib)
messages: 378395
nosy: DustinMoriarty
priority: normal
severity: normal
status: open
title: JSON Encoder Injection Using Indent
type: security
versions: Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue41998>
_______________________________________
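The following is an added example, not part of the report above or of CPython's json module. It reproduces the injection described in the report (an attacker-controlled indent string that a parser reads back as an extra object member) and puts a validating wrapper beside it. The helper names injected_keys, coerce_indent, is_safe_indent and safe_dumps are hypothetical; the sample data is constructed for the example. The wrapper goes slightly beyond the report's proposal of casting to int: it also accepts an indent string made only of the four whitespace characters RFC 8259 allows between tokens, since that is the one string form that cannot alter the document.

```python
import json

# RFC 8259 allows only these four characters as insignificant whitespace
# between tokens. Any other character in an indent string is emitted
# verbatim between tokens and becomes part of the document a parser sees.
# str.isspace() is too permissive for this check: "\x0c".isspace() is True,
# yet a form feed between tokens is a JSONDecodeError for json.loads().
JSON_WHITESPACE = frozenset(" \t\n\r")


def injected_keys(data, indent):
    """Keys present after a dumps/loads round trip that were not in data.

    Demonstrates the report: with an unvalidated indent string the encoder
    emits the caller's text between tokens, and a parser reads it back as
    an extra member of the top-level object.
    """
    text = json.dumps(data, indent=indent)
    return sorted(set(json.loads(text)) - set(data))


def coerce_indent(indent):
    """Validate the indent argument before it reaches json.dumps.

    Hypothetical helper, not part of the json module. Accepts None, a
    non-negative int, a decimal string such as "4" (what CLI and web
    frameworks typically hand over) which is converted to int, or a string
    made only of JSON whitespace. Anything else is rejected.
    """
    if indent is None:
        return None
    if isinstance(indent, bool):  # bool is an int subclass; reject it explicitly
        raise TypeError("indent must be an int or whitespace str, not bool")
    if isinstance(indent, int):
        if indent < 0:
            raise ValueError("indent must be non-negative")
        return indent
    if isinstance(indent, str):
        if indent.isdecimal():  # "4" -> 4; isdecimal() guarantees int() succeeds
            return int(indent)
        if set(indent) <= JSON_WHITESPACE:  # pure whitespace cannot change the document
            return indent
        raise ValueError("indent string may contain only JSON whitespace")
    raise TypeError(f"indent must be int, str or None, not {type(indent).__name__}")


def is_safe_indent(indent):
    """True if coerce_indent() accepts the value, False if it rejects it."""
    try:
        coerce_indent(indent)
    except (TypeError, ValueError):
        return False
    return True


def safe_dumps(obj, indent=None, **kwargs):
    """json.dumps with the indent argument validated by coerce_indent()."""
    return json.dumps(obj, indent=coerce_indent(indent), **kwargs)


if __name__ == "__main__":
    data = {"a": "original data"}                     # constructed sample
    hostile = '"b": "injected data",\n'               # the indent from the report
    print("injected:", injected_keys(data, hostile))  # ['b']
    print(safe_dumps(data, indent="4"))               # numeric string -> int 4
    try:
        safe_dumps(data, indent=hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is deliberately an allow-list on the indent value rather than a scan of the output: once the hostile string has been emitted there is no reliable way to tell it apart from legitimate members, so the only sound place to stop it is before the encoder runs.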