[issue41998] JSON Encoder Injection Using Indent
Dustin Moriarty
report at bugs.python.org
Sat Oct 10 09:22:37 EDT 2020
New submission from Dustin Moriarty <dustin.moriarty at protonmail.com>:
It is possible to inject data while encoding json when a string is passed to the indent argument.
Here is an example of an injection attack.
```python
import json
data = {"a": "original data"}
indent = '"b": "injected data",\n'
json_string = json.dumps(data, indent=indent)
print(json_string)
```
Output:
```
{
"b": "injected data",
"a": "original data"
}
```
This is a vulnerability because it is common for CLI and web frameworks to use string as the default data type for arguments. The vulnerability is more likely to be realized for CLI applications where there is more likely to be a use case for exposing the indent parameter to external users in order to control the json output. While this could be prevented by the application using the json encoder, the potential attach vector is not obvious or clear to developers. I cannot see any use case for allowing strings to be passed as indent, so I propose that indent is cast to integer on __init__ of the encoder. I will submit a corresponding PR.
----------
components: Library (Lib)
messages: 378395
nosy: DustinMoriarty
priority: normal
severity: normal
status: open
title: JSON Encoder Injection Using Indent
type: security
versions: Python 3.10, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41998>
_______________________________________
More information about the Python-bugs-list
mailing list