Login/Register
How can I execute arbitrary code via JSON and how to sanitize the input
Asked Answered
pythonjsonsecurityjsonpickle
F

1

7

In the documentation of Python's jsonpickle module for JSON serialization and deserialization it states that

Loading a JSON string from an untrusted source represents a potential security vulnerability. jsonpickle makes no attempt to sanitize the input

But I wonder how is it possible for an attacker to execute arbitrary code via JSON messages?

Also, what is the best way to sanitize the input as suggested in the documentation? JSON data in my application is not trust-worthy (it came from the clients that send JSON messages).

Fibril answered 7/8, 2016 at 7:54 Comment(1)
This article may be helpful for you: versprite.com/og/into-the-jar-jsonpickle-exploitationAfterpiece
M
2

jsonpickle is not JSON. jsonpickle allows to create arbitrary Python-Objects that potentially do harmful things. Sanitizing means, that the JSON objects only contain data, that can be interpreted by jsonpickle. Normally wrong data would lead to exceptions, but can may be used to trigger unwanted behavior.

The __reduce__ exploit (see, for example Into The Jar | Exploitation of jsonpickle)

jsonpickle.decode('{"py/object": "list", "py/reduce":[{"py/type": "subprocess.Popen"}, ["ls"], null, null, null]}')

is only one direct way to execute any command. More subtle ways depend on your actual code.

So the short answer is, not to use jsonpickle in an untrusted environment. Use normal JSON and check the input before using it.

Martyr answered 7/8, 2016 at 8:14 Comment(1)
"jsonpickle allows to create arbitrary Python-Objects that potentially do harmful things" -- how is it possible? Suppose that I use jsonpickle.decode to deserialize incoming JSON data. What can an attacker put in this JSON data to execute arbitrary code?Fibril

© 2022 - 2024 — McMap. All rights reserved.