Are there any known security vulnerabilities with Django's JSON deserializer? Regarding Python deserializing protocols, the general consensus seems to be they're completely insecure, so avoid parsing untrusted data.
However, I'm considering a distributed web application where different servers exchange model records, formatted as JSON. The records themselves don't contain sensitive data, but I'm concerned about the ability for a hacked server breaching another server by sending maliciously formatted JSON. Is this possible?
I usually see Django's JSON serializer in public-facing environments, so I would hope it's hardened against this kind of thing, but I haven't been able to find any documentation addressing any security issues.
By default when using simplejson, which is the default deserializer used by Django, the types of objects that can be converted from JSON into a Python object are limited. The only way this is not the case is if you're doing some kind of specialized decoding utilizing the optional arguments to the loads() or load() methods or your own JSONDecoder object.
So, as long as you're using default decoding, you're pretty safe. But, if you're really concerned, you should be validating the loaded JSON data BEFORE you actually do anything with it.
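Added example (not from the answer, and not Django's or simplejson's own code) of the two points above: default decoding only ever yields plain JSON types, and the decoded record is validated before anything acts on it. It uses the standard library json module, assumed here to behave like simplejson's default decoder; the record layout and FIELD_SCHEMA are constructed for illustration.

```python
import json
from typing import Any

# Constructed record in the model/pk/fields shape the question describes.
SAMPLE_RECORD = '{"model": "app.article", "pk": 7, "fields": {"title": "Hello", "published": true}}'

# The only types json.loads produces when no object_hook or custom JSONDecoder is supplied.
SAFE_JSON_TYPES = (dict, list, str, int, float, bool, type(None))

# Hypothetical per-field schema: field name -> exact Python type expected.
FIELD_SCHEMA = {"title": str, "published": bool}


def only_safe_types(value: Any, depth: int = 0, max_depth: int = 32) -> bool:
    """Recursively confirm the decoded value holds only plain JSON types and is not absurdly nested."""
    if depth > max_depth or not isinstance(value, SAFE_JSON_TYPES):
        return False
    if isinstance(value, dict):
        return all(isinstance(k, str) and only_safe_types(v, depth + 1, max_depth)
                   for k, v in value.items())
    if isinstance(value, list):
        return all(only_safe_types(v, depth + 1, max_depth) for v in value)
    return True


def load_record(raw: str, max_bytes: int = 64 * 1024) -> dict:
    """Decode with the default decoder, then validate the shape BEFORE the record is used."""
    if len(raw) > max_bytes:
        raise ValueError("record too large")
    data = json.loads(raw)  # default decoding: no object_hook, no custom JSONDecoder
    if not only_safe_types(data):
        raise ValueError("unexpected structure or nesting depth")
    if not isinstance(data, dict) or set(data) != {"model", "pk", "fields"}:
        raise ValueError("unexpected top-level keys")
    # bool is a subclass of int, so exclude it explicitly for the primary key.
    if not isinstance(data["model"], str) or not isinstance(data["pk"], int) or isinstance(data["pk"], bool):
        raise ValueError("bad model name or primary key")
    fields = data["fields"]
    if not isinstance(fields, dict) or set(fields) != set(FIELD_SCHEMA):
        raise ValueError("unexpected field set")
    for name, expected in FIELD_SCHEMA.items():
        if type(fields[name]) is not expected:  # exact type, so 1 is not accepted for a bool
            raise ValueError(f"field {name!r} has wrong type")
    return data


def rejects(raw: str) -> bool:
    """True when load_record refuses the record; used to exercise the checks above."""
    try:
        load_record(raw)
    except ValueError:
        return True
    return False
```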