Django JSON De-serialization Security

Are there any known security vulnerabilities with Django's JSON deserializer? Regarding Python deserializing protocols, the general consensus seems to be they're completely insecure, so avoid parsing untrusted data.

However, I'm considering a distributed web application where different servers exchange model records, formatted as JSON. The records themselves don't contain sensitive data, but I'm concerned about the ability of a hacked server to breach another server by sending maliciously formatted JSON. Is this possible?

I usually see Django's JSON serializer in public-facing environments, so I would hope it's hardened against this kind of thing, but I haven't been able to find any documentation addressing any security issues.

Cerin asked Mar 07 '12 15:03

1 Answer

By default when using simplejson, which is the default deserializer used by Django, the types of objects that can be converted from JSON into a Python object are limited. The only way this is not the case is if you're doing some kind of specialized decoding utilizing the optional arguments to the loads() or load() methods or your own JSONDecoder object.

So, as long as you're using default decoding, you're pretty safe. But, if you're really concerned, you should be validating the loaded JSON data BEFORE you actually do anything with it.

jathanism answered Oct 06 '22 03:10
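The two points in the answer, that a default `json.loads()` call can only ever produce plain dicts, lists, strings, numbers, booleans and `None`, and that the decoded data should still be validated against the expected record shape before anything acts on it, are illustrated by the following added example. It is not code from the question, the answer or Django; it uses the standard-library `json` module rather than `simplejson` (the two behave the same way for default decoding), and the record schema, field names and sample payloads are constructed for illustration.

```python
import json
from typing import Any

# With no object_hook, parse_* argument or custom JSONDecoder, the decoder
# can only build these Python types. Nothing in the payload can name a class
# or call a function, which is the property the answer relies on.
JSON_SAFE_TYPES = (dict, list, str, int, float, bool, type(None))


def decode_untrusted(payload: str, max_bytes: int = 1_000_000) -> Any:
    """Decode JSON received from another server using the default decoder only."""
    if len(payload) > max_bytes:
        # Size cap: a parser that is memory-safe can still be fed a huge document.
        raise ValueError("payload too large")
    return json.loads(payload)


def only_builtin_types(value: Any) -> bool:
    """True if the decoded tree consists solely of the types listed above."""
    if isinstance(value, dict):
        return all(isinstance(k, str) and only_builtin_types(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return all(only_builtin_types(v) for v in value)
    return isinstance(value, JSON_SAFE_TYPES)


# Hypothetical record schema for the exchanged model records:
# field name -> required Python type of the decoded value.
RECORD_SCHEMA = {"id": int, "title": str, "published": bool}


def validate_record(record: Any) -> dict:
    """Validate one decoded record BEFORE it is saved or otherwise used."""
    if not isinstance(record, dict):
        raise ValueError("record must be a JSON object")
    unexpected = set(record) - set(RECORD_SCHEMA)
    if unexpected:
        # Reject extra keys rather than ignoring them: an allow-list keeps a
        # compromised peer from smuggling fields the receiver never intended.
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    missing = set(RECORD_SCHEMA) - set(record)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    for field, expected in RECORD_SCHEMA.items():
        value = record[field]
        # bool is a subclass of int in Python, so true/false would otherwise
        # pass an isinstance(value, int) check for an integer id.
        wrong_bool = expected is int and isinstance(value, bool)
        if wrong_bool or not isinstance(value, expected):
            raise ValueError(f"field {field!r} must be {expected.__name__}")
    return record


def load_records(payload: str) -> list:
    """Decode a batch of records from a peer and validate every one of them."""
    data = decode_untrusted(payload)
    if not isinstance(data, list):
        raise ValueError("payload must be a JSON array of records")
    return [validate_record(r) for r in data]


def rejects(payload: str) -> bool:
    """Helper for demonstrations: True if load_records refuses the payload."""
    try:
        load_records(payload)
    except ValueError:
        return True
    return False


# Constructed sample payloads (not real traffic).
GOOD_PAYLOAD = (
    '[{"id": 1, "title": "first", "published": true},'
    ' {"id": 2, "title": "second", "published": false}]'
)
# Extra key that the schema does not allow.
EXTRA_FIELD_PAYLOAD = '[{"id": 1, "title": "x", "published": true, "owner": "root"}]'
# Boolean where an integer id is required.
WRONG_TYPE_PAYLOAD = '[{"id": true, "title": "x", "published": true}]'

if __name__ == "__main__":
    print(only_builtin_types(decode_untrusted(GOOD_PAYLOAD)))  # True
    print(load_records(GOOD_PAYLOAD))
    print(rejects(EXTRA_FIELD_PAYLOAD), rejects(WRONG_TYPE_PAYLOAD))  # True True
```

The validation step is deliberately an allow-list: every field the receiver will use is named with its type, and anything else is refused. Whatever a compromised peer puts in the payload, the decoder hands back inert built-in values, and the schema check decides which of those are allowed to reach the model layer.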