I'm maintaining a production Django 1.5 application.
Recently there was a lot of noise about various vulnerabilities related to the loading of JSON, XML and YAML objects. If I understand correctly, input was carefully crafted to exploit bugs in the loading functions.
Now, I have no idea where Django (or the dozens of third-party apps that we use) use each of these protocols. How can I be safe from such vulnerabilities? Do I need to make sure in some way that Django is loading JSON, XML and YAML safely?
Django doesn't accept user encoded input in these formats by default and in general third-party apps won't either, but it's worth auditing the parts that are user-facing to be sure. The big ones are going to be API providers (Tastypie, Django REST Framework, etc.). If you're on current versions you should be safe, but it's worth testing/confirming.
If you are loading anything in your app from these formats, be sure to use defusedxml and YAML's safe_load method. The standard library json module should be safe from these sorts of exploits.
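As an added illustration of the check the answer recommends (example code written for this page, not the answer's own and not the defusedxml package itself): the parser below reproduces defusedxml's technique with only the standard library, installing expat handlers that abort as soon as untrusted XML declares a DOCTYPE or an entity, since entity expansion and external entity references both depend on one. The function names and the two sample documents are constructed for the example.

```python
from xml.etree import ElementTree as ET
from xml.parsers import expat


class DTDForbidden(ValueError):
    """Raised when untrusted XML declares a DOCTYPE or an entity."""


def _forbid(what):
    # Expat passes a different positional argument list to each
    # handler; the handler ignores them all and simply refuses.
    def handler(*_args):
        raise DTDForbidden(f"{what} is not allowed in untrusted XML")
    return handler


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML into an ElementTree but refuse any DTD or entity use.

    Hypothetical helper mirroring what defusedxml does: the tree is
    built from expat events, and the DOCTYPE / entity handlers raise
    before any expansion or external fetch can happen.
    """
    parser = expat.ParserCreate()
    builder = ET.TreeBuilder()
    parser.StartElementHandler = builder.start        # (tag, attrs)
    parser.EndElementHandler = builder.end            # (tag)
    parser.CharacterDataHandler = builder.data        # (text)
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.ExternalEntityRefHandler = _forbid("external entity reference")
    parser.Parse(data, True)
    return builder.close()


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses with no DTD/entity constructs."""
    try:
        parse_untrusted_xml(data)
        return True
    except DTDForbidden:
        return False


# Constructed sample inputs: a plain document and one with a DTD.
PLAIN = b"<order><item sku='A1'>2</item></order>"
WITH_DTD = b'<!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>'

if __name__ == "__main__":
    root = parse_untrusted_xml(PLAIN)
    print(root.find("item").get("sku"), is_safe_xml(WITH_DTD))
```

Malformed input still raises the usual expat.ExpatError; only the DTD/entity case is turned into DTDForbidden.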