7/15/2023 0 Comments Decode json string pythonGet hostname, domain, and protocol from a URL Get the filename and the file extension from a URL Remove all non-alphanumeric characters from a stringĬonvert a character to a code point and vice versa Remove one or many substrings from a string The modern Python regular expressions cheat sheetĬapitalize the first letter of each word in a stringĬompare 2 strings ignoring case sensitivity Generating a random float between min and maxįormat large numbers with comma separators Generate a random integer between min and max If you claim to accept JSON matching a schema, you should accept all JSON matching that schema, otherwise you aren't accepting JSON.Check if a string can be converted to a number To be clear, "as strictly as you can" means respecting the protocol/file format. See A Patch for Postel's Robustness Principle.) I recommend the LangSec site generally for more discussion of these matters. (If this seems to conflict with Postel's Principle, often sloganized as "Be conservative in what you do, and liberal in what you accept from others", that's because it is commonly misunderstood and the misunderstood form is terrible advice. Generally speaking, you want to parse into a structured representation as soon as you can and as strictly as you can. I assume that isn't the case, because otherwise you'd have no reason to expect it to be JSON at all. If the string is truly an opaque blob with respect to your code as well as to any 3rd party services you pass it to, then you shouldn't be touching it at all. In general, anything you can do to reduce the number of representations for the same value is a good thing for correctness, ease of testing, and security. If the input to that JSON parser is only ever the output of json.dumps, then you only need to consider the output json.dumps can produce, and not all possible legal JSON strings. For example, let's say the JSON parser used elsewhere in your code does have some vulnerability when exposed to legal but carefully formatted JSON. json.dumps) so that you know the JSON is in a consistent, well-behaved format. If you still want to pass it around as a string though, it would be better to reserialize (i.e. You can convert it to a string when you need it as a string. (Ideally, you would also check the JSON against a schema.) Even better, would be to parse into a JSON object and then pass that around rather than a string. This code will then ensure that you are passing valid JSON to those deeper parts of the code. However, to that end, this code is likely slightly better than passing the string through untouched assuming some other part of your system processes it as JSON. This is usually security relevant when one of those pieces of code is doing some kind of security check. While it doesn't seem relevant here, you can sometimes have security issues where different pieces of code interpret the same input in different ways. I didn't find any CVEs related to json.loads.Īs a potental denial-of-service vector, I haven't looked at the code, but there's no real reason to expect it to be super-linear in either time or space with respect to the length of the string input. This Stack Overflow answer goes into detail for the actual implementation at that time. Short of bugs in the implementation or monkey-patching, there's no reason it would or should allow executing of anything other than the JSON parsing code.
0 Comments
Leave a Reply. |