pyjson5 icon indicating copy to clipboard operation
pyjson5 copied to clipboard
verified publisher icon dpranke

Mishandling of special characters leads to keyword collisions and variable overrides

Open P3ngu1nW opened this issue 2 years ago • 3 comments

env

python 3.9

details

When the keyword inside the json string contains illegal escape characters (such as \m in '{"na\\me": "test"}'), json5.loads will remove \ and the result will be {"name": "test"}. This problem does not exist when the keyword inside the json string contains a legal escape character. For example, json5.loads('{"tes\\t": "1"}') results in {"tes\t ": "1"} In python's built-in function JSON, on the other hand, will not allow the existence of illegal escape characters and report errors This problem can lead to a number of security issues such as keyword collisions and variable overrides. For example, when I read '{"name": "1", "na\\me": "2 "}', json5.loads results in {"name": "2"}, which is dangerous.

P3ngu1nW avatar Oct 23 '23 07:10 P3ngu1nW

Yikes, good catch. I'll try to get a fix for this ASAP.

dpranke avatar Oct 23 '23 16:10 dpranke

Thanks for your early reply!

So could you assign me a CVE number?

P3ngu1nW avatar Oct 24 '23 12:10 P3ngu1nW

That's a good question. I know nothing about the CVE process, but I'll look into it. I'm not seeing how this bug could be used as an attack; is there something you have in mind?

dpranke avatar Oct 26 '23 23:10 dpranke

In looking at this further (and in looking at #70), I've realized that this isn't actually a bug. JSON5, following Javascript, is specified to pass unrecognized escape characters through. So, '\m' is treated the same as 'm'. Regular JSON does not allow this.

So, I'm closing this as not a bug. Please comment if you have any thoughts or questions on this.

dpranke avatar Feb 20 '24 01:02 dpranke