2

I am writing a p2p project in python which involves sending serialised data between untrusted nodes. For convenience originally I used pickle but this is insecure and now I am converting my (sometimes very complex and highly nested) class objects into JSON for transmission and storage.

My question is whether it is safe to perform the following without risk of malicious code being run:

#class initially created:

class MyClass():
 def __init__(self, cat, list_of_dogs, nested_list_of_zebras):
  self.cat = cat
  self.dogs = list_of_dogs
  self.zebras = nested_list_of_zebras

p = MyClass(cat, dog_list, zebra_list)
json_obj = jsonpickle.encode(p)

#on the receiving end (or when bringing out of storage) we do

class ReCreateMyClass():
 def __init__(self, python_obj)
  self.cat = python_obj['cat']
  self.dogs = python_obj['dogs']
  self.zebras = python_obj['zebras']

def decode_js(python_obj):
  return ReCreateMyClass(json.loads(python_obj))

# is this safe?

class_obj = decode_js(python_obj)

I am aware it is possible to automate this better (Is parsing a json naively into a Python class or struct secure?) but is there any risk of executing malicious code with JSON in this manner?

Community
  • 1
  • 1
Peter Waterland
  • 21
  • 2
  • That depends on what you do with the data after. The operation in itself should be pretty solid, but if you then trust the data blindly, that's pointless. What will happen for instance if I send an object with additional attributes? With missing attributes? With wrong values? You should validate all the data after decoding it. – spectras Nov 06 '16 at 11:41
  • The class objects are fed into functions which access their data and perform various steps including validation - if there is an error in data type or content they will except. I just do not want to allow code to run during the ReCreateMyClass() instantiation. – Peter Waterland Nov 06 '16 at 12:06
  • That's my exact point. How will those functions perform if I feed them invalid inputs? Missing inputs? Unexpected inputs? This is why you must validate the inputs once they are decoded, and before using them. – spectras Nov 06 '16 at 12:08

0 Answers0