Deserialization of Untrusted Data in the json Module
The Python json module parses and generates JSON data. Decoding JSON does not execute code, but a JSON string crafted by an attacker can still harm the application that parses it: the standard library itself warns that a malicious JSON string may cause the decoder to consume considerable CPU and memory resources, which leads to a denial of service. The usual vectors are very large documents, arrays or objects nested far deeper than any real message needs (the decoder recurses per nesting level and eventually raises RecursionError), and integer literals with an enormous number of digits, which cost quadratic time to convert with int().
Example
import json
json.loads('["foo", {"bar":["baz", null, 1.0, 2]}]')
Remediation
Only parse JSON from trusted sources where possible. JSON carries no code, so there is nothing to "sanitize" out of it; for untrusted input the defence is to bound the work the decoder can be made to do before calling json.loads: reject documents over a fixed byte length, reject nesting deeper than the application needs (and catch RecursionError, which the decoder raises on very deep input), pass a parse_int hook that bounds the digit count of integer literals (Python 3.11 and later also cap int/str conversion at 4300 digits by default), and validate the decoded structure against the expected schema before using it.
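The measures above, as an added example that is not part of this page or the tool it documents. The limit values, the safe_loads, nesting_depth and is_rejected names and the UntrustedJSONError class are illustrative choices; the depth check is a linear scan done before the decoder runs, and the integer bound is enforced through the json module's documented parse_int hook.

```python
import json

# Limits chosen for illustration; tune them to what the application actually needs.
MAX_BYTES = 1 << 20       # 1 MiB of input
MAX_DEPTH = 32            # nested arrays/objects
MAX_INT_DIGITS = 100      # digits in a single integer literal


class UntrustedJSONError(ValueError):
    """Raised when untrusted input exceeds one of the parsing limits."""


def nesting_depth(text: str) -> int:
    """Deepest array/object nesting in `text`, ignoring brackets inside strings.

    One linear pass over the input before the decoder sees it, so a
    pathological document is rejected without any recursive parsing.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def _bounded_int(literal: str) -> int:
    """parse_int hook: refuse integer literals with too many digits.

    json.loads hands the raw digit string to this hook; converting a
    multi-megabyte literal with int() is quadratic in its length. Python 3.11+
    already stops at 4300 digits by default; this bound is stricter and does
    not depend on the interpreter version.
    """
    if len(literal.lstrip("-")) > MAX_INT_DIGITS:
        raise UntrustedJSONError(f"integer literal longer than {MAX_INT_DIGITS} digits")
    return int(literal)


def safe_loads(data, *, max_bytes: int = MAX_BYTES, max_depth: int = MAX_DEPTH):
    """json.loads for untrusted input with size, depth and integer length bounded."""
    raw = data.encode("utf-8") if isinstance(data, str) else bytes(data)
    if len(raw) > max_bytes:
        raise UntrustedJSONError(f"document is {len(raw)} bytes, limit is {max_bytes}")
    # Strict UTF-8 only (an assumption of this example): json.loads would also
    # autodetect UTF-16/32 for bytes input, but one fixed encoding is simpler
    # to reason about for untrusted data.
    text = raw.decode("utf-8")
    depth = nesting_depth(text)
    if depth > max_depth:
        raise UntrustedJSONError(f"nesting depth {depth} exceeds limit {max_depth}")
    try:
        return json.loads(text, parse_int=_bounded_int)
    except RecursionError as exc:
        # Belt and braces: the decoder itself recurses once per nesting level.
        raise UntrustedJSONError("input too deeply nested for the decoder") from exc


def is_rejected(data, **limits) -> bool:
    """True if safe_loads refuses `data` because of a limit (not a syntax error)."""
    try:
        safe_loads(data, **limits)
    except UntrustedJSONError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the page's own sample plus three hostile shapes.
    print(safe_loads('["foo", {"bar":["baz", null, 1.0, 2]}]'))
    print(is_rejected("[" * 10_000 + "]" * 10_000))                 # too deep
    print(is_rejected("1" * 1_000_000))                             # huge integer literal
    print(is_rejected("[" + "0," * 1000 + "0]", max_bytes=1024))    # too large
```

Schema validation of the decoded object (which keys are required, which types are allowed) still has to happen after safe_loads returns; these limits only make sure the decoder finishes in bounded time and memory.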
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY009) or the rule category name (deserialization_of_untrusted_data).
Using rule ID:
import json
# suppress: PY009
json.loads('["foo", {"bar":["baz", null, 1.0, 2]}]')

Using category name:
import json
# suppress: deserialization_of_untrusted_data
json.loads('["foo", {"bar":["baz", null, 1.0, 2]}]')