json — load

Deserialization of Untrusted Data in the json Module

The Python json module provides a way to parse and generate JSON data. However, it is important to be aware that malicious JSON strings can be used to attack applications that use the json module. For example, a malicious JSON string could be used to cause the decoder to consume considerable CPU and memory resources, which could lead to a denial-of-service attack.

Example

json_loads.py

    1  import json
    2
    3
    4  json.loads('["foo", {"bar":["baz", null, 1.0, 2]}]')

Example Output
> precli --enable=all tests/unit/rules/python/stdlib/json/examples/json_loads.py
⚠️  Warning on line 4 in tests/unit/rules/python/stdlib/json/examples/json_loads.py
PY009: Deserialization of Untrusted Data
Potential unsafe usage of 'json.loads' that can allow instantiation of arbitrary objects.

Remediation

To avoid this vulnerability, it is important to only parse JSON data from trusted sources. If you are parsing JSON data from an untrusted source, you should first sanitize the data to remove any potential malicious code.
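
As an added example (not part of precli or of this rule's documentation), the following wrapper applies the remediation above to input that must be parsed anyway: it bounds the document size before decoding, converts the decoder's RecursionError on deeply nested input into a rejection, caps container nesting in the decoded value, and checks that the top-level type is the one the caller expects. The limits MAX_BYTES and MAX_DEPTH and the names safe_loads, nesting_depth and UntrustedJSONError are assumptions made for this example.

```python
import json

# Assumed limits for this example; tune them to the application's real inputs.
MAX_BYTES = 64 * 1024   # reject documents larger than 64 KiB before decoding
MAX_DEPTH = 32          # reject documents nested deeper than 32 containers


class UntrustedJSONError(ValueError):
    """Raised when an untrusted JSON document fails a defensive check."""


def nesting_depth(value):
    """Count dict/list nesting in a decoded value iteratively, so the check
    itself cannot raise RecursionError on hostile input."""
    depth = 0
    stack = [(value, 1)]
    while stack:
        node, level = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, list):
            children = node
        else:
            continue  # scalars do not add nesting
        depth = max(depth, level)
        stack.extend((child, level + 1) for child in children)
    return depth


def safe_loads(data, *, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH, expect=dict):
    """Decode untrusted JSON with size, depth and top-level type limits."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    if len(data) > max_bytes:
        raise UntrustedJSONError(f"document exceeds {max_bytes} bytes")
    try:
        value = json.loads(data)
    except RecursionError:
        # CPython's decoder recurses once per nested container; treat exhaustion as hostile
        raise UntrustedJSONError("document nested too deeply to decode") from None
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        raise UntrustedJSONError(f"malformed JSON: {exc}") from None
    if nesting_depth(value) > max_depth:
        raise UntrustedJSONError(f"nesting exceeds {max_depth} levels")
    if expect is not None and not isinstance(value, expect):
        raise UntrustedJSONError(f"expected top-level {expect.__name__}")
    return value
```

The document from the rule's example above is accepted only when the caller passes expect=list; with the default expect=dict it is rejected, which is the point of declaring the shape you are willing to receive.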

Default Configuration

enabled = false
level = "warning"

New in version 0.1.0