The Python jsonpickle module documentation for serializing and deserializing JSON says that
Downloading a JSON string from an untrusted source is a potential security vulnerability. jsonpickle is not trying to misinform the entry
But I am wondering how an attacker can execute arbitrary code through JSON messages?
Also, what is the best way to disinfect input, as suggested in the documentation? The JSON data in my application is not trustworthy (it came from clients sending JSON messages).
jsonpickle JSON. jsonpickle Python, . Sanitizing , JSON , jsonpickle. , .
jsonpickle
__reduce__ (., , | jsonpickle)
__reduce__
jsonpickle.decode('{"py/object": "list", "py/reduce":[{"py/type": "subprocess.Popen"}, ["ls"], null, null, null]}')
- . .
, jsonpickle . JSON .
Source: https://habr.com/ru/post/1650445/More articles:ΠΠΎΠ³Ρ Π»ΠΈ Ρ ΠΊΠ°ΠΊΠΈΠΌ-ΡΠΎ ΠΎΠ±ΡΠ°Π·ΠΎΠΌ ΠΈΠ·Π±Π΅ΠΆΠ°ΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ time.sleep() Π² ΡΡΠΎΠΌ script? - pythonΠΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»ΡΡΠΊΠΎΠ΅ Π΄ΠΎΠΌΠ΅Π½Π½ΠΎΠ΅ ΠΈΠΌΡ Firebase - firebaseRibbonDropDownItem Π΄Π»Ρ ΠΏΡΠΎΡΠ»ΡΡΠΈΠ²Π°Π½ΠΈΡ ΠΊΠ»ΠΈΠΊΠΎΠ² - c#The query works first but doesn't find - javascriptXcode 8 beta 4: "Could not connect to pid: 1110" when working on a physical device - xcodeThere are two group functions that differ in only one line of code - c ++UIRotationGestureRecognizer activates several times Swift - iosWhat role does the Arrays.copyOf array play in making the class immutable? - javaHow to throw an exception when an integer overflows? - javaDebugging Visual Studio Python - pythonAll Articles