
Callback for root nodes shouldn't return a list #9

Closed
jonblack opened this issue Dec 7, 2014 · 0 comments

jonblack commented Dec 7, 2014

Root nodes in the tree are expected to be returned as a list. The Flask framework's implementation of json (jsonify) treats top-level lists as a security risk:

The problem is arrays at top-level in JSON. [...] An attacker can use this (like above) to get all the data you exported in your JSON file.

There is more information about a workaround in this issue:

I appreciate that top-level array elements are not allowed to be created in Flask's jsonify() implementation (http://flask.pocoo.org/docs/0.10/security/#json-security). Also, there are for sure straight-forward strategies for solving this in application code, for example by wrapping the list in a dictionary: jsonify({"items": collection}).
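The wrapping workaround described in the comment above, as an added example that is not part of the original issue or of the project's code. It uses only the standard library so it runs without Flask: `wrap_root_nodes`, `render_tree_json`, `render_unsafe_json`, `has_top_level_array` and `unwrap_root_nodes` are names chosen here, the node list is constructed sample data, and the `"items"` key is the one the comment suggests.

```python
import json

# Constructed sample: the root nodes a tree endpoint would hand back.
SAMPLE_ROOT_NODES = [
    {"id": 1, "text": "Documents", "children": [{"id": 3, "text": "Invoices"}]},
    {"id": 2, "text": "Pictures", "children": []},
]


def wrap_root_nodes(nodes, key="items"):
    """Wrap a list of root nodes in an object so the JSON top level is never an array.

    A top-level array is a valid JavaScript expression, so a cross-origin
    <script src="/tree.json"> could evaluate it and, in old browsers that let a
    page redefine the Array constructor or setters, read the elements out.
    A top-level object literal is a syntax error in script position, so the
    same trick yields nothing.
    """
    if not isinstance(nodes, list):
        raise TypeError("expected a list of root nodes, got %s" % type(nodes).__name__)
    return {key: nodes}


def render_unsafe_json(nodes):
    """The 'before' shape: a bare top-level array (what the issue objects to)."""
    return json.dumps(nodes, separators=(",", ":"))


def render_tree_json(nodes, key="items"):
    """The 'after' shape: equivalent to jsonify({"items": nodes}) in Flask."""
    return json.dumps(wrap_root_nodes(nodes, key), separators=(",", ":"))


def has_top_level_array(body):
    """Response check: True if the serialized JSON document is an array at the top level."""
    return isinstance(json.loads(body), list)


def unwrap_root_nodes(body, key="items"):
    """Client side: read the node list back out of the wrapper object."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or key not in doc:
        raise ValueError("response is not a wrapped node list under %r" % key)
    return doc[key]


if __name__ == "__main__":
    print("bare array:", render_unsafe_json(SAMPLE_ROOT_NODES))
    print("wrapped:   ", render_tree_json(SAMPLE_ROOT_NODES))
```

The check in `has_top_level_array` is the kind of assertion worth keeping in an endpoint test suite, since later Flask releases (0.11 onward) do serialize top-level lists from `jsonify` and no longer raise, so the wrapping has to be enforced by the application rather than by the framework.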

@gilek gilek added this to the 2.2.0-alpha milestone Dec 8, 2014
@gilek gilek closed this as completed in 05c8b7a Jan 18, 2015