Implement recommended fixes from OSTIF audit by etrepum · Pull Request #313 · simplejson/simplejson

etrepum · 2023-04-04T18:01:04Z

Implement security hardening measures based on a source code audit of simplejson 3.18.4 by X41 D-Sec GmbH and sponsored by the OSTIF.

Fix invalid handling of unicode escape sequences in the pure Python
implementation of the decoder (SJ-PT-23-01)
Fix missing reference count decrease if PyOS_string_to_double raises
an exception in Python 2.x; was probably unreachable (SJ-PT-23-02)
Backport the integer string length limitation from Python 3.11 to
limit quadratic number parsing (SJ-PT-23-03)
Fix inconsistencies with error messages between the C and Python
implementations (SJ-PT-23-100)
Remove unused unichr import from encoder (SJ-PT-23-101)
Remove unused namedtuple_as_object and tuple_as_array arguments from
simplejson.load (SJ-PT-23-102)
Remove vestigial _one_shot code from iterencode (SJ-PT-23-103)
Change default of allow_nan from True to False and add allow_nan
to decoder (SJ-PT-23-107)

Several suggested improvements were not implemented in this release and will be considered in the future:

SJ-PT-23-104: Type Hints Not Used - Implementing type hints with annotations is not possible for as long as Python 2 is supported. Using stub files or revisiting this in the future when Python 2 support is removed will be considered in a later release.
SJ-PT-23-105: Deprecated Python Versions Supported - Without a way to get usage metrics, it's hard to say how many people are still using recent versions of simplejson and Python 2, so I would prefer to maintain support for a while longer.
SJ-PT-23-108: Support of Duplicate Key Names - I haven't had a lot of requests to provide this feature, and anyone looking to do this can implement it with object_pairs_hook. The default behavior of "last key wins" is consistent with JavaScript's JSON implementation.
SJ-PT-23-106: Unsigned Git Commits - PR merges were already verified since I update them with the GitHub UX but I will also start signing my commits with an SSH key. I have also enabled a tag protection rule for *. I did not enable a branch protection rule to require all commits to be signed since that would prevent accepting third party contributions without first rebasing myself.

The full public report is available here: https://www.x41-dsec.de/static/reports/X41-OSTIF-simplejson-CodeRview-2023-04-18.pdf
See also:

…on decoder

…atic parsing

…hon implementations

* Remove unused namedtuple_as_object and tuple_as_array arguments from simplejson.load (SJ-PT-23-102) * Remove vestigial _one_shot code from iterencode (SJ-PT-23-103) * Change default of allow_nan from True to False and add allow_nan to decoder (SJ-PT-23-107)

Version 3.19.1 released 2023-04-06 * This release contains security hardening measures based on recommendations by a security audit sponsored by OSTIF and conducted by X41 D-Sec GmbH. Several of these measures include changing defaults to be more strict, by default simplejson will now only consume and produce compliant JSON, but the flags still exist for any backwards compatibility needs. No high priority issues were discovered, the reference count leak is thought to be unreachable since the digits of the float are checked before PyOS_string_to_double is called. A link to the public version of this report will be included in a future release of simplejson. The following fixes were implemented in one PR: simplejson/simplejson#313 * Fix invalid handling of unicode escape sequences in the pure Python implementation of the decoder (SJ-PT-23-01) * Fix missing reference count decrease if PyOS_string_to_double raises an exception in Python 2.x; was probably unreachable (SJ-PT-23-02) * Backport the integer string length limitation from Python 3.11 to limit quadratic number parsing (SJ-PT-23-03) * Fix inconsistencies with error messages between the C and Python implementations (SJ-PT-23-100) * Remove unused unichr import from encoder (SJ-PT-23-101) * Remove unused namedtuple_as_object and tuple_as_array arguments from simplejson.load (SJ-PT-23-102) * Remove vestigial _one_shot code from iterencode (SJ-PT-23-103) * Change default of allow_nan from True to False and add allow_nan to decoder (SJ-PT-23-107)

Changelog: ============ * This release contains security hardening measures based on recommendations by a security audit sponsored by OSTIF and conducted by X41 D-Sec GmbH. Several of these measures include changing defaults to be more strict, by default simplejson will now only consume and produce compliant JSON, but the flags still exist for any backwards compatibility needs. No high priority issues were discovered, the reference count leak is thought to be unreachable since the digits of the float are checked before PyOS_string_to_double is called. A link to the public version of this report will be included in a future release of simplejson. The following fixes were implemented in one PR: simplejson/simplejson#313 * Fix invalid handling of unicode escape sequences in the pure Python implementation of the decoder (SJ-PT-23-01) * Fix missing reference count decrease if PyOS_string_to_double raises an exception in Python 2.x; was probably unreachable (SJ-PT-23-02) * Backport the integer string length limitation from Python 3.11 to limit quadratic number parsing (SJ-PT-23-03) * Fix inconsistencies with error messages between the C and Python implementations (SJ-PT-23-100) * Remove unused unichr import from encoder (SJ-PT-23-101) * Remove unused namedtuple_as_object and tuple_as_array arguments from simplejson.load (SJ-PT-23-102) * Remove vestigial _one_shot code from iterencode (SJ-PT-23-103) * Change default of allow_nan from True to False and add allow_nan to decoder (SJ-PT-23-107) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>

Version 3.19.1 released 2023-04-06 * This release contains security hardening measures based on recommendations by a security audit sponsored by OSTIF and conducted by X41 D-Sec GmbH. Several of these measures include changing defaults to be more strict, by default simplejson will now only consume and produce compliant JSON, but the flags still exist for any backwards compatibility needs. No high priority issues were discovered, the reference count leak is thought to be unreachable since the digits of the float are checked before PyOS_string_to_double is called. A link to the public version of this report will be included in a future release of simplejson. The following fixes were implemented in one PR: simplejson/simplejson#313 * Fix invalid handling of unicode escape sequences in the pure Python implementation of the decoder (SJ-PT-23-01) * Fix missing reference count decrease if PyOS_string_to_double raises an exception in Python 2.x; was probably unreachable (SJ-PT-23-02) * Backport the integer string length limitation from Python 3.11 to limit quadratic number parsing (SJ-PT-23-03) * Fix inconsistencies with error messages between the C and Python implementations (SJ-PT-23-100) * Remove unused unichr import from encoder (SJ-PT-23-101) * Remove unused namedtuple_as_object and tuple_as_array arguments from simplejson.load (SJ-PT-23-102) * Remove vestigial _one_shot code from iterencode (SJ-PT-23-103) * Change default of allow_nan from True to False and add allow_nan to decoder (SJ-PT-23-107)

etrepum added 7 commits April 4, 2023 09:59

SJ-PT-23-01: Fix invalid handling of unicode escape sequences in Pyth…

7c2ccb7

…on decoder

SJ-PT-23-02: Fix missing reference count decrease

1e495c1

SJ-PT-23-03: Backport integer string length limitation to limit quadr…

59dac4e

…atic parsing

SJ-PT-23-100: Fix inconsistencies in error messages between C and Pyt…

dbd0aa3

…hon implementations

SJ-PT-23-101: Remove unused unichr import from encoder

440a5e4

Update CHANGES.txt

ec4a3d5

etrepum enabled auto-merge April 6, 2023 16:53

etrepum merged commit 1a4995d into master Apr 6, 2023

This was referenced Apr 8, 2023

Update dependency simplejson to v3.19.1 projectnessie/nessie#6541

Merged

chore(deps) Update all non-major dependencies atlas-bi/atlas-bi-library-py#213

Open

This was referenced May 31, 2023

chore(deps): update dependency simplejson to v3.20.2 ngshiheng/burplist-frontend#71

Open

Update dependency simplejson to v3.19.1 OpenCTI-Platform/connectors#1175

Merged

Update all non-major dependencies fedora-infra/fasjson-client#360

Merged

renovate Bot mentioned this pull request Jul 8, 2023

Update dependency simplejson to v3.19.1 internetarchive/openlibrary#8055

Merged

1 task

winterbot mentioned this pull request Aug 14, 2023

Update dependency simplejson to v3.19.1 winterlightlabs/bucket-antivirus-function#15

Merged

1 task

renovate Bot mentioned this pull request Aug 19, 2023

Update dependency simplejson to v3.19.2 saifalisew1508/MissCutie#123

Closed

1 task

renovate Bot mentioned this pull request Aug 31, 2023

Update dependency simplejson to v3.19.1 0x49b/krafti#26

Merged

1 task

renovate Bot mentioned this pull request Oct 23, 2023

chore(deps): update dependency simplejson to v3.19.2 - autoclosed mmehta-10/kubernetes-ops#96

Closed

1 task

renovate Bot mentioned this pull request Jun 19, 2024

Update dependency simplejson to v3.19.2 Hanra-s-work/point_one_robot_car#148

Merged

1 task

etrepum deleted the audit-fixes branch April 12, 2026 20:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement recommended fixes from OSTIF audit#313

Implement recommended fixes from OSTIF audit#313
etrepum merged 7 commits into
masterfrom
audit-fixes

etrepum commented Apr 4, 2023 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

etrepum commented Apr 4, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

etrepum commented Apr 4, 2023 •

edited

Loading