Is parsing a json naively into a Python class or struct secure?


Problem description

Some background first: I have a few rather simple data structures which are persisted as json files on disk. These json files are shared between applications of different languages and different environments (like web frontend and data manipulation tools).

For each of the files I want to create a Python "POPO" (Plain Old Python Object), and a corresponding data mapper class for each item should implement some simple CRUD like behavior (e.g. save will serialize the class and store as json file on disk).

I think a simple mapper (which only knows about basic types) will work. However, I'm concerned about security. Some of the json files will be generated by a web frontend, so a possible security risk if a user feeds me some bad json.

Finally, here is the simple mapping code (found at How to convert JSON data into a Python object):

import json

class User(object):
    def __init__(self, name, username):
        self.name = name
        self.username = username

# Sample input constructed for this page; in the question `your_json` stands for the file contents read from disk.
your_json = '{"name": "John Smith", "username": "jsmith"}'
j = json.loads(your_json)
u = User(**j)

What possible security issues do you see?

NB: I'm new to Python.

Thanks all for your comments. I've found out that I have one json where I have 2 arrays, each having a map. Unfortunately this starts to look like it gets cumbersome when I get more of these.

I'm extending the question to mapping a json input to a recordtype. The original code is from here: https://stackoverflow.com/a/15882054/1708349. Since I need mutable objects, I'd change it to use a namedlist instead of a namedtuple:

import json
from namedlist import namedlist

data = '{"name": "John Smith", "hometown": {"name": "New York", "id": 123}}'

# Parse JSON into an object with attributes corresponding to dict keys.
# Every JSON object becomes a fresh mutable record type whose field names are the object's keys.
x = json.loads(data, object_hook=lambda d: namedlist('X', d.keys())(*d.values()))
print(x.name, x.hometown.name, x.hometown.id)

Is it still secure?

Recommended answer

There's not much wrong that can happen in the first case. You're limiting what arguments can be provided and it's easy to add validation/conversion right after loading from JSON.

The second example is a bit worse. Packing things into records like this will not help you in any way. You don't inherit any methods, because each type you define is new. You can't compare values easily, because dicts are not ordered. You don't know if you have all arguments handled, or if there is some extra data, which can lead to hidden problems later.

So in summary: with User(**data), you're pretty safe. With namedlist there's space for ambiguity and you don't really gain anything. (compared to bare, parsed json)
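As an added illustration of the answer's point (this is example code written for this page, not code from the question or the answer), the following mapper shows what `User(**data)` already rejects on its own and what it does not, and adds the "validation right after loading" the answer recommends. The `USER_FIELDS` table and the sample inputs are constructed for the example.

```python
import json

class User(object):
    def __init__(self, name, username):
        self.name = name
        self.username = username

# Constructed schema for post-load validation: field name -> expected Python type.
USER_FIELDS = {"name": str, "username": str}

def load_user(raw):
    """Decode JSON text and validate it before building a User.

    Raises ValueError for anything that is not a flat object with exactly
    the expected string fields, so malformed input never reaches User().
    """
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("top-level JSON value must be an object")
    extra = set(data) - set(USER_FIELDS)
    missing = set(USER_FIELDS) - set(data)
    if extra or missing:
        raise ValueError("unexpected keys %s, missing keys %s"
                         % (sorted(extra), sorted(missing)))
    for key, expected in USER_FIELDS.items():
        if not isinstance(data[key], expected):
            raise ValueError("field %r must be %s" % (key, expected.__name__))
    return User(**data)

def naive_load(raw):
    """The question's one-liner; returns the exception class name if it fails.

    User(**...) rejects extra or missing keys and non-object JSON (both raise
    TypeError), but it accepts any value type for the fields it does know.
    """
    try:
        return User(**json.loads(raw))
    except TypeError as exc:
        return type(exc).__name__
```

The naive form already fails closed on unknown keys and on a JSON array at top level; the type check and the explicit key comparison are what the validation step adds.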
