Document the security of tomllib for untrusted input #111264

Open
opk12 opened this issue Oct 24, 2023 · 1 comment
Labels
docs Documentation in the Doc dir

Comments

@opk12

opk12 commented Oct 24, 2023

Documentation

The documentation for tomllib should be explicit on whether untrusted input is safe to parse, or what features should be avoided.

@opk12 opk12 added the docs Documentation in the Doc dir label Oct 24, 2023
@hukkin
Contributor

hukkin commented Oct 10, 2024

In PR #96499 the json docs added the warning

Warning
Be cautious when parsing JSON data from untrusted sources. A malicious JSON string may cause
the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is
recommended.

as a response to CVE-2020-10735 (cpython issue #95778).

The countermeasures already exist in v3.11.0 where tomllib first appears so it's not vulnerable to that particular threat at least.
