Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Uncaught exception] UnicodeDecodeError when calling to_xml with arbitrary data #106

Closed
Asteriska001 opened this issue Feb 7, 2022 · 7 comments
Closed

[Uncaught exception] UnicodeDecodeError when calling to_xml with arbitrary data #106

Asteriska001 opened this issue Feb 7, 2022 · 7 comments
Assignees
@vinitkumar
Labels
fixed

Comments

@Asteriska001
Copy link

Describe the bug
I found out that theJson2xml(data).to_xml() method can raise a UnicodeDecodeError leading to a crash of the running program.

This could be problematic if users of the library are dealing with untrusted data since this issue will lead to a DoS. This should be detected and an execption should be triggered

To Reproduce
Steps to reproduce the behavior:
image

Expected behavior
This execption should be expected.
@vinitkumar
Copy link
Owner

@Asteriska8 Thanks for raising this issue and the explanation, it would be much more helpful if you could please just paste the input data in here so that it is easier to test it. The screenshot while informative doesn't help much in using that in the code.

@Asteriska001
Copy link
Author

data = (b'!\0a\8f').decode('utf-8')

vinitkumar added a commit that referenced this issue Feb 10, 2022
@vinitkumar
fix: issue with uncaught UnicodeDecodeError
194ecbe 
Even though, there are methods to safely get the json from file, string,
or url even, there is no surely that people will not pass their own data
into the json2xml.Json2xml() contructor.

However, if the data is corrupt or mal-formed, there is a chance an
exception can be raised, brining the program to a halt.

Hence, a new error type is introduced, that protects against it and
raises InvalidDataError exception which can that be caught and logged in
a program that uses Json2xml.

- Github Issue: #106

Authored-by: Vinit Kumar <mail@vinitkumar.me>
Signed-off-by: Vinit Kumar <mail@vinitkumar.me>
@vinitkumar vinitkumar mentioned this issue Feb 10, 2022
Merged
@vinitkumar
Copy link
Owner

@Asteriska8 Fixed it just now. #107

Please check this pull request and possibly run this, and let me know if it looks good to you?

@Asteriska001
Copy link
Author

Thanks!
I has validated this fix.

@vinitkumar
Copy link
Owner

@Asteriska8 Awesome, I will merge and release later this evening.

@Asteriska001
Copy link
Author

Thanks to your nice work and the contribution to open-source community!

vinitkumar added a commit that referenced this issue Feb 10, 2022
@vinitkumar
fix: issue with uncaught UnicodeDecodeError
a9cd75b 
Even though, there are methods to safely get the json from file, string,
or url even, there is no surely that people will not pass their own data
into the json2xml.Json2xml() contructor.

However, if the data is corrupt or mal-formed, there is a chance an
exception can be raised, brining the program to a halt.

Hence, a new error type is introduced, that protects against it and
raises InvalidDataError exception which can that be caught and logged in
a program that uses Json2xml.

- Github Issue: #106

Authored-by: Vinit Kumar <mail@vinitkumar.me>
Signed-off-by: Vinit Kumar <mail@vinitkumar.me>
@vinitkumar
Copy link
Owner

@Asteriska8 Thanks for your report.

Happy to announce that the fix is released to pypi here:

pip install json2xml==3.14.0

You are welcome to upgrade to this and your issues should be resolved. I will be closing this issue. Please don't hesitate to open a new issue if you find any other problems.

@vinitkumar vinitkumar self-assigned this Feb 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vinitkumar vinitkumar

Labels
fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vinitkumar @Asteriska001