From 81b0b849bd7329c7fef2f6a9491aeae279d7b6e5 Mon Sep 17 00:00:00 2001 From: Miguel Grinberg Date: Thu, 15 Apr 2021 12:03:24 +0100 Subject: [PATCH] Configure the JSON decoder for safer parsing --- setup.py | 2 +- socketio/asyncio_pubsub_manager.py | 2 +- socketio/packet.py | 4 +++- socketio/pubsub_manager.py | 2 +- tests/asyncio/test_asyncio_server.py | 2 +- tests/common/test_client.py | 2 +- tests/common/test_packet.py | 5 +++++ tests/common/test_server.py | 2 +- 8 files changed, 14 insertions(+), 7 deletions(-) diff --git a/setup.py b/setup.py index a854293..edf03c4 100755 --- a/setup.py +++ b/setup.py @@ -30,7 +30,7 @@ setup( platforms='any', install_requires=[ 'bidict>=0.21.0', - 'python-engineio>=4', + 'python-engineio>=4.1.0', ], extras_require={ 'client': [ diff --git a/socketio/asyncio_pubsub_manager.py b/socketio/asyncio_pubsub_manager.py index cabd41e..54e2436 100644 --- a/socketio/asyncio_pubsub_manager.py +++ b/socketio/asyncio_pubsub_manager.py @@ -1,7 +1,7 @@ from functools import partial import uuid -import json +from engineio import json import pickle from .asyncio_manager import AsyncManager diff --git a/socketio/packet.py b/socketio/packet.py index f4434df..2d43779 100644 --- a/socketio/packet.py +++ b/socketio/packet.py @@ -1,5 +1,5 @@ import functools -import json as _json +from engineio import json as _json (CONNECT, DISCONNECT, EVENT, ACK, CONNECT_ERROR, BINARY_EVENT, BINARY_ACK) = \ (0, 1, 2, 3, 4, 5, 6) @@ -79,6 +79,8 @@ class Packet(object): self.data = None ep = ep[1:] dash = ep.find('-') + if dash > 10: + raise ValueError('too many attachments') attachment_count = 0 if dash > 0 and ep[0:dash].isdigit(): attachment_count = int(ep[0:dash]) diff --git a/socketio/pubsub_manager.py b/socketio/pubsub_manager.py index ff3304c..97cdf1e 100644 --- a/socketio/pubsub_manager.py +++ b/socketio/pubsub_manager.py 
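Review bot: The hardening in this hunk covers only the JSON path: `import pickle` stays on the context line directly after the new `from engineio import json`, and whatever is unpickled in this module is outside what engineio's safer decoder protects. The same pairing appears in the matching hunk of socketio/pubsub_manager.py. If the pickled payloads are the messages read back from the shared queue (their use is not visible in this hunk), a comment next to the import such as `# pickle is only applied to messages from the queue backend, which is treated as a trusted channel` would make that trust boundary explicit for readers of a commit titled "safer parsing", or prompt a follow-up if that assumption does not hold.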
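Review bot: The new `if dash > 10: raise ValueError('too many attachments')` runs before the `ep[0:dash].isdigit()` test on the following lines, so it also rejects packets whose prefix is not an attachment count at all; a plain EVENT packet whose JSON payload simply contains a `-` beyond index 10 would now fail to decode with a misleading error. The guard belongs inside the digit-prefix branch: `if dash > 0 and ep[0:dash].isdigit():` / `    if dash > 10:` / `        raise ValueError('too many attachments')` followed by the existing `attachment_count = int(ep[0:dash])`. The enclosing decode method starts and ends outside this hunk, so the later handling of `ep` is not visible here.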
@@ -1,7 +1,7 @@ from functools import partial import uuid -import json +from engineio import json import pickle from .base_manager import BaseManager diff --git a/tests/asyncio/test_asyncio_server.py b/tests/asyncio/test_asyncio_server.py index 911cb3b..a6c2667 100644 --- a/tests/asyncio/test_asyncio_server.py +++ b/tests/asyncio/test_asyncio_server.py @@ -1,10 +1,10 @@ import asyncio -import json import logging import sys import unittest from unittest import mock +from engineio import json import pytest from socketio import asyncio_server diff --git a/tests/common/test_client.py b/tests/common/test_client.py index e04f0cc..2f85e6c 100644 --- a/tests/common/test_client.py +++ b/tests/common/test_client.py @@ -1,10 +1,10 @@ -import json import logging import sys import unittest from unittest import mock from engineio import exceptions as engineio_exceptions +from engineio import json from engineio import packet as engineio_packet import pytest diff --git a/tests/common/test_packet.py b/tests/common/test_packet.py index 65b3377..cc6725f 100644 --- a/tests/common/test_packet.py +++ b/tests/common/test_packet.py @@ -165,6 +165,7 @@ class TestPacket(unittest.TestCase): def test_decode_id_too_long(self): with pytest.raises(ValueError): packet.Packet(encoded_packet='2' + '1' * 101) + with pytest.raises(ValueError): packet.Packet(encoded_packet='2' + '1' * 101 + '["foo"]') def test_encode_id_no_data(self): @@ -258,6 +259,10 @@ class TestPacket(unittest.TestCase): with pytest.raises(ValueError): pkt.add_attachment(b'123') + def test_decode_attachment_count_too_long(self): + with pytest.raises(ValueError): + packet.Packet(encoded_packet='6' + ('1' * 11) + '-{"a":"123}') + def test_data_is_binary_list(self): pkt = packet.Packet() assert not pkt._data_is_binary(['foo']) diff --git a/tests/common/test_server.py b/tests/common/test_server.py index 05eefff..556dab7 100644 --- a/tests/common/test_server.py +++ b/tests/common/test_server.py 
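Review bot: In the added `test_decode_attachment_count_too_long`, the payload `'{"a":"123}'` is not well-formed JSON (the closing quote of the value is missing), so if the decoder goes on to parse the data after the attachment prefix the test would raise ValueError even without the new attachment-count guard, and it would not detect the guard being removed. Using a valid body, e.g. `packet.Packet(encoded_packet='6' + ('1' * 11) + '-{"a":"123"}')`, pins the failure to the attachment-count check itself. A one-line comment stating which check the test exercises would also help, since the class has several similar ValueError tests.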
@@ -1,8 +1,8 @@ -import json import logging import unittest from unittest import mock +from engineio import json import pytest from socketio import exceptions