Configure the JSON decoder for safer parsing

miguelgrinberg · miguelgrinberg · commit 81b0b849bd73 · 2021-04-15T12:04:38.000+01:00
diff --git a/setup.py b/setup.py
@@ -30,7 +30,7 @@
     platforms='any',
     install_requires=[
         'bidict>=0.21.0',
-        'python-engineio>=4',
+        'python-engineio>=4.1.0',
     ],
     extras_require={
         'client': [
diff --git a/socketio/asyncio_pubsub_manager.py b/socketio/asyncio_pubsub_manager.py
@@ -1,7 +1,7 @@
 from functools import partial
 import uuid
 
-import json
+from engineio import json
 import pickle
 
 from .asyncio_manager import AsyncManager
diff --git a/socketio/packet.py b/socketio/packet.py
@@ -1,5 +1,5 @@
 import functools
-import json as _json
+from engineio import json as _json
 
 (CONNECT, DISCONNECT, EVENT, ACK, CONNECT_ERROR, BINARY_EVENT, BINARY_ACK) = \
     (0, 1, 2, 3, 4, 5, 6)
@@ -79,6 +79,8 @@ def decode(self, encoded_packet):
         self.data = None
         ep = ep[1:]
         dash = ep.find('-')
+        if dash > 10:
+            raise ValueError('too many attachments')
         attachment_count = 0
         if dash > 0 and ep[0:dash].isdigit():
             attachment_count = int(ep[0:dash])
diff --git a/socketio/pubsub_manager.py b/socketio/pubsub_manager.py
@@ -1,7 +1,7 @@
 from functools import partial
 import uuid
 
-import json
+from engineio import json
 import pickle
 
 from .base_manager import BaseManager
diff --git a/tests/asyncio/test_asyncio_server.py b/tests/asyncio/test_asyncio_server.py
@@ -1,10 +1,10 @@
 import asyncio
-import json
 import logging
 import sys
 import unittest
 from unittest import mock
 
+from engineio import json
 import pytest
 
 from socketio import asyncio_server
diff --git a/tests/common/test_client.py b/tests/common/test_client.py
@@ -1,10 +1,10 @@
-import json
 import logging
 import sys
 import unittest
 from unittest import mock
 
 from engineio import exceptions as engineio_exceptions
+from engineio import json
 from engineio import packet as engineio_packet
 import pytest
 
diff --git a/tests/common/test_packet.py b/tests/common/test_packet.py
@@ -165,6 +165,7 @@ def test_decode_id_long(self):
     def test_decode_id_too_long(self):
         with pytest.raises(ValueError):
             packet.Packet(encoded_packet='2' + '1' * 101)
+        with pytest.raises(ValueError):
             packet.Packet(encoded_packet='2' + '1' * 101 + '["foo"]')
 
     def test_encode_id_no_data(self):
@@ -258,6 +259,10 @@ def test_decode_too_many_binary_packets(self):
         with pytest.raises(ValueError):
             pkt.add_attachment(b'123')
 
+    def test_decode_attachment_count_too_long(self):
+        with pytest.raises(ValueError):
+            packet.Packet(encoded_packet='6' + ('1' * 11) + '-{"a":"123}')
+
     def test_data_is_binary_list(self):
         pkt = packet.Packet()
         assert not pkt._data_is_binary(['foo'])
diff --git a/tests/common/test_server.py b/tests/common/test_server.py
@@ -1,8 +1,8 @@
-import json
 import logging
 import unittest
 from unittest import mock
 
+from engineio import json
 import pytest
 
 from socketio import exceptions
