Conversation

@lchoquel lchoquel commented Jul 13, 2025

🚀 New Features

📝 Changes

🔒 Security

  • Documentation: Added security considerations section to README regarding deserializing untrusted JSON data


@bpietropaoli bpietropaoli left a comment


I haven't looked at the .github modifications since it's your repo and you manage it however you want.

As for the issues mentioned, they are solved. Good work. :)

Comment on lines +187 to +197
## ⚠️ Security Considerations

**Warning**: Instantiating classes using `__class__` and `__module__` attributes poses a security threat when deserializing untrusted JSON data. Malicious JSON could potentially instantiate arbitrary classes and execute code.

Only use Kajson to deserialize JSON from trusted sources. For untrusted data, consider:
- Validating JSON structure before deserialization
- Using a whitelist of allowed classes
- Sanitizing input data

For more discussion on this topic, see [this discussion thread](https://github.com/Pipelex/kajson/discussions/44).
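Review bot: the three bullets tell users what to do without saying how to do it with Kajson; in particular "Using a whitelist of allowed classes" reads as though the library offers an allowlist option, and "Sanitizing input data" does not say what should be rejected. Consider stating whether Kajson exposes a way to restrict which `__class__`/`__module__` pairs may be resolved, or, if it does not, saying so explicitly and giving a concrete pre-check (for example, walking the parsed JSON and rejecting any object whose `__module__` is outside a small set of expected modules before handing it to Kajson). A short example in the README would make the warning actionable rather than advisory.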


A necessary addition for sure, informing potentially careless users is always a good idea. :)


Good, cleaning unused code is just good practice for maintainability.

Comment on lines +216 to +220
# Expressions used to find module names (compiled once at import time):
__class_expression = re.compile(r"^<class '([a-zA-Z0-9._]*)'>")
__type_expression = re.compile(r"^<type '([a-zA-Z0-9._]*)'>")
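Review bot: `__type_expression` matches the `<type '...'>` form, which is the Python 2 repr of built-in types; on Python 3 `repr(int)` is `<class 'int'>`, so the second pattern never matches and could go with the other unused code this PR removes, unless Python 2 is still supported. Note also that `[a-zA-Z0-9._]*` will not match the repr of a class defined inside a function (`<class 'mod.func.<locals>.Name'>`) or one using non-ASCII identifiers, so `__class_expression` silently fails for those; reading `cls.__module__` and `cls.__qualname__` directly would avoid parsing the repr string at all. If the regex approach is kept, a comment naming the intended Python versions and the known non-matching cases would help the next reader.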



Definitely in its right place now. ;)


I would have added docstrings in the code itself so tools like IntelliSense in VSCode can give you the doc on the fly too, but at least it's documented. :)

@lchoquel lchoquel merged commit 7b32a38 into dev Oct 4, 2025
16 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Oct 4, 2025