search

hyperledger / indy-plenum

Plenum Byzantine Fault Tolerant Protocol
https://wiki.hyperledger.org/display/indy
Apache License 2.0
215 stars 370 forks source link

Mitigating security issues of jsonpickle #1672

Open kukgini opened 3 months ago

kukgini commented 3 months ago

A security guy told me about indy-node vulnerabilities. It's about jsonpickle security issue. And it is classified as critical. https://github.com/advisories/GHSA-j66q-qmrc-89rx

However the jsonpickle team defended that it is intended. And they suggested that to be sure to be safe, user of this library should set safe=True in calling jsonpickle.decode() https://github.com/jsonpickle/jsonpickle/issues/335

It appears that in indy-plenum, jsonpickle.decode() is called without safe parameter. Wouldn't it be better to add it?

PatStLouis commented 3 weeks ago

@kukgini plenum uses jsonpickle version 3.0.3 which isn't vulnerable. The NVD states that the vulnerability only affects version 1.4.1 and below.