Open swcurran opened 2 months ago
There are significant changes in the ujson library from 1.33 to a version that doesn't contain a vulnerability.
git diff --stat 4e4dc5e..5.4.0
104 files changed, 332889 insertions(+), 2911 deletions(-)
The ujson impacts the following files:
common/serializers/json_serializer.py: import ujson as json
common/serializers/json_serializer.py: from ujson import encode as uencode
plenum/test/recorder/test_recorder.py: import ujson as json
plenum/recorder/recorder.py: import ujson as json
scripts/test_zmq/test_zmq/zstack.py: import ujson as json
stp_zmq/zstack.py: import ujson as json
The calls inside of Indy Plenum to ujson include
from ujson import encode as uencode
json.loads
json.dumps
Testing possible upgrade path.
docker run -it ubuntu:20.04
mkdir tmp/test
cd tmp/test
apt update -y && apt install -y python3-pip
pip3 install ujson==1.33
python3
from ujson import encode as uencode
uencode({'xx': '123', 'aa': 90}, sort_keys=True)
# uencode causes an exception to be thrown because 1.33 doesn't contain sort_keys, so the json library is used in that case. uencode is only used in common/serializers/json_serializer.py, so Indy Plenum does not use ujson uencode in the main branch.
quit()
pip3 install ujson==5.4.0
python3
from ujson import encode as uencode
uencode({'xx': '123', 'aa': 90}, sort_keys=True)
from ujson import loads
from ujson import dumps
It appears that the interfaces between ujson versions have been maintained, and it may simply involve upgrading the version of ujson to use a version that doesn't have the vulnerability.
It may also be possible to use the native Python json library, as the Indy Plenum calls include falling back to the json library. This would allow us to simply drop the use of ujson if desired.
try:
import ujson as json
except ImportError:
import json
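The fallback pattern above and the sort_keys behaviour seen in the test session, as an added example that is not code from this issue or from Indy Plenum: a helper that prefers ujson, drops to the stdlib json module when ujson is absent or (as with 1.33) rejects sort_keys, and checks whether removing ujson would change the serialized output at all. The function names are hypothetical.

```python
"""Backend-agnostic JSON helpers for the ujson -> stdlib fallback.
Added example; not Indy Plenum's serializer code."""
import json

try:
    import ujson  # optional; older releases (e.g. 1.33) lack sort_keys
except ImportError:  # stdlib only
    ujson = None


def dumps_sorted(obj):
    """Serialise with deterministic key order and compact separators.

    ujson emits compact output by default; stdlib json needs explicit
    separators to produce the same bytes. A ujson build without
    sort_keys raises TypeError (the 1.33 case), so fall back to json.
    """
    if ujson is not None:
        try:
            return ujson.dumps(obj, sort_keys=True)
        except TypeError:
            pass  # old ujson without sort_keys support
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def loads(data):
    """Parse with whichever backend is active; both accept str input."""
    if ujson is not None:
        return ujson.loads(data)
    return json.loads(data)


def roundtrip_matches(obj):
    """True when the active backend's sorted output re-parses to the same
    object AND is byte-identical to stdlib json's canonical form, i.e.
    swapping ujson for json would not alter what gets written.
    Known divergences (ujson escapes '/' by default) show up as False."""
    encoded = dumps_sorted(obj)
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return loads(encoded) == obj and encoded == canonical
```

Run roundtrip_matches over representative messages (with and without ujson installed) before deciding whether the serializer can simply drop ujson.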
Thanks. Any idea if the ujson High vulnerability issue is being used in Plenum, or is the vulnerability description insufficiently detailed to determine that?
sha3 was removed from the library: https://github.com/hyperledger/indy-plenum/pull/1679
testing removal of ujson: https://github.com/hyperledger/indy-plenum/pull/1676
What is the impact of these vulnerabilities on the currently released version of Indy Plenum?