hyperledger / indy-plenum

Plenum Byzantine Fault Tolerant Protocol
https://wiki.hyperledger.org/display/indy
Apache License 2.0

Questions about vulnerabilities in Indy Plenum dependencies #1680

Open swcurran opened 1 month ago

swcurran commented 1 month ago

What is the impact of these vulnerabilities on the currently released version of Indy Plenum?

KimEbert42 commented 1 month ago

There are significant changes in the ujson library from 1.33 to a version that doesn't contain a vulnerability.

git diff --stat 4e4dc5e..5.4.0 

 104 files changed, 332889 insertions(+), 2911 deletions(-)

The ujson impacts the following files:

common/serializers/json_serializer.py:    import ujson as json
common/serializers/json_serializer.py:    from ujson import encode as uencode
plenum/test/recorder/test_recorder.py:    import ujson as json
plenum/recorder/recorder.py:    import ujson as json
scripts/test_zmq/test_zmq/zstack.py:    import ujson as json
stp_zmq/zstack.py:    import ujson as json

The calls inside of Indy Plenum to ujson include

from ujson import encode as uencode
json.loads
json.dumps

Testing possible upgrade path.

docker run -it ubuntu:20.04

mkdir tmp/test
cd tmp/test
apt update -y && apt install -y python3-pip
pip3 install ujson==1.33
python3
from ujson import encode as uencode
uencode({'xx': '123', 'aa': 90}, sort_keys=True)

# Uencode causes an exception to be thrown because 1.33 doesn't contain sort_keys, so the json library is used in the case. uencode is only used in common/serializers/json_serializer.py, so Indy Plenum does not use ujson uencode in the main branch.

quit()

pip3 install ujson==5.4.0

python3
from ujson import encode as uencode
uencode({'xx': '123', 'aa': 90}, sort_keys=True)
from ujson import loads
from ujson import dumps

It appears that the interfaces between ujson versions have been maintained, and it may simply involve upgrading the version of ujson to use a version that doesn't have the vulnerability.

It may also be possible to use the native Python json library, as the Indy Plenum calls include falling back to the json library. This would allow us to simply drop the use of ujson if desired.

try:
    import ujson as json
except ImportError:
    import json
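The comment above describes two things worth checking before upgrading or dropping ujson: whether the installed ujson accepts `sort_keys` (1.33 does not), and whether stdlib `json` is a drop-in replacement for the serializer's output. The following is an added example, not code from indy-plenum or from the commenter: it probes for `sort_keys` support with the same dict used above, falls back to the standard library, and pins both backends to one canonical form (sorted keys, no separator whitespace, ASCII only, no `/` escaping) so that the bytes they produce can be compared. The function names and the sample transaction dict are hypothetical and constructed for this example.

```python
"""Backend-independent canonical JSON, added example (not indy-plenum code).

Deterministic serialization matters wherever serialized bytes are hashed or
signed, so the two backends are configured to emit identical output rather
than trusting their defaults to agree.
"""
import json as stdlib_json

# Same probe the comment above types into the interpreter.
PROBE = {'xx': '123', 'aa': 90}

# Constructed sample (hypothetical transaction shape, not a real ledger txn).
SAMPLE_TXN = {
    "txn": {"type": "1", "data": {"url": "http://example/test", "seq": 7}},
    "flags": [True, None, 0],
}


def _ujson_with_sort_keys():
    """Return the ujson module if it is installed and its encoder accepts
    sort_keys. ujson 1.33 has no such keyword and raises TypeError, which is
    the exception the comment above observed; a missing module raises
    ImportError. Either way we return None and the caller uses stdlib json."""
    try:
        import ujson
        ujson.dumps(PROBE, sort_keys=True)
        return ujson
    except (ImportError, TypeError):
        return None


def backend_name():
    """Name of the backend canonical_dumps() will pick by default."""
    return "ujson" if _ujson_with_sort_keys() is not None else "json"


def canonical_dumps(obj, backend=None):
    """Serialize obj to canonical JSON: sorted keys at every level, no
    whitespace, ASCII-only escapes. backend is "ujson", "json" or None
    (auto-select)."""
    if backend is None:
        backend = backend_name()
    if backend == "ujson":
        ujson = _ujson_with_sort_keys()
        if ujson is None:
            raise RuntimeError("ujson with sort_keys support is not installed")
        # ujson emits no separator whitespace already; its default of
        # escaping "/" as "\/" is disabled so output matches the stdlib.
        return ujson.dumps(obj, sort_keys=True, ensure_ascii=True,
                           escape_forward_slashes=False)
    if backend == "json":
        return stdlib_json.dumps(obj, sort_keys=True, ensure_ascii=True,
                                 separators=(',', ':'))
    raise ValueError("unknown backend: %r" % (backend,))


def canonical_loads(text, backend=None):
    """Parse JSON text with the selected backend."""
    if backend is None:
        backend = backend_name()
    if backend == "ujson":
        ujson = _ujson_with_sort_keys()
        if ujson is None:
            raise RuntimeError("ujson with sort_keys support is not installed")
        return ujson.loads(text)
    return stdlib_json.loads(text)


def backends_agree(obj):
    """True if ujson and stdlib json produce byte-identical canonical output
    for obj, False on a mismatch, None when ujson is unusable (nothing to
    compare). Run this over representative ledger objects before swapping
    backends."""
    if _ujson_with_sort_keys() is None:
        return None
    return canonical_dumps(obj, "ujson") == canonical_dumps(obj, "json")


if __name__ == "__main__":
    print("backend:", backend_name())
    print(canonical_dumps(SAMPLE_TXN))
    print("backends agree:", backends_agree(SAMPLE_TXN))
```

Run it once with `ujson==1.33` installed and once with `5.4.0`: the first falls back to `json` (the probe raises `TypeError`), the second reports `ujson`, and `backends_agree()` on the objects your deployment actually serializes tells you whether the switch changes any bytes that might be hashed or signed.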

swcurran commented 1 month ago

Thanks. Any idea if the ujson High vulnerability issue is being used in Plenum, or is the vulnerability description insufficiently detailed to determine that?

PatStLouis commented 1 month ago

sha3 was removed from the library: https://github.com/hyperledger/indy-plenum/pull/1679

testing removal of ujson: https://github.com/hyperledger/indy-plenum/pull/1676