vinitkumar/json2xml

[Uncaught exception] UnicodeDecodeError when calling to_xml with arbitrary data

Asteriska001 opened this issue · 7 comments

Describe the bug
I found out that the Json2xml(data).to_xml() method can raise a UnicodeDecodeError leading to a crash of the running program.

This could be problematic if users of the library are dealing with untrusted data since this issue will lead to a DoS. This should be detected and an exception should be triggered.

To Reproduce
Steps to reproduce the behavior:
image

Expected behavior
This exception should be expected.

@Asteriska8 Thanks for raising this issue and for the explanation. It would be much more helpful if you could please just paste the input data in here so that it is easier to test it. The screenshot, while informative, doesn't help much in using that in the code.

data = (b'!\0a\8f').decode('utf-8')

@Asteriska8 Fixed it just now. #107

Please check this pull request and possibly run this, and let me know if it looks good to you?

Thanks!
I have validated this fix.

@Asteriska8 Awesome, I will merge and release later this evening.

Thanks for your nice work and the contribution to the open-source community!

@Asteriska8 Thanks for your report.

Happy to announce that the fix is released to PyPI here:

pip install json2xml==3.14.0

You are welcome to upgrade to this and your issues should be resolved. I will be closing this issue. Please don't hesitate to open a new issue if you find any other problems.