Improved security

Author: horejsek

CHANGELOG.txt

@@ -2,6 +2,7 @@
 
 * Fix overriding variables (in pattern properties, property names, unique items and contains)
 * Fix string in const
+* Improve security: not generating code from any definition
 
 
 === 2.3 (2018-09-14) ===

fastjsonschema/draft04.py

@@ -1,5 +1,6 @@
 import re
 
+from .exceptions import JsonSchemaDefinitionException
 from .generator import CodeGenerator, enforce_list
 
 
@@ -65,7 +66,10 @@ def generate_type(self):
             {'type': ['string', 'number']}
         """
         types = enforce_list(self._definition['type'])
-        python_types = ', '.join(JSON_TYPE_TO_PYTHON_TYPE.get(t) for t in types)
+        try:
+            python_types = ', '.join(JSON_TYPE_TO_PYTHON_TYPE[t] for t in types)
+        except KeyError as exc:
+            raise JsonSchemaDefinitionException('Unknown type: {}'.format(exc))
 
         extra = ''
         if ('number' in types or 'integer' in types) and 'boolean' not in types:
@@ -84,6 +88,8 @@ def generate_enum(self):
                 'enum': ['a', 'b'],
             }
         """
+        if not isinstance(self._definition['enum'], (list, tuple)):
+            raise JsonSchemaDefinitionException('enum must be an array')
         with self.l('if {variable} not in {enum}:'):
             self.l('raise JsonSchemaException("{name} must be one of {enum}")')
 
@@ -192,20 +198,25 @@ def generate_not(self):
     def generate_min_length(self):
         with self.l('if isinstance({variable}, str):'):
             self.create_variable_with_length()
+            if not isinstance(self._definition['minLength'], int):
+                raise JsonSchemaDefinitionException('minLength must be a number')
             with self.l('if {variable}_len < {minLength}:'):
                 self.l('raise JsonSchemaException("{name} must be longer than or equal to {minLength} characters")')
 
     def generate_max_length(self):
         with self.l('if isinstance({variable}, str):'):
             self.create_variable_with_length()
+            if not isinstance(self._definition['maxLength'], int):
+                raise JsonSchemaDefinitionException('maxLength must be a number')
             with self.l('if {variable}_len > {maxLength}:'):
                 self.l('raise JsonSchemaException("{name} must be shorter than or equal to {maxLength} characters")')
 
     def generate_pattern(self):
         with self.l('if isinstance({variable}, str):'):
-            self._compile_regexps['{}'.format(self._definition['pattern'])] = re.compile(self._definition['pattern'])
-            with self.l('if not REGEX_PATTERNS["{}"].search({variable}):', self._definition['pattern']):
-                self.l('raise JsonSchemaException("{name} must match pattern {pattern}")')
+            safe_pattern = self._definition['pattern'].replace('"', '\\"')
+            self._compile_regexps[self._definition['pattern']] = re.compile(self._definition['pattern'])
+            with self.l('if not REGEX_PATTERNS["{}"].search({variable}):', safe_pattern):
+                self.l('raise JsonSchemaException("{name} must match pattern {}")', safe_pattern)
 
     def generate_format(self):
         """
@@ -240,6 +251,8 @@ def _generate_format(self, format_name, regexp_name, regexp):
 
     def generate_minimum(self):
         with self.l('if isinstance({variable}, (int, float)):'):
+            if not isinstance(self._definition['minimum'], (int, float)):
+                raise JsonSchemaDefinitionException('minimum must be a number')
             if self._definition.get('exclusiveMinimum', False):
                 with self.l('if {variable} <= {minimum}:'):
                     self.l('raise JsonSchemaException("{name} must be bigger than {minimum}")')
@@ -249,6 +262,8 @@ def generate_minimum(self):
 
     def generate_maximum(self):
         with self.l('if isinstance({variable}, (int, float)):'):
+            if not isinstance(self._definition['maximum'], (int, float)):
+                raise JsonSchemaDefinitionException('maximum must be a number')
             if self._definition.get('exclusiveMaximum', False):
                 with self.l('if {variable} >= {maximum}:'):
                     self.l('raise JsonSchemaException("{name} must be smaller than {maximum}")')
@@ -258,20 +273,26 @@ def generate_maximum(self):
 
     def generate_multiple_of(self):
         with self.l('if isinstance({variable}, (int, float)):'):
+            if not isinstance(self._definition['multipleOf'], (int, float)):
+                raise JsonSchemaDefinitionException('multipleOf must be a number')
             self.l('quotient = {variable} / {multipleOf}')
             with self.l('if int(quotient) != quotient:'):
                 self.l('raise JsonSchemaException("{name} must be multiple of {multipleOf}")')
 
     def generate_min_items(self):
         self.create_variable_is_list()
         with self.l('if {variable}_is_list:'):
+            if not isinstance(self._definition['minItems'], int):
+                raise JsonSchemaDefinitionException('minItems must be a number')
             self.create_variable_with_length()
             with self.l('if {variable}_len < {minItems}:'):
                 self.l('raise JsonSchemaException("{name} must contain at least {minItems} items")')
 
     def generate_max_items(self):
         self.create_variable_is_list()
         with self.l('if {variable}_is_list:'):
+            if not isinstance(self._definition['maxItems'], int):
+                raise JsonSchemaDefinitionException('maxItems must be a number')
             self.create_variable_with_length()
             with self.l('if {variable}_len > {maxItems}:'):
                 self.l('raise JsonSchemaException("{name} must contain less than or equal to {maxItems} items")')
@@ -357,20 +378,26 @@ def generate_items(self):
     def generate_min_properties(self):
         self.create_variable_is_dict()
         with self.l('if {variable}_is_dict:'):
+            if not isinstance(self._definition['minProperties'], int):
+                raise JsonSchemaDefinitionException('minProperties must be a number')
             self.create_variable_with_length()
             with self.l('if {variable}_len < {minProperties}:'):
                 self.l('raise JsonSchemaException("{name} must contain at least {minProperties} properties")')
 
     def generate_max_properties(self):
         self.create_variable_is_dict()
         with self.l('if {variable}_is_dict:'):
+            if not isinstance(self._definition['maxProperties'], int):
+                raise JsonSchemaDefinitionException('maxProperties must be a number')
             self.create_variable_with_length()
             with self.l('if {variable}_len > {maxProperties}:'):
                 self.l('raise JsonSchemaException("{name} must contain less than or equal to {maxProperties} properties")')
 
     def generate_required(self):
         self.create_variable_is_dict()
         with self.l('if {variable}_is_dict:'):
+            if not isinstance(self._definition['required'], (list, tuple)):
+                raise JsonSchemaDefinitionException('required must be an array')
             self.create_variable_with_length()
             with self.l('if not all(prop in {variable} for prop in {required}):'):
                 self.l('raise JsonSchemaException("{name} must contain {required} properties")')

fastjsonschema/draft06.py

@@ -1,4 +1,5 @@
 from .draft04 import CodeGeneratorDraft04, JSON_TYPE_TO_PYTHON_TYPE
+from .exceptions import JsonSchemaDefinitionException
 from .generator import enforce_list
 
 
@@ -53,7 +54,10 @@ def generate_type(self):
             {'type': ['string', 'number']}
         """
         types = enforce_list(self._definition['type'])
-        python_types = ', '.join(JSON_TYPE_TO_PYTHON_TYPE.get(t) for t in types)
+        try:
+            python_types = ', '.join(JSON_TYPE_TO_PYTHON_TYPE[t] for t in types)
+        except KeyError as exc:
+            raise JsonSchemaDefinitionException('Unknown type: {}'.format(exc))
 
         extra = ''
 
@@ -70,11 +74,15 @@ def generate_type(self):
 
     def generate_exclusive_minimum(self):
         with self.l('if isinstance({variable}, (int, float)):'):
+            if not isinstance(self._definition['exclusiveMinimum'], (int, float)):
+                raise JsonSchemaDefinitionException('exclusiveMinimum must be an integer or a float')
             with self.l('if {variable} <= {exclusiveMinimum}:'):
                 self.l('raise JsonSchemaException("{name} must be bigger than {exclusiveMinimum}")')
 
     def generate_exclusive_maximum(self):
         with self.l('if isinstance({variable}, (int, float)):'):
+            if not isinstance(self._definition['exclusiveMaximum'], (int, float)):
+                raise JsonSchemaDefinitionException('exclusiveMaximum must be an integer or a float')
             with self.l('if {variable} >= {exclusiveMaximum}:'):
                 self.l('raise JsonSchemaException("{name} must be smaller than {exclusiveMaximum}")')
 

fastjsonschema/exceptions.py

@@ -7,3 +7,9 @@ class JsonSchemaException(ValueError):
     def __init__(self, message):
         super().__init__(message)
         self.message = message
+
+
+class JsonSchemaDefinitionException(JsonSchemaException):
+    """
+    Exception raised by generator of validation function.
+    """

tests/conftest.py

@@ -10,14 +10,14 @@
 import pytest
 
 from fastjsonschema import JsonSchemaException, compile
-from fastjsonschema.draft04 import CodeGeneratorDraft04
+from fastjsonschema.draft07 import CodeGeneratorDraft07
 
 
 @pytest.fixture
 def asserter():
     def f(definition, value, expected):
         # When test fails, it will show up code.
-        code_generator = CodeGeneratorDraft04(definition)
+        code_generator = CodeGeneratorDraft07(definition)
         print(code_generator.func_code)
         pprint(code_generator.global_state)
 

tests/test_security.py

@@ -0,0 +1,43 @@
+import pytest
+
+from fastjsonschema import JsonSchemaDefinitionException, compile
+
+
+@pytest.mark.parametrize('schema', [
+    {'type': 'validate(10)'},
+    {'enum': 'validate(10)'},
+    {'minLength': 'validate(10)'},
+    {'maxLength': 'validate(10)'},
+    {'minimum': 'validate(10)'},
+    {'maximum': 'validate(10)'},
+    {'multipleOf': 'validate(10)'},
+    {'minItems': 'validate(10)'},
+    {'maxItems': 'validate(10)'},
+    {'minProperties': 'validate(10)'},
+    {'maxProperties': 'validate(10)'},
+    {'required': 'validate(10)'},
+    {'exclusiveMinimum': 'validate(10)'},
+    {'exclusiveMaximum': 'validate(10)'},
+])
+def test_not_generate_code_from_definition(schema):
+    with pytest.raises(JsonSchemaDefinitionException):
+        compile({
+            '$schema': 'http://json-schema.org/draft-07/schema',
+            **schema
+        })
+
+
+@pytest.mark.parametrize('schema,value', [
+    ({'const': 'validate(10)'}, 'validate(10)'),
+    ({'pattern': '" + validate("10") + "'}, '"  validate"10"  "'),
+    ({'pattern': "' + validate('10') + '"}, '\'  validate\'10\'  \''),
+    ({'pattern': "' + validate(\"10\") + '"}, '\'  validate"10"  \''),
+    ({'properties': {
+        'validate(10)': {'type': 'string'},
+    }}, {'validate(10)': '10'}),
+])
+def test_generate_code_with_proper_variable_names(asserter, schema, value):
+    asserter({
+        '$schema': 'http://json-schema.org/draft-07/schema',
+        **schema
+    }, value, value)