Deserialization

PyJson

The json module for JSON encoding and decoding. Unlike pickle, json is safe by default: the decoder only produces primitives (str, int, float, bool, None), lists and dicts, and never executes code. It is still worth modelling because json.loads is a common entry point for untrusted input, and json.dumps output that is embedded unescaped in an HTML response (for example inside an inline <script> block) is a common origin of reflected XSS. The serializer itself is neutral; the HTML write is the sink.

Taint flow: 2 sources, 0 sinks

Sources (untrusted input):
.loads()
.load()

Sources

.loads() (Source)

Signature
json.loads(s: str | bytes, ...) -> Any

Parses a JSON document from a str or bytes. Safe by default: no code is executed. The returned value is nevertheless fully attacker-controlled (its type, keys, nesting depth and size included), so it is a source whenever s comes from user input. Note that the decoder accepts NaN, Infinity and -Infinity even though they are not standard JSON, keeps the last value for duplicate keys, and raises RecursionError on very deeply nested input; the object_hook / object_pairs_hook / parse_* callbacks receive the untrusted values directly.

tracks: return
.load() (Source)

Signature
json.load(fp, ...) -> Any

Parses JSON from a file-like object using the same decoder as loads. Safe by default; the return value is a source when the contents of fp are user-controlled (an uploaded file, a request body stream).

tracks: return
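The following is an added example, not code from the page or from the codepathfinder rule library. It shows what "safe but tainted" means for the two sources above: json.loads never executes code, yet the shape of the result is attacker-chosen, so a wrapper that bounds it is what a practitioner would put at the entry point. The names load_untrusted, rejects and the MAX_BODY_BYTES cap are assumptions of this example; the json keyword arguments used (parse_constant, object_pairs_hook) are real stdlib parameters. The sample bodies are constructed, not captured traffic.

```python
from __future__ import annotations

import json
from typing import Any

# Assumed request-body cap for this example; size it for the endpoint.
MAX_BODY_BYTES = 1024 * 1024


def _reject_constant(name: str) -> Any:
    # json.loads accepts NaN, Infinity and -Infinity by default even though
    # RFC 8259 JSON has no such tokens. parse_constant is called for exactly
    # these three names, so raising here turns them into a decode error.
    raise ValueError(f"non-standard JSON constant rejected: {name}")


def _reject_duplicate_keys(pairs: list) -> dict:
    # The default decoder silently keeps the last duplicate key, which lets
    # two parsers disagree about the same document. Fail closed instead.
    obj: dict = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key rejected: {key!r}")
        obj[key] = value
    return obj


def load_untrusted(raw: bytes, expect: type = dict) -> Any:
    """Decode an untrusted JSON body into plain Python values.

    json.loads never executes code, but everything about the result (type,
    keys, nesting depth, size) is attacker-chosen, so the return value is
    still tainted. This wrapper bounds what the caller has to deal with.
    """
    if len(raw) > MAX_BODY_BYTES:
        raise ValueError(f"body too large: {len(raw)} bytes")
    try:
        value = json.loads(
            raw,
            parse_constant=_reject_constant,
            object_pairs_hook=_reject_duplicate_keys,
        )
    except RecursionError:
        # Deeply nested arrays/objects exhaust the decoder's recursion budget.
        raise ValueError("JSON nesting too deep") from None
    if not isinstance(value, expect):
        raise ValueError(
            f"expected top-level {expect.__name__}, got {type(value).__name__}"
        )
    return value


def rejects(raw: bytes, expect: type = dict) -> bool:
    """True if load_untrusted refuses the document (used by the demo below)."""
    try:
        load_untrusted(raw, expect)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample bodies for the demo, not captured traffic.
    good = b'{"user": "alice", "roles": ["admin"], "n": 3}'
    nan = b'{"n": NaN}'
    dup = b'{"user": "alice", "user": "mallory"}'
    deep = b"[" * 200_000 + b"]" * 200_000
    wrong_shape = b'["not", "an", "object"]'
    print(load_untrusted(good))
    for body in (nan, dup, deep, wrong_shape):
        print(body[:40], "rejected:", rejects(body))
```

The wrapper still returns untrusted data: every key and value in the dict remains tainted for the purposes of the rule above, and field-level validation (types, lengths, allowed keys) belongs in the code that consumes it.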

Other Methods

.dumps() (Neutral)

Signature
json.dumps(obj, *, ensure_ascii=True, ...) -> str

Serializes obj to a JSON string. Neutral for taint purposes: taint on obj passes through to the returned string. Whether that string is dangerous depends on where it is written. A response served as application/json is fine; the same string concatenated into an HTML page is not, because json.dumps escapes non-ASCII (ensure_ascii=True) but leaves <, > and & untouched, so a value containing </script> breaks out of an inline script block.

.dump() (Neutral)

Signature
json.dump(obj, fp, ...) -> None

Writes obj as JSON to a file-like object. Neutral, with the same caveat as dumps when fp is an HTML response body.
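The following is an added example, not code from the page or from the rule library, illustrating the dumps caveat: the same template rendered with raw json.dumps output and with an HTML-aware variant. The helper names dumps_for_script, render_unsafe, render_safe, render_attribute and round_trips are assumptions of this example; json.dumps and html.escape are the real stdlib functions. The attacker-controlled value is constructed for the demo.

```python
import html
import json
from typing import Any

# Characters that are harmless inside a JSON string but that an HTML parser
# acts on before any JavaScript runs. Replacing them with JSON \u escapes keeps
# the decoded value identical while removing them from the HTML byte stream.
_SCRIPT_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def dumps_for_script(obj: Any) -> str:
    """json.dumps output that is safe to place inside an inline <script> block.

    The default ensure_ascii=True already escapes U+2028/U+2029 and all other
    non-ASCII, so only the three HTML-significant ASCII characters remain.
    JSON never contains '<', '>' or '&' outside string literals, so a global
    replace is safe and the result is still valid JSON.
    """
    out = json.dumps(obj)
    for ch, esc in _SCRIPT_UNSAFE.items():
        out = out.replace(ch, esc)
    return out


def render_unsafe(state: Any) -> str:
    # The pattern the page warns about: raw json.dumps output dropped into HTML.
    return f"<script>window.__STATE__ = {json.dumps(state)};</script>"


def render_safe(state: Any) -> str:
    # Same template, HTML-aware serialization.
    return f"<script>window.__STATE__ = {dumps_for_script(state)};</script>"


def render_attribute(state: Any) -> str:
    # A different context needs a different escape: inside an attribute value
    # the JSON is HTML text, so use html.escape (quote=True also handles the
    # quotes) and let client-side code JSON.parse() the attribute.
    return f'<div data-state="{html.escape(json.dumps(state), quote=True)}"></div>'


def round_trips(obj: Any) -> bool:
    # The escaped form must decode to exactly the original value.
    return json.loads(dumps_for_script(obj)) == obj


if __name__ == "__main__":
    # Constructed attacker-controlled value, e.g. one that arrived via json.loads.
    state = {"name": "</script><script>alert(document.domain)</script>"}
    print(render_unsafe(state))   # HTML parser sees a real </script> here
    print(render_safe(state))     # no '<' or '>' in the script body at all
    print(render_attribute(state))
    print("round trip ok:", round_trips(state))
```

For a taint rule this is the practical reading of "Neutral": dumps does not remove taint, and a sink rule for HTML output should fire on its result just as it would on the raw value unless an escape such as dumps_for_script or html.escape sits in between.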

Fully-Qualified Names

FQN     Field
json    fqns[0]

A wrong FQN produces 0 findings. Verify that the rule is matching on the FQN: change fqns to a garbage value and confirm the run produces 0 results.

Import

rule.py
from codepathfinder.go_rule import PyJson