Replace insecure pickle deserialization of cookies with safe JSON deserialization to prevent arbitrary code execution.

[zeropath-ai-dev]

Summary

• The Vulnerability Description: The application previously deserialized user-controlled cookies using pickle.loads, making it vulnerable to insecure deserialization and potential arbitrary code execution if an attacker provided a malicious payload.
• This Fix: The code now replaces pickle with Python's json library to safely encode and decode session data, preventing the execution of arbitrary code embedded in cookies.
• The Cause of the Issue: Using pickle.loads on untrusted user input allowed attackers to craft cookies containing code that would be executed during deserialization, resulting in a critical security risk.
• The Patch Implementation: The patch transitions from using pickle.dumps/loads to json.dumps/loads, ensuring that session cookies are safely serialized and deserialized as plain data without executing embedded Python objects or code.

Vulnerability Details

• Vulnerability Class: Insecure Deserialization
• Severity: 10.0
• Affected File: owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
• Vulnerable Lines: 40-40

Code Snippets

diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
index 92e24231..ff4f0e35 100644
--- a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
+++ b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
@@ -4,6 +4,7 @@ from flask import Flask, request, make_response, render_template, redirect, flas
 import uuid
 import pickle
 import base64
+import json
 app = Flask(__name__)
 
 
@@ -20,7 +21,7 @@ def login():
         if username == "admin" and password == "admin":
             token = str(uuid.uuid4().hex)
             cookie = { "username":username, "admin":True, "sessionId":token }
-            pickle_resultado = pickle.dumps(cookie)
+            pickle_resultado = json.dumps(cookie).encode('utf-8')
             encodedSessionCookie = base64.b64encode(pickle_resultado)
             resp = make_response(redirect("/user"))
             resp.set_cookie("sessionId", encodedSessionCookie)
@@ -37,7 +38,7 @@ def userInfo():
     cookie = request.cookies.get("sessionId")
     if cookie == None:
         return "Não Autorizado!"
-    cookie = pickle.loads(base64.b64decode(cookie))
+    cookie = json.loads(base64.b64decode(cookie).decode('utf-8'))
 
     return render_template('user.html')
     

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai-dev bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai-dev!

To request modifications, please post a comment beginning with @zeropath-ai-dev and specify the changes required.

@zeropath-ai-dev will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_insecure_deserialization_1752116834403000

# if vscode is installed run (or use your favorite editor / IDE):
code owasp-top10-2021-apps/a8/amarelo-designs/app/app.py

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_insecure_deserialization_1752116834403000