Replace insecure pickle-based session serialization with safe JSON serialization to prevent arbitrary code execution vulnerability.

[zeropath-ai-dev]

Summary

• The Vulnerability Description:
  The application used pickle for session cookie serialization and deserialization, which allowed attackers to craft malicious cookies and achieve arbitrary code execution if they could control the pickled data.

• This Fix:
  The code now uses json for session cookie serialization and deserialization, eliminating the risk of insecure code execution associated with pickle.

• The Cause of the Issue:
  pickle can execute arbitrary Python code during deserialization, making it unsafe for handling potentially attacker-controlled input like cookies.

• The Patch Implementation:
  All instances of pickle.dumps and pickle.loads for cookie data have been replaced with json.dumps and json.loads, ensuring only safe data formats are processed.

Vulnerability Details

• Vulnerability Class: Insecure Deserialization
• Severity: 10.0
• Affected File: owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
• Vulnerable Lines: 23-24

Code Snippets

diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
index 92e24231..8189c68b 100644
--- a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
+++ b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
@@ -4,6 +4,7 @@ from flask import Flask, request, make_response, render_template, redirect, flas
 import uuid
 import pickle
 import base64
+import json
 app = Flask(__name__)
 
 
@@ -20,8 +21,8 @@ def login():
         if username == "admin" and password == "admin":
             token = str(uuid.uuid4().hex)
             cookie = { "username":username, "admin":True, "sessionId":token }
-            pickle_resultado = pickle.dumps(cookie)
-            encodedSessionCookie = base64.b64encode(pickle_resultado)
+            cookie_json = json.dumps(cookie).encode('utf-8')
+            encodedSessionCookie = base64.b64encode(cookie_json).decode('ascii')
             resp = make_response(redirect("/user"))
             resp.set_cookie("sessionId", encodedSessionCookie)
             return resp
@@ -37,7 +38,7 @@ def userInfo():
     cookie = request.cookies.get("sessionId")
     if cookie == None:
         return "Não Autorizado!"
-    cookie = pickle.loads(base64.b64decode(cookie))
+    cookie = json.loads(base64.b64decode(cookie).decode('utf-8'))
 
     return render_template('user.html')
     

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai-dev bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai-dev!

To request modifications, please post a comment beginning with @zeropath-ai-dev and specify the changes required.

@zeropath-ai-dev will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_insecure_deserialization_1752116831476505

# if vscode is installed run (or use your favorite editor / IDE):
code owasp-top10-2021-apps/a8/amarelo-designs/app/app.py

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_insecure_deserialization_1752116831476505