JSON DeserializeObject method security vulnerability #342

Closed
nszeitli opened this issue May 24, 2019 · 1 comment
@nszeitli

Was just running some static analysis on your codebase using Pumascan and it was flagged that there could be an issue with the DeserializeObject method in SpotifyWebAPI.cs.

More details here: https://www.pumascan.com/rules/#sec0030-deserialization-newtonsoft-json

@JohnnyCrazy
Owner

Thanks for the report 👍

From the JSON .NET Docs:

TypeNameHandling should be used with caution when your application deserializes JSON from an external source. Incoming types should be validated with a custom SerializationBinder when deserializing with a value other than None.

We're not deserializing any kind of user input, only spotify responses. Thus, the only possibility of an attack would be a man-in-the-middle between the app and spotify, which is unlikely (HTTPS and stuff). However, I'm still not sure why it's in the code base. I can't think of any reason right now TBH, was there since the first commits 😅

Will test it without the setting and if tests succeed, I will remove it in an upcoming release!
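The doc passage quoted in the reply above describes the two safe configurations: TypeNameHandling.None, or a non-None value paired with a custom SerializationBinder. The following is an added example, not code from SpotifyAPI-NET or from either commenter, that puts the three configurations side by side. It assumes Newtonsoft.Json 10 or later (which introduced ISerializationBinder) and uses two hypothetical model classes, Track and NotATrack, plus a constructed payload whose "$type" discriminator names the type the caller did not intend.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical model types standing in for an API response; not SpotifyAPI-NET's classes.
public class Track { public string Name { get; set; } }
public class NotATrack { public string Name { get; set; } }

// Allow-list binder: only the types registered here may be named by a "$type" property.
// Anything else is rejected before Json.NET instantiates it.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>();

    public AllowListBinder(params Type[] allowed)
    {
        foreach (var t in allowed) _allowed[t.FullName] = t;
    }

    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var t)) return t;
        // Json.NET wraps this into a JsonSerializationException for the caller.
        throw new JsonSerializationException("Type '" + typeName + "' is not on the allow-list.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed payload: "$type" names NotATrack, built from its real full name and
        // assembly name so the demo resolves regardless of how the project is compiled.
        string unexpected = typeof(NotATrack).FullName + ", " + typeof(NotATrack).Assembly.GetName().Name;
        string json = "{\"$type\":\"" + unexpected + "\",\"Name\":\"x\"}";

        // 1. TypeNameHandling.All with no binder: the payload, not the caller, picks the runtime type.
        var unsafeSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        object a = JsonConvert.DeserializeObject<object>(json, unsafeSettings);
        Console.WriteLine("All, no binder -> " + a.GetType().Name);

        // 2. Same handling plus an allow-list binder: only Track is permitted, so NotATrack is refused.
        var boundSettings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All,
            SerializationBinder = new AllowListBinder(typeof(Track))
        };
        try
        {
            JsonConvert.DeserializeObject<object>(json, boundSettings);
            Console.WriteLine("All + binder   -> accepted (should not happen)");
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine("All + binder   -> rejected: " + ex.Message);
        }

        // 3. TypeNameHandling.None (the default): "$type" is consumed as ignored metadata and the
        //    declared target type wins. This is the setting the maintainer proposes moving to.
        var safeSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        Track t = JsonConvert.DeserializeObject<Track>(json, safeSettings);
        Console.WriteLine("None           -> " + t.GetType().Name + ", Name=" + t.Name);
    }
}
```

For a client that only ever maps a fixed set of response models, configuration 3 is the right one: no "$type" in the input is honoured, so there is nothing for a tampered response to steer. The binder in configuration 2 is the fallback for code that genuinely needs polymorphic type names, and its allow-list should be the exact set of response types, not a namespace prefix.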
