From e1d459cf0baa04f7800649106bf7ccf9ee07ebf6 Mon Sep 17 00:00:00 2001 From: ZeroPath Date: Mon, 7 Jul 2025 22:41:50 +0000 Subject: [PATCH] fix: replace insecure pickle serialization with JSON encoding for cookies --- owasp-top10-2021-apps/a8/amarelo-designs/app/app.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py index 92e24231e..93d2e0fa1 100644 --- a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py +++ b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py @@ -2,8 +2,8 @@ from flask import Flask, request, make_response, render_template, redirect, flash import uuid -import pickle import base64 +import json app = Flask(__name__) @@ -20,8 +20,8 @@ def login(): if username == "admin" and password == "admin": token = str(uuid.uuid4().hex) cookie = { "username":username, "admin":True, "sessionId":token } - pickle_resultado = pickle.dumps(cookie) - encodedSessionCookie = base64.b64encode(pickle_resultado) + json_data = json.dumps(cookie) + encodedSessionCookie = base64.b64encode(json_data.encode('utf-8')) resp = make_response(redirect("/user")) resp.set_cookie("sessionId", encodedSessionCookie) return resp @@ -37,7 +37,7 @@ def userInfo(): cookie = request.cookies.get("sessionId") if cookie == None: return "Não Autorizado!" - cookie = pickle.loads(base64.b64decode(cookie)) + cookie = json.loads(base64.b64decode(cookie).decode('utf-8')) return render_template('user.html')