Questions about vulnerabilities in Indy Plenum dependencies #1680

Open
swcurran opened this issue Sep 12, 2024 · 3 comments

Comments

@swcurran
Member

What is the impact of these vulnerabilities on the currently released version of Indy Plenum?

swcurran changed the title from "Questions about" to "Questions about vulnerabilities in Indy Plenum dependencies" on Sep 12, 2024
@KimEbert42
Contributor

There are significant changes in the ujson library from 1.33 to a version that doesn't contain a vulnerability.

git diff --stat 4e4dc5e..5.4.0 

 104 files changed, 332889 insertions(+), 2911 deletions(-)

ujson impacts the following files:

common/serializers/json_serializer.py:    import ujson as json
common/serializers/json_serializer.py:    from ujson import encode as uencode
plenum/test/recorder/test_recorder.py:    import ujson as json
plenum/recorder/recorder.py:    import ujson as json
scripts/test_zmq/test_zmq/zstack.py:    import ujson as json
stp_zmq/zstack.py:    import ujson as json

The calls inside of Indy Plenum to ujson include

from ujson import encode as uencode
json.loads
json.dumps

Testing possible upgrade path.

docker run -it ubuntu:20.04

mkdir tmp/test
cd tmp/test
apt update -y && apt install -y python3-pip
pip3 install ujson==1.33
python3
from ujson import encode as uencode
uencode({'xx': '123', 'aa': 90}, sort_keys=True)

# uencode causes an exception to be thrown because 1.33 doesn't contain sort_keys, so the json library is used in that case. uencode is only used in common/serializers/json_serializer.py, so Indy Plenum does not use ujson uencode in the main branch.

quit()

pip3 install ujson==5.4.0

python3
from ujson import encode as uencode
uencode({'xx': '123', 'aa': 90}, sort_keys=True)
from ujson import loads
from ujson import dumps

It appears that the interfaces between ujson versions have been maintained, and it may simply involve upgrading the version of ujson to use a version that doesn't have the vulnerability.

It may also be possible to use the native Python json library, as the Indy Plenum calls include falling back to the json library. This would allow us to simply drop the use of ujson if desired.

try:
    import ujson as json
except ImportError:
    import json
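The fallback import pattern quoted above, extended into a small compatibility probe. This is an added example, not code from indy-plenum or from the commenter: it selects ujson when importable and the stdlib otherwise, tolerates a ujson that rejects `sort_keys` (the 1.33 behaviour described in the comment), and cross-checks that the three call patterns the thread lists (encode with sort_keys, loads, dumps) decode to the same values under every backend present. The function names (`backend_name`, `encode_sorted`, `roundtrip`, `cross_check`) and the sample payloads are this example's own assumptions.

```python
import json as stdjson

try:
    import ujson as fastjson  # may be absent; the fallback is the point
except ImportError:
    fastjson = None


def backend_name():
    """Which serializer the try/except import actually selected."""
    return "ujson" if fastjson is not None else "json"


def encode_sorted(obj):
    """Deterministic encoding with sorted keys.

    Old ujson releases (the thread reports 1.33) raise TypeError on the
    sort_keys keyword; mirror the fallback described in the thread and use
    the stdlib in that case. separators=(",", ":") matches ujson's compact
    output so the two backends produce comparable strings.
    """
    if fastjson is not None:
        try:
            return fastjson.dumps(obj, sort_keys=True)
        except TypeError:
            pass  # old ujson: sort_keys unsupported, fall through to stdlib
    return stdjson.dumps(obj, sort_keys=True, separators=(",", ":"))


def roundtrip(obj):
    """dumps -> loads through the selected backend, as the call sites do."""
    mod = fastjson if fastjson is not None else stdjson
    return mod.loads(mod.dumps(obj))


def cross_check(samples):
    """Encode each sample with every available backend, parse the result with
    the stdlib parser, and return the samples whose decoded value differs
    from the input.

    Only the parsed value is compared: ujson escapes '/' as '\\/' and emits no
    spaces, so byte-for-byte string equality is the wrong test for a
    dependency swap, while parsed equality is what callers rely on.
    """
    backends = {"json": stdjson}
    if fastjson is not None:
        backends["ujson"] = fastjson
    mismatches = []
    for sample in samples:
        decoded = {name: stdjson.loads(mod.dumps(sample))
                   for name, mod in backends.items()}
        if any(value != sample for value in decoded.values()):
            mismatches.append((sample, decoded))
    return mismatches


# Constructed sample payloads for the probe; not taken from Plenum.
SAMPLES = [
    {"xx": "123", "aa": 90},
    {"path": "a/b", "nested": {"k": [1, 2.5, None, True]}},
    {"unicode": "caf\u00e9", "empty": {}},
]

if __name__ == "__main__":
    print("backend:", backend_name())
    print("sorted encoding:", encode_sorted(SAMPLES[0]))
    print("mismatches:", cross_check(SAMPLES))
```

Running it once with the vulnerable ujson installed and once after `pip uninstall ujson` gives a concrete before/after for the question the thread raises: if `cross_check` reports no mismatches in both runs, the fallback branch is exercising the same contract the ujson branch did.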

@swcurran
Member Author

Thanks. Any idea if the ujson High vulnerability issue is being used in Plenum, or is the vulnerability description insufficiently detailed to determine that?

@PatStLouis
Contributor

sha3 was removed from the library:
#1679

testing removal of ujson:
#1676
