Replace insecure pickle serialization with safe JSON serialization for session cookies to prevent arbitrary code execution.

[zeropath-ai]

Summary

• The Vulnerability Description:
  The application previously serialized session cookies using pickle.dumps and later deserialized them with pickle.loads, which could allow attackers to execute arbitrary code if they tampered with the pickled cookie data.

• This Fix:
  The update replaces the use of Python’s insecure pickle module with the safer json module for serializing and deserializing session cookies.

• The Cause of the Issue:
  Using pickle for deserialization of user-controllable data is dangerous because pickle.loads can execute arbitrary Python code embedded in the payload, enabling a remote code execution (RCE) vulnerability.

• The Patch Implementation:
  The code now uses json.dumps and json.loads (with appropriate encoding/decoding) to handle session cookie serialization, eliminating the risk of code execution since json only processes primitive data types.

Vulnerability Details

• Vulnerability Class: Insecure Deserialization
• Severity: 10.0
• Affected File: owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
• Vulnerable Lines: 23-24

Code Snippets

diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
index 92e24231..93d2e0fa 100644
--- a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
+++ b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
@@ -2,8 +2,8 @@
 
 from flask import Flask, request, make_response, render_template, redirect, flash
 import uuid
-import pickle
 import base64
+import json
 app = Flask(__name__)
 
 
@@ -20,8 +20,8 @@ def login():
         if username == "admin" and password == "admin":
             token = str(uuid.uuid4().hex)
             cookie = { "username":username, "admin":True, "sessionId":token }
-            pickle_resultado = pickle.dumps(cookie)
-            encodedSessionCookie = base64.b64encode(pickle_resultado)
+            json_data = json.dumps(cookie)
+            encodedSessionCookie = base64.b64encode(json_data.encode('utf-8'))
             resp = make_response(redirect("/user"))
             resp.set_cookie("sessionId", encodedSessionCookie)
             return resp
@@ -37,7 +37,7 @@ def userInfo():
     cookie = request.cookies.get("sessionId")
     if cookie == None:
         return "Não Autorizado!"
-    cookie = pickle.loads(base64.b64decode(cookie))
+    cookie = json.loads(base64.b64decode(cookie).decode('utf-8'))
 
     return render_template('user.html')
     

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai!

To request modifications, please post a comment beginning with @zeropath-ai and specify the changes required.

@zeropath-ai will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_insecure_deserialization_1751928058367820

# if vscode is installed run (or use your favorite editor / IDE):
code owasp-top10-2021-apps/a8/amarelo-designs/app/app.py

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_insecure_deserialization_1751928058367820