Fix insecure deserialization by replacing pickle with JSON for session cookie handling in Python.

[zeropath-ai]

Summary

• The Vulnerability Description: The application previously deserialized user-controlled cookie data using pickle.loads, which is unsafe because pickle can execute arbitrary code, allowing attackers to gain remote code execution via malicious cookies.
• This Fix: The patch replaces insecure pickle deserialization with the safe json module, preventing execution of arbitrary code during deserialization.
• The Cause of the Issue: The vulnerability was caused by using pickle to load untrusted data directly from a cookie without validation or sanitization, exposing the application to insecure deserialization attacks.
• The Patch Implementation: The code now serializes and deserializes cookie data using json.dumps and json.loads, a safer alternative that only handles standard data types and does not allow code execution.

Vulnerability Details

• Vulnerability Class: Insecure Deserialization
• Severity: 10.0
• Affected File: owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
• Vulnerable Lines: 40-40

Code Snippets

diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
index 92e24231..f4d1d167 100644
--- a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
+++ b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
@@ -2,6 +2,7 @@
 
 from flask import Flask, request, make_response, render_template, redirect, flash
 import uuid
+import json
 import pickle
 import base64
 app = Flask(__name__)
@@ -20,7 +21,7 @@ def login():
         if username == "admin" and password == "admin":
             token = str(uuid.uuid4().hex)
             cookie = { "username":username, "admin":True, "sessionId":token }
-            pickle_resultado = pickle.dumps(cookie)
+            pickle_resultado = json.dumps(cookie).encode('utf-8')
             encodedSessionCookie = base64.b64encode(pickle_resultado)
             resp = make_response(redirect("/user"))
             resp.set_cookie("sessionId", encodedSessionCookie)
@@ -37,7 +38,7 @@ def userInfo():
     cookie = request.cookies.get("sessionId")
     if cookie == None:
         return "Não Autorizado!"
-    cookie = pickle.loads(base64.b64decode(cookie))
+    cookie = json.loads(base64.b64decode(cookie).decode('utf-8'))
 
     return render_template('user.html')
     

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai!

To request modifications, please post a comment beginning with @zeropath-ai and specify the changes required.

@zeropath-ai will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_insecure_deserialization_1751930528364097

# if vscode is installed run (or use your favorite editor / IDE):
code owasp-top10-2021-apps/a8/amarelo-designs/app/app.py

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_insecure_deserialization_1751930528364097