Potential impactful vulnerability in CPython

Background

Recently, a vulnerability (CVE-2020-10735) was disclosed in CPython. CPython is the original and most widely used Python implementation; if this is the first time you are hearing of it, you are almost certainly using it to run your own Python scripts without realising. The vulnerability makes it very easy for attackers to perform denial of service (DoS) attacks against Python applications, such as those built on Sanic, by forcing conversions of very large integers to strings (or of very long digit strings to integers). The cause is the way CPython handles integers under the hood: converting between its arbitrary-precision int and a decimal str takes time that grows quadratically with the number of digits, so a single request carrying a number with a few hundred thousand digits can tie up a worker for a long time.

How does this affect you as a Sanic user?

In short: it probably does not.

By default, Sanic uses the ujson package to encode and decode JSON data. In its default configuration ujson limits the size of the integers it will accept, unlike CPython's unbounded int() and str(). So if you work mostly with JSON data, have not replaced the encoder that Sanic provides by default, and have not removed ujson from your Sanic installation, you are probably safe.

What if I use other data formats or encoders?

In that case it is possible that you are vulnerable. Other encoders that also limit integer sizes, such as orjson, are likely safe as well. Ultimately it depends on whether you validate your inputs and what you do with the data. If you cap the length of every untrusted input to something reasonable before converting it between int and str, you are probably safe. Keep in mind that the str direction matters too: a large int produced by arithmetic on validated inputs is just as expensive to render as one parsed directly from a request.

How can I mitigate this problem?

Steps are already underway to fix the issue. You should upgrade to the latest applicable patch release of Python: the patched releases cap int/str conversions at 4300 decimal digits by default and raise ValueError above that, and the limit can be adjusted with sys.set_int_max_str_digits(), the -X int_max_str_digits interpreter option or the PYTHONINTMAXSTRDIGITS environment variable. As more information is available, we will update this thread. You can also join our Discord server if you have specific questions relating to this.
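Below is an added example of the input-length guard described in the two sections above (validate before converting, in both directions) together with a check of the patched interpreter's limit. It is illustration written for this post, not Sanic's or CPython's own code; the MAX_DIGITS policy, the function names and the handle_quantity_field() handler helper are assumptions chosen for the example.

```python
import sys

# Hypothetical policy for this example: no untrusted decimal number may carry
# more than this many digits.  It sits far below the 4300-digit default that
# patched CPython releases enforce, so the guard behaves the same way on an
# unpatched interpreter, which has no limit at all.
MAX_DIGITS = 100


def interpreter_limit():
    """Return CPython's int<->str digit limit, or None on an unpatched interpreter.

    Patched releases expose sys.get_int_max_str_digits(); 0 means "unlimited".
    """
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter is not None else None


def parse_untrusted_int(text, max_digits=MAX_DIGITS):
    """Convert untrusted decimal text to int without doing unbounded work.

    The length check runs before int() is ever called, so an attacker cannot
    push a multi-megabyte digit string through CPython's quadratic-time
    conversion.  Only plain ASCII digits with an optional sign are accepted;
    the extras int() tolerates (underscores, whitespace, non-ASCII digits)
    are rejected outright.
    """
    if not isinstance(text, str):
        raise TypeError("expected str, got %s" % type(text).__name__)
    digits = text[1:] if text[:1] in ("+", "-") else text
    if not digits or not digits.isascii() or not digits.isdigit():
        raise ValueError("not a plain decimal integer")
    if len(digits) > max_digits:
        raise ValueError("integer has %d digits, limit is %d" % (len(digits), max_digits))
    return int(text)


def format_untrusted_int(n, max_digits=MAX_DIGITS):
    """Render an int as decimal only if its size is within policy.

    str(n) is the other expensive direction, and a huge int can arise from
    arithmetic on validated inputs (e.g. 2 ** n).  Rather than converting and
    then measuring, bound the digit count from bit_length() first: because
    log10(2) < 0.30103, floor(bits * 0.30103) + 1 is an upper bound on the
    number of decimal digits, so anything under the limit is safe to convert.
    (Values right at the boundary may be rejected conservatively.)
    """
    if not isinstance(n, int):
        raise TypeError("expected int")
    digit_bound = abs(n).bit_length() * 30103 // 100000 + 1
    if digit_bound > max_digits:
        raise ValueError("integer may have up to %d digits, limit is %d" % (digit_bound, max_digits))
    return str(n)


def handle_quantity_field(raw):
    """Hypothetical request-handler helper: returns (ok, value_or_error_message)."""
    try:
        value = parse_untrusted_int(raw)
    except (TypeError, ValueError) as exc:
        return False, str(exc)
    return True, value


if __name__ == "__main__":
    print("interpreter int/str limit:", interpreter_limit())
    print(handle_quantity_field("12345"))
    # A million-digit payload is refused by the length check before int() runs.
    print(handle_quantity_field("9" * 1_000_000))
```

The guard deliberately rejects inputs such as "1_000" or " 5" that int() would accept, so it is stricter than a plain int() call; relax it only where your own data format needs to. On a patched interpreter interpreter_limit() reports the active cap (4300 by default), which is a quick way to confirm a deployment picked up the fixed release.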

Where can I read more about the vulnerability?
