Recently, a vulnerability (CVE-2020-10735) was disclosed in CPython, the original and most widely used Python implementation. If this is the first time you are hearing of it, you are most likely using it to run your own Python scripts without realising. The vulnerability makes it extremely easy for attackers to perform Denial of Service (DoS) attacks against Python applications, such as those built on Sanic, by forcing conversions between very large int and str values. It is caused by the way CPython handles arbitrary-precision integers under the hood: converting between a decimal string and an int takes time that grows quadratically with the number of digits, so a single input carrying a very large number of digits can tie up a worker for a long time.
In short: it probably does not affect your Sanic application.
By default, Sanic uses the ujson package to encode and decode JSON data. In its default configuration ujson limits the size of the numbers it will parse, unlike CPython's standard conversion. Therefore, if you work mostly with JSON data, have not replaced the encoder Sanic provides by default, and have not removed ujson from your Sanic installation, you are probably safe!
If you have replaced the default encoder or removed ujson, it is possible that you are vulnerable to this. Other encoders that also limit integer sizes, such as orjson, are likely also safe from this vulnerability. Ultimately it depends on whether you validate your inputs and what you do with your data. If you limit all of your input lengths to something reasonable before converting them between int and str, you are probably safe.
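The "limit your input lengths before converting" advice, as an added example that is not Sanic's own code: the length check costs O(n) in the size of the input, so the quadratic work inside int() and str() is only ever done on data that has already been bounded. The limit of 4300 digits, the helper names, and the sample inputs are assumptions for this example, not anything from the original post.

```python
import sys

# Digit budget applied to untrusted input (assumption for this example; 4300 is the
# default the CPython patch for CVE-2020-10735 uses for its own int/str limit).
MAX_DIGITS = 4300


def current_digit_limit():
    """Return the interpreter's int<->str digit limit, or None on an unpatched CPython.

    Patched releases expose sys.get_int_max_str_digits(); 0 means the limit is disabled.
    """
    if hasattr(sys, "get_int_max_str_digits"):
        return sys.get_int_max_str_digits()
    return None


def safe_int(raw: str, max_digits: int = MAX_DIGITS) -> int:
    """Convert untrusted text to int only after bounding its length.

    Works identically on patched and unpatched interpreters, because the
    length check runs before int() is ever called.
    """
    if not isinstance(raw, str):
        raise TypeError("expected str")
    digits = raw.strip()
    if digits[:1] in "+-":
        digits = digits[1:]
    if not digits.isdigit():
        raise ValueError("not a decimal integer")
    if len(digits) > max_digits:
        raise ValueError(f"integer has {len(digits)} digits, limit is {max_digits}")
    return int(raw)


def safe_str(value: int, max_digits: int = MAX_DIGITS) -> str:
    """Render an int as decimal, refusing values whose decimal form would be too long.

    bit_length() * log10(2) estimates the digit count in O(1) without doing the
    conversion, so a huge int is rejected before str() does any quadratic work;
    the exact length check afterwards covers the estimate's rounding error.
    """
    if not isinstance(value, int):
        raise TypeError("expected int")
    estimated_digits = int(abs(value).bit_length() * 0.30103) + 1
    if estimated_digits > max_digits + 2:
        raise ValueError("integer too large to render")
    text = str(value)
    if len(text.lstrip("-")) > max_digits:
        raise ValueError("integer too large to render")
    return text


def patched_interpreter_rejects(n_digits: int) -> bool:
    """True if this interpreter refuses to convert an n_digits-long string with int().

    On a patched CPython with the default limit, a 5000-digit string raises
    ValueError immediately; an unpatched interpreter does the full conversion.
    """
    try:
        int("9" * n_digits)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, as a request handler might receive them.
    print(safe_int("  +123 "))            # accepted, bounded input
    try:
        safe_int("1" * 100_000)           # rejected by length before int() runs
    except ValueError as exc:
        print("rejected:", exc)
    print("interpreter limit:", current_digit_limit())
```

On a patched CPython the interpreter enforces a limit of its own: conversions longer than the configured number of digits raise ValueError, and the limit can be tuned with sys.set_int_max_str_digits(), the -X int_max_str_digits option, or the PYTHONINTMAXSTRDIGITS environment variable (0 disables it). Validating lengths in your own code as above still matters, because the upstream limit only helps once you are actually running a patched release.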
Fixes are already underway upstream. You should upgrade your Python version to the latest applicable patch release. As more information becomes available, we will update this thread. You can also join our Discord server if you have specific questions relating to this.