prohibit API payloads that represent something other than a JSON object

The JSON serializer for our API uses ``json.loads``, which permits *any*
valid JSON (including bare integers, boolean values, etc.). Lots of our
code, however, assumes that inbound JSON content will be a dict.

see: #4756
Ryan Petrello
2017-01-20 09:10:19 -05:00
parent e5cfa51410
commit d97ff57cda
2 changed files with 21 additions and 1 deletions


@@ -26,6 +26,9 @@ class JSONParser(parsers.JSONParser):
try:
data = stream.read().decode(encoding)
return json.loads(data, object_pairs_hook=OrderedDict)
obj = json.loads(data, object_pairs_hook=OrderedDict)
if not isinstance(obj, dict):
raise ParseError(_('JSON parse error - not a JSON object'))
return obj
except ValueError as exc:
raise ParseError(_('JSON parse error - %s') % six.text_type(exc))
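Review bot: the new `isinstance(obj, dict)` check raises `ParseError` from inside the `try` block whose `except ValueError` clause follows it, so the rejection only reaches the caller because `ParseError` is not a `ValueError` subclass; that coupling is easy to miss on a later edit (for example wrapping the hook or changing the caught exception type). Moving the type check out of the `try` makes the intent explicit:
`obj = json.loads(data, object_pairs_hook=OrderedDict)` inside the `try`, then after the `except` block
`if not isinstance(obj, dict): raise ParseError(_('JSON parse error - not a JSON object'))`
`return obj`.
Note also that the check rejects top-level arrays and `null` (decoded as `None`) as well as scalars, which matches the commit message, so the error text "not a JSON object" is accurate for all of those cases.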