Skip JSON parsing if Content-Type is mismatched

sloria · sloria · commit 74fada601a31 · 2020-01-28T19:20:36.000-05:00
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,13 @@
 Changelog
 ---------
 
+5.5.3 (unreleased)
+******************
+
+Bug fixes:
+
+* :cve:`CVE-2020-7965`: Don't attempt to parse JSON if the request's Content-Type is mismatched.
+
 5.5.2 (2019-10-06)
 ******************
 
diff --git a/src/webargs/bottleparser.py b/src/webargs/bottleparser.py
@@ -32,6 +32,11 @@ def parse_querystring(self, req, name, field):
 
     def parse_form(self, req, name, field):
         """Pull a form value from the request."""
+        # For consistency with other parsers' behavior, don't attempt to
+        #  parse if content-type is mismatched.
+        #  TODO: Make this check more specific
+        if core.is_json(req.content_type):
+            return core.missing
         return core.get_value(req.forms, name, field)
 
     def parse_json(self, req, name, field):
diff --git a/src/webargs/djangoparser.py b/src/webargs/djangoparser.py
@@ -45,6 +45,9 @@ def parse_json(self, req, name, field):
         """Pull a json value from the request body."""
         json_data = self._cache.get("json")
         if json_data is None:
+            if not core.is_json(req.content_type):
+                return core.missing
+
             try:
                 self._cache["json"] = json_data = core.parse_json(req.body)
             except AttributeError:
diff --git a/src/webargs/flaskparser.py b/src/webargs/flaskparser.py
@@ -61,6 +61,9 @@ def parse_json(self, req, name, field):
         """Pull a json value from the request."""
         json_data = self._cache.get("json")
         if json_data is None:
+            if not is_json_request(req):
+                return core.missing
+
             # We decode the json manually here instead of
             # using req.get_json() so that we can handle
             # JSONDecodeErrors consistently
diff --git a/src/webargs/pyramidparser.py b/src/webargs/pyramidparser.py
@@ -57,6 +57,9 @@ def parse_json(self, req, name, field):
         """Pull a json value from the request."""
         json_data = self._cache.get("json")
         if json_data is None:
+            if not core.is_json(req.content_type):
+                return core.missing
+
             try:
                 self._cache["json"] = json_data = core.parse_json(req.body, req.charset)
             except json.JSONDecodeError as e:
diff --git a/src/webargs/testing.py b/src/webargs/testing.py
@@ -217,3 +217,18 @@ def test_invalid_json(self, testapp):
         )
         assert res.status_code == 400
         assert res.json == {"json": ["Invalid JSON body."]}
+
+    @pytest.mark.parametrize(
+        ("path", "payload", "content_type"),
+        [
+            (
+                "/echo_json",
+                json.dumps({"name": "foo"}),
+                "application/x-www-form-urlencoded",
+            ),
+            ("/echo_form", {"name": "foo"}, "application/json"),
+        ],
+    )
+    def test_content_type_mismatch(self, testapp, path, payload, content_type):
+        res = testapp.post(path, payload, headers={"Content-Type": content_type})
+        assert res.json == {"name": "World"}
diff --git a/src/webargs/webapp2parser.py b/src/webargs/webapp2parser.py
@@ -41,6 +41,9 @@ def parse_json(self, req, name, field):
         """Pull a json value from the request."""
         json_data = self._cache.get("json")
         if json_data is None:
+            if not core.is_json(req.content_type):
+                return core.missing
+
             try:
                 self._cache["json"] = json_data = core.parse_json(req.body)
             except json.JSONDecodeError as e:
diff --git a/tests/apps/aiohttp_app.py b/tests/apps/aiohttp_app.py
@@ -44,6 +44,16 @@ async def echo_query(request):
     return json_response(parsed)
 
 
+async def echo_json(request):
+    parsed = await parser.parse(hello_args, request, locations=("json",))
+    return json_response(parsed)
+
+
+async def echo_form(request):
+    parsed = await parser.parse(hello_args, request, locations=("form",))
+    return json_response(parsed)
+
+
 @use_args(hello_args)
 async def echo_use_args(request, args):
     return json_response(args)
@@ -170,6 +180,8 @@ def create_app():
 
     add_route(app, ["GET", "POST"], "/echo", echo)
     add_route(app, ["GET"], "/echo_query", echo_query)
+    add_route(app, ["POST"], "/echo_json", echo_json)
+    add_route(app, ["POST"], "/echo_form", echo_form)
     add_route(app, ["GET", "POST"], "/echo_use_args", echo_use_args)
     add_route(app, ["GET", "POST"], "/echo_use_kwargs", echo_use_kwargs)
     add_route(app, ["GET", "POST"], "/echo_use_args_validated", echo_use_args_validated)
diff --git a/tests/apps/bottle_app.py b/tests/apps/bottle_app.py
@@ -32,6 +32,16 @@ def echo_query():
     return parser.parse(hello_args, request, locations=("query",))
 
 
+@app.route("/echo_json", method=["POST"])
+def echo_json():
+    return parser.parse(hello_args, request, locations=("json",))
+
+
+@app.route("/echo_form", method=["POST"])
+def echo_form():
+    return parser.parse(hello_args, request, locations=("form",))
+
+
 @app.route("/echo_use_args", method=["GET", "POST"])
 @use_args(hello_args)
 def echo_use_args(args):
diff --git a/tests/apps/django_app/base/urls.py b/tests/apps/django_app/base/urls.py
@@ -5,6 +5,8 @@
 urlpatterns = [
     url(r"^echo$", views.echo),
     url(r"^echo_query$", views.echo_query),
+    url(r"^echo_json$", views.echo_json),
+    url(r"^echo_form$", views.echo_form),
     url(r"^echo_use_args$", views.echo_use_args),
     url(r"^echo_use_kwargs$", views.echo_use_kwargs),
     url(r"^echo_multi$", views.echo_multi),
diff --git a/tests/apps/django_app/echo/views.py b/tests/apps/django_app/echo/views.py
@@ -37,6 +37,14 @@ def echo_query(request):
     return json_response(parser.parse(hello_args, request, locations=("query",)))
 
 
+def echo_json(request):
+    return json_response(parser.parse(hello_args, request, locations=("json",)))
+
+
+def echo_form(request):
+    return json_response(parser.parse(hello_args, request, locations=("form",)))
+
+
 @use_args(hello_args)
 def echo_use_args(request, args):
     return json_response(args)
diff --git a/tests/apps/falcon_app.py b/tests/apps/falcon_app.py
@@ -37,6 +37,18 @@ def on_get(self, req, resp):
         resp.body = json.dumps(parsed)
 
 
+class EchoJSON(object):
+    def on_post(self, req, resp):
+        parsed = parser.parse(hello_args, req, locations=("json",))
+        resp.body = json.dumps(parsed)
+
+
+class EchoForm(object):
+    def on_post(self, req, resp):
+        parsed = parser.parse(hello_args, req, locations=("form",))
+        resp.body = json.dumps(parsed)
+
+
 class EchoUseArgs(object):
     @use_args(hello_args)
     def on_get(self, req, resp, args):
@@ -144,6 +156,8 @@ def create_app():
     app = falcon.API()
     app.add_route("/echo", Echo())
     app.add_route("/echo_query", EchoQuery())
+    app.add_route("/echo_json", EchoJSON())
+    app.add_route("/echo_form", EchoForm())
     app.add_route("/echo_use_args", EchoUseArgs())
     app.add_route("/echo_use_kwargs", EchoUseKwargs())
     app.add_route("/echo_use_args_validated", EchoUseArgsValidated())
diff --git a/tests/apps/flask_app.py b/tests/apps/flask_app.py
@@ -37,6 +37,16 @@ def echo_query():
     return J(parser.parse(hello_args, request, locations=("query",)))
 
 
+@app.route("/echo_json", methods=["POST"])
+def echo_json():
+    return J(parser.parse(hello_args, request, locations=("json",)))
+
+
+@app.route("/echo_form", methods=["POST"])
+def echo_form():
+    return J(parser.parse(hello_args, request, locations=("form",)))
+
+
 @app.route("/echo_use_args", methods=["GET", "POST"])
 @use_args(hello_args)
 def echo_use_args(args):
diff --git a/tests/apps/pyramid_app.py b/tests/apps/pyramid_app.py
@@ -34,6 +34,14 @@ def echo_query(request):
     return parser.parse(hello_args, request, locations=("query",))
 
 
+def echo_json(request):
+    return parser.parse(hello_args, request, locations=("json",))
+
+
+def echo_form(request):
+    return parser.parse(hello_args, request, locations=("form",))
+
+
 @use_args(hello_args)
 def echo_use_args(request, args):
     return args
@@ -128,6 +136,8 @@ def create_app():
 
     add_route(config, "/echo", echo)
     add_route(config, "/echo_query", echo_query)
+    add_route(config, "/echo_json", echo_json)
+    add_route(config, "/echo_form", echo_form)
     add_route(config, "/echo_use_args", echo_use_args)
     add_route(config, "/echo_use_args_validated", echo_use_args_validated)
     add_route(config, "/echo_use_kwargs", echo_use_kwargs)
diff --git a/tests/test_webapp2parser.py b/tests/test_webapp2parser.py
@@ -61,6 +61,15 @@ def test_parse_json():
     assert parser.parse(hello_args, req=request) == expected
 
 
+def test_parse_json_content_type_mismatch():
+    request = webapp2.Request.blank(
+        "/echo_json",
+        POST=json.dumps({"name": "foo"}),
+        headers={"content-type": "application/x-www-form-urlencoded"},
+    )
+    assert parser.parse(hello_args, req=request) == {"name": "World"}
+
+
 def test_parse_invalid_json():
     request = webapp2.Request.blank(
         "/echo", POST='{"foo": "bar", }', headers={"content-type": "application/json"}
