Replace insecure Pickle deserialization in cookie handling with safe JSON serialization to prevent remote code execution.

[zeropath-ai]

Summary

• The Vulnerability Description: The application previously deserialized cookie data using pickle.loads on user-supplied values, which allowed attackers to execute arbitrary code on the server by sending crafted cookie payloads—an insecure deserialization vulnerability.
• This Fix: The patch replaces Python's pickle deserialization in cookie processing with json.loads, significantly reducing the risk of code execution from malicious cookie data.
• The Cause of the Issue: Using pickle to deserialize untrusted data is insecure because pickle will process almost any Python object, enabling attackers to trigger harmful operations with specially crafted payloads.
• The Patch Implementation: The code now serializes cookies as JSON before base64 encoding, and deserializes them using JSON after decoding—removing pickle entirely to ensure only safe, JSON-compatible data structures can be handled.

Vulnerability Details

• Vulnerability Class: Insecure Deserialization
• Severity: 10.0
• Affected File: owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
• Vulnerable Lines: 40-40

Code Snippets

diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
index 92e24231..e02c418f 100644
--- a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
+++ b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
@@ -2,7 +2,7 @@
 
 from flask import Flask, request, make_response, render_template, redirect, flash
 import uuid
-import pickle
+import json
 import base64
 app = Flask(__name__)
 
@@ -20,8 +20,8 @@ def login():
         if username == "admin" and password == "admin":
             token = str(uuid.uuid4().hex)
             cookie = { "username":username, "admin":True, "sessionId":token }
-            pickle_resultado = pickle.dumps(cookie)
-            encodedSessionCookie = base64.b64encode(pickle_resultado)
+            json_bytes = json.dumps(cookie).encode('utf-8')
+            encodedSessionCookie = base64.b64encode(json_bytes)
             resp = make_response(redirect("/user"))
             resp.set_cookie("sessionId", encodedSessionCookie)
             return resp
@@ -37,7 +37,8 @@ def userInfo():
     cookie = request.cookies.get("sessionId")
     if cookie == None:
         return "Não Autorizado!"
-    cookie = pickle.loads(base64.b64decode(cookie))
+    decoded = base64.b64decode(cookie)
+    cookie = json.loads(decoded.decode('utf-8'))
 
     return render_template('user.html')
     

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai!

To request modifications, please post a comment beginning with @zeropath-ai and specify the changes required.

@zeropath-ai will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_insecure_deserialization_1751928023847961

# if vscode is installed run (or use your favorite editor / IDE):
code owasp-top10-2021-apps/a8/amarelo-designs/app/app.py

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_insecure_deserialization_1751928023847961

[rek7]

@zeropath-ai add ccomments to rizz this up

[zeropath-ai]

As per your comment, the following code change has been committed:

diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
index e02c418f..a41f06a0 100644
--- a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
+++ b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
@@ -7,10 +7,12 @@ import base64
 app = Flask(__name__)
 
 
+# Home sweet home: render the landing page
 @app.route("/")
 def ola():
     return render_template('index.html')
 
+# Admin login flow: only for the big boss
 @app.route("/admin", methods=['GET','POST'])
 def login():
     if request.method == 'POST':
@@ -20,6 +22,7 @@ def login():
         if username == "admin" and password == "admin":
             token = str(uuid.uuid4().hex)
             cookie = { "username":username, "admin":True, "sessionId":token }
+            # Rolling with JSON serialization + base64 for that secret sauce
             json_bytes = json.dumps(cookie).encode('utf-8')
             encodedSessionCookie = base64.b64encode(json_bytes)
             resp = make_response(redirect("/user"))
@@ -37,13 +40,17 @@ def userInfo():
     cookie = request.cookies.get("sessionId")
     if cookie == None:
         return "Não Autorizado!"
+    # Decode the good vibes from our secure cookie
     decoded = base64.b64decode(cookie)
+    # Unwrap JSON to get the session details
     cookie = json.loads(decoded.decode('utf-8'))
 
+    # Show user dashboard, enjoy the ride!
     return render_template('user.html')
     
 
 
 
 if __name__ == '__main__':
+    # All aboard the server express!
     app.run(debug=True,host='0.0.0.0')

[rek7]

@zeropath-ai what does this fix do?

[zeropath-ai]

This fix replaces the use of Python's pickle module for serializing and deserializing session cookie data with JSON serialization. Previously, the application used pickle to process user-supplied cookie data, which is a serious security risk because pickle can execute arbitrary code when deserializing malicious input. The patch uses json.dumps and json.loads instead, allowing only plain data types to be processed and eliminating the insecure deserialization vulnerability.

Key points:

• The code now serializes the session data to JSON, encodes it with base64, and stores it in the session cookie.
• When reading the cookie, it base64-decodes the value and parses it with json.loads.
• This prevents attackers from exploiting pickle’s unsafe behavior with crafted cookies.
• The main security improvement is the removal of the risk of remote code execution via maliciously crafted session cookies.