Django v3.2 broken admin interface due to malicious JSON value

[h...@jfilter.de]

Hello everybody,

I’ve used a fuzzer on my Django v3.2 project that resulted in a broken admin interface. I’m not sure whether this is a bug or a rough edge case.

I’m using Python 3.9.13 with Django 3.2.18 with Postgres.

I have a Model with a JSONField and also added the model to my admin view (I don’t use the JSON field on the list view / filter)

```
    data = models.JSONField(null=True, blank=True)
```

The fuzzer added (via an API view) a string with 10,000 characters to the data field. 

Every time I want to open the admin list view (and the malicious object is part of the page), my Django crashes with the following message:

> ValueError
> 
> Exceeds the limit (4300) for integer string conversion: value has 10000 digits; use sys.set_int_max_str_digits() to increase the limit

I have attached my Sentry stack trace as a screenshot.

If this is an intended behavior, I have to validate the data to prevent malicious strings. But it feels like the admin interface should be able to handle those JSON values.

It looks like the Python releases in Sep 2022 have to do with this bug/edge case: https://mail.python.org/archives/list/pytho...@python.org/message/B25APD6FF27NJWKTEGAFRUDNSVVAFIHQ/

Kind Regards,

Johannes

[Mike Dewhirst]

On 8/03/2023 7:49 am, hi via Django users wrote:

Hello everybody,

I’ve used a fuzzer on my Django v3.2 project that resulted in a broken admin interface. I’m not sure whether this is a bug or a rough edge case.

I’m using Python 3.9.13 with Django 3.2.18 with Postgres.

I have a Model with a JSONField and also added the model to my admin view (I don’t use the JSON field on the list view / filter)

```
    data = models.JSONField(null=True, blank=True)
```

The fuzzer added (via an API view) a string with 10,000 characters to the data field. 

Every time I want to open the admin list view (and the malicious object is part of the page), my Django crashes with the following message:

It appears the fix introduced the ValueError in the following version to the one you are using hence fuzzing is probably finding a different problem.

Everything I have read in Django docs about collecting external input warns against letting stuff in unfiltered.

Perhaps you do have to prevent malicious strings. I think I would.

> ValueError
> 
> Exceeds the limit (4300) for integer string conversion: value has 10000 digits; use sys.set_int_max_str_digits() to increase the limit

I have attached my Sentry stack trace as a screenshot.

If this is an intended behavior, I have to validate the data to prevent malicious strings. But it feels like the admin interface should be able to handle those JSON values.

It looks like the Python releases in Sep 2022 have to do with this bug/edge case: https://mail.python.org/archives/list/pytho...@python.org/message/B25APD6FF27NJWKTEGAFRUDNSVVAFIHQ/

Kind Regards,

Johannes

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6172A96F-F5FD-4694-9597-DFA815297945%40jfilter.de.

-- 
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Your
email software can handle signing.

[Johannes Filter]

Thanks for the hint. I indeed used the fuzzer a while ago with an older Python version. I just tried to save this kind of string and I now receive the same `ValueError` when the malicious string would get saved to the DB.