Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Does JSON allowing duplicate keys affect TUF security?

See original GitHub issue

Although we use objects/dictionaries/associate arrays in JSON to ensure that the TUF updater would not associate multiple values with the same key, note that this does not prevent duplicate keys from being transmitted in the JSON anyway. Furthermore, a JSON deserializer may not warn about duplicate keys. For example, in Python now:

>>> import json; d=json.loads('{"foo":"bar","foo":"baz"}'); print(d['foo'])
baz

I haven’t thought through whether this has security implications, but I wonder whether this may be worth considering.

Issue Analytics

State:
Created 7 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

rbtcollinscommented, Jan 29, 2020

I agree. I think it is a property of any serialization scheme where the behaviour of repeated keys in a hash is implementation defined. First-key, Last-key or multi-map can all be secure, but “implementors choose a strategy they prefer” much less so.

0reactions

jkucommented, Feb 17, 2022

we could create our own object_pairs_hook to error/warn if we see duplicate keys in deserialization but I don’t think this will end up on top of my TODO list … and looks like this opinion is shared as nothing has happened here in six years.

I think I’ll close this: If this was meant to be a specification issue instead of python-tuf issue, please file in https://github.com/theupdateframework/specification/issues (for the record, I think “last-key-wins” is the right choice as it tends to Just Work, but explicitly erroring out on duplicates would be doable as well)