Configure the JSON decoder for safer parsing

miguelgrinberg · miguelgrinberg · commit dd1db2ec6b75 · 2021-04-13T09:22:38.000+01:00
diff --git a/engineio/client.py b/engineio/client.py
@@ -1,5 +1,5 @@
 from base64 import b64encode
-from json import JSONDecodeError
+from engineio.json import JSONDecodeError
 import logging
 try:
     import queue
diff --git a/engineio/json.py b/engineio/json.py
@@ -0,0 +1,16 @@
+"""JSON-compatible module with sane defaults."""
+
+from json import *  # noqa: F401, F403
+from json import loads as original_loads
+
+
+def _safe_int(s):
+    if len(s) > 100:
+        raise ValueError('Integer is too large')
+    return int(s)
+
+
+def loads(*args, **kwargs):
+    if 'parse_int' not in kwargs:
+        kwargs['parse_int'] = _safe_int
+    return original_loads(*args, **kwargs)
diff --git a/engineio/packet.py b/engineio/packet.py
@@ -1,5 +1,5 @@
 import base64
-import json as _json
+from engineio import json as _json
 
 (OPEN, CLOSE, PING, PONG, MESSAGE, UPGRADE, NOOP) = (0, 1, 2, 3, 4, 5, 6)
 packet_names = ['OPEN', 'CLOSE', 'PING', 'PONG', 'MESSAGE', 'UPGRADE', 'NOOP']
