[Solved] Django JSON De-serialization Security

4👍

By default when using simplejson, which is the default deserializer used by Django, the types of objects that can be converted from JSON into a Python object are limited. The only way this is not the case is if you’re doing some kind of specialized decoding utilizing the optional arguments to the loads() or load() methods or your own JSONDecoder object.

So, as long as you’re using default decoding, you’re pretty safe. But, if you’re really concerned, you should be validating the loaded JSON data BEFORE you actually do anything with it.

👤jathanism

3👍

I’m having trouble working out what you think could be insecure (or secure) about JSON.

JSON is a text-based data exchange format. It doesn’t have any security built-in. Django comes with some functions to serialize and deserialize querysets to JSON. But these can’t be “malicious” or “insecure” – they’re just data.

Some serialization protocols, e.g. pickling, can potentially be insecure because they can contain code, so could possibly be deserialized to run something that harms your system. Serialized models don’t have that problem, because they don’t contain code.

Of course, if you were using JSON to (for example) pass a list of model IDs to be deleted, then there is the potential for a malicious user to include a whole load of IDs you don’t want deleted. But again this isn’t the fault of JSON – it’s up to you to ensure that your business logic correctly determines which elements a user is allowed to delete or modify.
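
Both answers come down to the same practice: the default decoder only ever yields plain dicts, lists, strings, numbers, booleans and None, so the real work is validating that data before acting on it, and then applying your own authorization rule (here, the "list of IDs to delete" case from the second answer). The following is an added example, not code from either answer or from Django; the request shape `{"ids": [...]}`, the `OWNED_IDS` set and the `max_ids` limit are constructed assumptions.

```python
import json

# Constructed sample: the object IDs the requesting user is allowed to touch.
# In a real Django view this would come from the user's own queryset.
OWNED_IDS = {3, 7, 12}


def validate_delete_request(raw_body, owned_ids, max_ids=100):
    """Parse a JSON body of the shape {"ids": [int, ...]} and return the IDs
    the caller may delete. Raises ValueError on any structural or
    authorization problem, so the view can answer 400/403 before touching
    the database."""
    try:
        # Default decoding: no object_hook, no custom JSONDecoder, so `data`
        # can only be built from dict/list/str/int/float/bool/None.
        data = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc.msg}") from None

    # Structure check: exactly one key, 'ids', holding a bounded list.
    if not isinstance(data, dict) or set(data) != {"ids"}:
        raise ValueError("expected an object with a single 'ids' key")
    ids = data["ids"]
    if not isinstance(ids, list) or len(ids) > max_ids:
        raise ValueError(f"'ids' must be a list of at most {max_ids} items")

    # Type check: bool is a subclass of int in Python, so use an exact
    # type comparison rather than isinstance().
    if not all(type(i) is int and i > 0 for i in ids):
        raise ValueError("every id must be a positive integer")

    # Business-logic check: the caller may only delete what they own.
    unauthorized = sorted(set(ids) - set(owned_ids))
    if unauthorized:
        raise ValueError(f"not permitted to delete ids {unauthorized}")
    return sorted(set(ids))


if __name__ == "__main__":
    print(validate_delete_request('{"ids": [7, 3]}', OWNED_IDS))  # [3, 7]
    for bad in ('{"ids": [7, 99]}', '{"ids": [true]}', '{"ids": "7"}'):
        try:
            validate_delete_request(bad, OWNED_IDS)
        except ValueError as err:
            print("rejected:", err)
```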
