Skip to content

Security Policy

Security Philosophy

datason prioritizes security alongside performance when handling Python object serialization. This document outlines our security practices, potential risks, and recommended usage patterns.

Security Status

FULLY SECURED - datason has comprehensive protection against all known attack vectors with 100% security test coverage.

Last Security Audit: 2025-01-08
Security Test Coverage: ✅ 28/28 security tests passing (100% success rate)
White Hat Testing: ✅ All attack vectors blocked and handled safely
Continuous Security Testing: ✅ Automated regression testing in place
Dependencies: ✅ All patched to latest secure versions

Recent Critical Security Fixes (v0.3.2): - ✅ Depth Bomb Protection: Fixed default max_depth from 1000→50, all depth attacks blocked - ✅ Size Bomb Protection: Reduced size limits from 10M→100K, all size attacks blocked
- ✅ Circular Reference Safety: Enhanced detection and graceful handling with warnings - ✅ String Bomb Protection: Proper length limits and truncation with warnings - ✅ Cache Pollution Prevention: Type and string cache limits enforced - ✅ Type Bypass Prevention: Mock object and IO object detection working - ✅ Resource Exhaustion Protection: CPU and memory limits properly enforced - ✅ Homogeneity Bypass Prevention: Optimization paths cannot bypass security - ✅ Parallel Attack Protection: Thread-safe operations with cache limits

Supported Versions

Version Supported Security Features
0.3.2 Current FULL PROTECTION - All 28 security tests passing
0.1.x ⚠️ Legacy Partial protection - upgrade recommended

🛡️ Comprehensive Security Test Suite

White Hat Security Testing - 100% Coverage

Real Protection: We continuously test against 9 categories of security attacks with 28 comprehensive test cases.

# Run the complete security test suite
python -m pytest tests/security/test_security_attack_vectors.py -v

# All 28 tests should pass:
# ✅ 5 Depth Bomb Attack tests
# ✅ 4 Size Bomb Attack tests  
# ✅ 4 Circular Reference Attack tests
# ✅ 3 String Bomb Attack tests
# ✅ 2 Cache Pollution Attack tests
# ✅ 3 Type Bypass Attack tests
# ✅ 2 Resource Exhaustion Attack tests
# ✅ 3 Homogeneity Bypass Attack tests
# ✅ 2 Parallel/Concurrent Attack tests

1. Depth Bomb Attack Protection5/5 TESTS PASSING

Real Protection: Prevents stack overflow through deeply nested structures.

import datason

# These attacks are now BLOCKED with SecurityError:
deep_dict_attack = {}
current = deep_dict_attack
for i in range(1005):  # Way over limit of 50
    current["nest"] = {}
    current = current["nest"]

try:
    datason.serialize(deep_dict_attack)
except datason.SecurityError as e:
    print(f"✅ BLOCKED: {e}")
    # Output: "Maximum serialization depth (51) exceeded limit (50)"

Tests Cover: - ✅ Nested dictionary bombs (1000+ levels) - ✅ Nested list bombs (1000+ levels) - ✅ Mixed structure attacks (dict/list combinations) - ✅ Homogeneous bypass attempts - ✅ Restrictive configuration compliance

2. Size Bomb Attack Protection4/4 TESTS PASSING

Real Protection: Prevents memory exhaustion through massive data structures.

# These attacks are now BLOCKED with SecurityError:
massive_dict = {f"key_{i}": i for i in range(200_000)}  # > 100K limit
massive_list = [f"item_{i}" for i in range(200_000)]   # > 100K limit

try:
    datason.serialize(massive_dict)
except datason.SecurityError as e:
    print(f"✅ BLOCKED: {e}")
    # Output: "Dictionary size (200000) exceeds maximum allowed size (100000)"

Security Limits (Enhanced): - Max Object Size: 100,000 items (reduced from 10M for enhanced security) - Max Recursion Depth: 50 levels (reduced from 1000) - Max String Length: 1,000,000 characters (truncated with warning)

Tests Cover: - ✅ Large dictionary attacks (10M+ items) - ✅ Large list attacks (10M+ items)
- ✅ Nested large structure attacks - ✅ Custom size limit compliance

3. Circular Reference Attack Protection4/4 TESTS PASSING

Real Protection: Detects and safely handles circular references with warnings.

# These attacks are now SAFELY HANDLED with warnings:
circular_dict = {}
circular_dict["self"] = circular_dict

with warnings.catch_warnings(record=True) as w:
    result = datason.serialize(circular_dict)
    print(f"✅ SAFE: {w[0].message}")
    print(f"Result: {result}")
    # Output: "Circular reference detected at depth 1. Replacing with None..."
    # Result: {"self": None}

Tests Cover: - ✅ Direct circular references (dict["self"] = dict) - ✅ Indirect circular references (multi-object chains) - ✅ Circular references in lists - ✅ Complex multi-path circular structures

4. String Bomb Attack Protection3/3 TESTS PASSING

Real Protection: Limits string length and provides safe truncation.

# These attacks trigger safe truncation with warnings:
massive_string = "A" * 1_000_001  # Over 1M limit

with warnings.catch_warnings(record=True) as w:
    result = datason.serialize(massive_string)
    print(f"✅ TRUNCATED: {w[0].message}")
    print(f"Ends with: {result[-20:]}")
    # Output: "String length (1000001) exceeds maximum (1000000). Truncating."
    # Result: "AAAA...AAAA...[TRUNCATED]"

Tests Cover: - ✅ Massive single string attacks (1M+ characters) - ✅ Many long string attacks (multiple large strings) - ✅ Nested string bomb attacks (deep structure + large strings)

5. Cache Pollution Attack Protection2/2 TESTS PASSING

Real Protection: Limits cache growth to prevent memory leaks.

# These attacks are contained by cache limits:
from datason.core import _TYPE_CACHE, _TYPE_CACHE_SIZE_LIMIT

# Create many unique types to try to exhaust cache
for i in range(1000):
    class DynamicType:
        def __init__(self):
            self.value = i
    obj = DynamicType()
    datason.serialize(obj)

# Cache size is properly limited
assert len(_TYPE_CACHE) <= _TYPE_CACHE_SIZE_LIMIT  # ✅ PROTECTED

Tests Cover: - ✅ Type cache pollution (many unique types) - ✅ String cache pollution (many unique strings)

6. Type Bypass Attack Protection3/3 TESTS PASSING

Real Protection: Detects and safely handles problematic objects.

from unittest.mock import Mock
import io

# These problematic objects are safely handled:
mock_obj = Mock()
mock_obj.configure_mock(**{f"attr_{i}": "value" for i in range(200)})

io_obj = io.BytesIO(b"attack_data" * 1000)

with warnings.catch_warnings(record=True) as w:
    result1 = datason.serialize(mock_obj)  # ✅ DETECTED: "mock object"
    result2 = datason.serialize(io_obj)    # ✅ DETECTED: "problematic io object"

Tests Cover: - ✅ Mock object bypass attempts - ✅ IO object bypass attempts
- ✅ Complex object dictionary attacks

7. Resource Exhaustion Attack Protection2/2 TESTS PASSING

Real Protection: Prevents CPU and memory exhaustion.

# These expensive operations complete safely:
complex_data = {}
for i in range(100):
    level = {}
    for j in range(100):
        level[f"key_{j}"] = {"data": list(range(100)), "meta": {"id": j}}
    complex_data[f"level_{i}"] = level

import time
start = time.time()
result = datason.serialize(complex_data)  # ✅ COMPLETES SAFELY
end = time.time()
assert end - start < 30  # Within reasonable time limits

Tests Cover: - ✅ CPU exhaustion through complex nesting - ✅ Memory exhaustion prevention

8. Homogeneity Bypass Attack Protection3/3 TESTS PASSING

Real Protection: Optimization paths cannot bypass security checks.

# These attempts to bypass security through optimization paths FAIL:
homogeneous_attack = {}
current = homogeneous_attack
for i in range(1005):  # Try to look "homogeneous" to bypass checks
    current["attack"] = {}  # All identical - appears homogeneous
    current = current["attack"]

try:
    datason.serialize(homogeneous_attack)
except datason.SecurityError as e:
    print(f"✅ BYPASS BLOCKED: {e}")
    # Output: "Maximum serialization depth exceeded"

Tests Cover: - ✅ Homogeneous depth bomb attempts - ✅ JSON compatibility bypass attempts - ✅ Optimization path exploitation attempts

9. Parallel/Concurrent Attack Protection2/2 TESTS PASSING

Real Protection: Thread-safe operations with proper cache limits.

import threading
from concurrent.futures import ThreadPoolExecutor

# These concurrent attacks are safely handled:
def concurrent_serialize(data_id):
    data = {"id": data_id, "nested": {"level1": {"data": [1, 2, 3]}}}
    return datason.serialize(data)

with ThreadPoolExecutor(max_workers=10) as executor:
    futures = [executor.submit(concurrent_serialize, i) for i in range(50)]
    results = [f.result() for f in futures]

assert len(results) == 50  # ✅ ALL COMPLETE SAFELY
assert all(isinstance(r, dict) for r in results)  # ✅ ALL VALID

Tests Cover: - ✅ Concurrent cache pollution attacks - ✅ Concurrent serialization safety

🔍 Continuous Security Testing

Automated Security Regression Testing

# Security tests run automatically in CI/CD
python -m pytest tests/security/ --timeout=30 -v

# Expected output: 28 passed in <30s
# Any hanging or infinite loops are caught by timeout

Security Monitoring in Production

import warnings
import logging

# Set up security monitoring
logging.basicConfig(level=logging.WARNING)
logger = logging.getLogger("datason.security")

# Capture security warnings in production
with warnings.catch_warnings(record=True) as w:
    result = datason.serialize(untrusted_data)
    if w:
        for warning in w:
            logger.warning(f"Security event: {warning.message}")

Performance Impact of Security

  • Minimal overhead: Security checks add <5% performance impact
  • Early detection: Most attacks blocked at initial validation
  • Graceful handling: Safe fallbacks instead of crashes
  • Production ready: All limits tuned for real-world usage

�� Reporting Security Issues

Please DO NOT report security vulnerabilities through public GitHub issues.

Preferred: Security Advisory

  1. Go to https://github.com/danielendler/datason/security/advisories
  2. Click "Report a vulnerability"
  3. Provide details including reproduction steps

Alternative: Email

📧 security@datason.dev

Include in your report: - Description and impact assessment - Minimal reproduction example - Your environment details - Suggested fix (if you have one)

Response Timeline

Timeframe Our Commitment
24 hours Acknowledgment
72 hours Initial assessment
1 week Investigation complete
2 weeks Fix deployed (if valid)

🔒 Production Security Best Practices

Environment Setup

# Install with security scanning
pip install datason[dev]
bandit -r your_project/
safety scan

# Run security tests
python -m pytest tests/security/ -v

Secure Usage Patterns

import datason

# ✅ GOOD: Handle untrusted data safely
try:
    result = datason.serialize(untrusted_data)
except datason.SecurityError as e:
    logger.warning(f"Blocked potentially malicious data: {e}")
    return None

# ✅ GOOD: Monitor for security warnings in production
import warnings
with warnings.catch_warnings(record=True) as w:
    result = datason.serialize(data)
    if w:
        logger.info(f"Security warnings: {[str(warning.message) for warning in w]}")

# ✅ GOOD: Test with your own security scenarios
def test_my_security_scenario():
    # Your specific attack vector
    attack_data = create_potential_attack()

    # Should either complete safely or raise SecurityError
    try:
        result = datason.serialize(attack_data)
        assert_safe_result(result)
    except datason.SecurityError:
        pass  # Expected for attack data

# ❌ AVOID: Don't serialize sensitive data
sensitive_data = {"password": "secret", "api_key": "12345"}
# Filter before serializing
safe_data = {k: v for k, v in data.items() if k not in ["password", "api_key"]}
result = datason.serialize(safe_data)

# .github/workflows/security.yml
- name: Security Test Suite
  run: |
    python -m pytest tests/security/ --timeout=30 -v
    # All 28 security tests must pass

- name: Security Scan
  run: |
    pip install bandit safety
    bandit -r datason/
    safety scan

- name: Dependency Audit  
  run: pip-audit

📋 Security Configuration

Current Security Limits ⚠️ ENHANCED FOR MAXIMUM PROTECTION

from datason.core import MAX_SERIALIZATION_DEPTH, MAX_OBJECT_SIZE, MAX_STRING_LENGTH

print(f"Max depth: {MAX_SERIALIZATION_DEPTH}")      # 50 (reduced from 1000)
print(f"Max object size: {MAX_OBJECT_SIZE}")        # 100,000 (reduced from 10M)  
print(f"Max string length: {MAX_STRING_LENGTH}")    # 1,000,000

🔍 Security Validation Results

Comprehensive Security Audit - ✅ 100% PASS RATE

White Hat Testing Results: - ✅ 28/28 security attack tests passing - ✅ All 9 attack categories fully protected - ✅ No hanging or infinite loop vulnerabilities - ✅ All resource exhaustion attacks blocked - ✅ Thread-safe concurrent operations - ✅ Graceful error handling with security warnings

Bandit Security Scan - ✅ PASSED

loc: 2,280 lines of code scanned
SEVERITY.HIGH: 0
SEVERITY.MEDIUM: 0  
SEVERITY.LOW: 0

Dependency Vulnerabilities - ✅ RESOLVED

Recent Actions: - ✅ Updated jinja2 from 3.1.4 → 3.1.6 (fixed 3 CVEs) - ✅ Updated setuptools from 70.2.0 → 80.9.0 (fixed path traversal CVE)

Dependency Strategy: - Core datason has zero dependencies for security - Optional dependencies (pandas, numpy, ML libraries) use lazy loading - All dev dependencies regularly updated and scanned

Real-World Attack Prevention - ✅ COMPREHENSIVE PROTECTION

Attack Vector Protection Test Coverage Status
Depth Bomb Attacks 50-level limit + SecurityError 5 tests FULLY PROTECTED
Size Bomb Attacks 100K item limit + SecurityError 4 tests FULLY PROTECTED
Circular Reference DoS Detection + safe handling + warnings 4 tests FULLY PROTECTED
String Bomb Attacks 1M char limit + truncation + warnings 3 tests FULLY PROTECTED
Cache Pollution Type & string cache limits 2 tests FULLY PROTECTED
Type Bypass Attacks Mock & IO object detection + warnings 3 tests FULLY PROTECTED
Resource Exhaustion CPU & memory limits + timeouts 2 tests FULLY PROTECTED
Homogeneity Bypass Security checks in all optimization paths 3 tests FULLY PROTECTED
Parallel Attacks Thread-safe operations + cache limits 2 tests FULLY PROTECTED

🏆 Security Achievements

  • 28/28 security tests passing (100% success rate)
  • Zero critical vulnerabilities in current release
  • Comprehensive white hat testing with all attack vectors covered
  • Proactive security design with built-in protections
  • Continuous security testing with automated regression prevention
  • Production-ready security with minimal performance impact
  • Enhanced security limits for maximum protection
  • Complete attack vector coverage from depth bombs to parallel attacks

📚 Security Resources

🛡️ Security is a continuous process. We maintain the highest security standards through comprehensive testing, proactive protection, and continuous monitoring.

✅ CURRENT STATUS: FULLY SECURED - All known attack vectors are blocked, detected, and safely handled. Our comprehensive security test suite ensures continued protection against emerging threats.