id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
33287	eval() in geojson serializer (hardening)	David Wyde	Maxim Piskunov	"In Django 3.2.9, there is a call to eval() in django/contrib/gis/serializers/geojson.py:


{{{
  6 class Serializer(JSONSerializer):
 38     def get_dump_object(self, obj):
 53             data[""geometry""] = eval(self._geometry.geojson)
}}}

Given an app/models.py of

{{{
from django.db import models

class Model(models.Model):
    value = models.Field()
}}}

and a demo.py of

{{{
from django.core import serializers
from app.models import Model

class Geo:
    def __init__(self):
        self.srid = 4326
        self.geojson = '__import__(""os"").system(""ls -l"")'

geo = Geo()
m = Model(value=geo)
serializers.serialize('geojson', [m], geometry_field='value')
}}}

`python3 manage.py shell <demo.py` runs `ls -l`.

The above code requires that django.contrib.gis is in INSTALLED_APPS
and `apt install gdal-bin` was run on Ubuntu 20.04.

I've been told by the Django security team that this won't be exploited through normal use of the geojson serializer, so this is a hardening issue that can be tracked in Trac."	Cleanup/optimization	closed	GIS	3.2	Normal	fixed			Ready for checkin	1	0	0	0	0	0
