
#0606

Class Allowlist Bypass

Hard · +200 XP · A08:2021 Software and Data Integrity Failures · CWE-502
Deserialization · Class Injection · RCE

Scenario

Your configuration loader parses a JSON string and returns the resulting map for use at runtime.

The buggy implementation does not check whether the parsed object contains a `__class__` key. An attacker supplies `{"__class__":"os.system","args":"id"}` to trigger object instantiation and gain remote code execution.

The fix must inspect the parsed map and throw `'Disallowed class'` if a `__class__` key is present, accepting only plain data objects.

Insecure deserialization that allows class or type injection has led to critical RCE vulnerabilities in frameworks across every major language. A simple key-presence check closes this attack surface.

Your Tasks

  1. Parse `data` as a JSON string and obtain a map/dict.
  2. If the map contains the key `__class__`, throw an exception with the message `'Disallowed class'`.
  3. Return the parsed map as-is for any input that does not include `__class__`.

Examples

Example 1: Exploit — __class__ key triggers object injection

loadConfig('{"__class__":"os.system","args":"rm -rf /"}')
// BUG returns the map — attacker payload accepted
// FIX throws: 'Disallowed class'

Example 2: Safe — plain config object

loadConfig('{"host":"localhost","port":5432}')
// returns: {host: 'localhost', port: 5432}

Constraints

  • Throw exactly `'Disallowed class'` when `__class__` appears in the top-level keys.
  • Do not use `pickle`, `Marshal.load`, or any native deserialization primitive — parse JSON only.
  • Plain data objects without `__class__` must be returned unchanged.
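The buggy loader beside the fixed one, as an added Python example that is not part of the challenge's own solution file. The names `load_config_buggy`, `load_config` and `contains_disallowed_key` are assumed; the nested-key walker goes beyond the top-level check the tasks require and is included only as a defence-in-depth option.

```python
import json
from typing import Any

DISALLOWED_KEY = "__class__"


def load_config_buggy(data: str) -> Any:
    # Vulnerable form from the scenario: the parsed object is returned
    # without inspection, so a "__class__" entry reaches the caller.
    return json.loads(data)


def load_config(data: str) -> dict:
    # Fixed form: parse with the JSON parser only (no pickle/marshal),
    # require a JSON object, and reject any top-level "__class__" key
    # with exactly the message the task specifies.
    parsed = json.loads(data)
    if not isinstance(parsed, dict):
        raise ValueError("Config must be a JSON object")
    if DISALLOWED_KEY in parsed:
        raise ValueError("Disallowed class")
    return parsed


def contains_disallowed_key(value: Any) -> bool:
    # Defence-in-depth helper (assumed, not required by the task): walks
    # nested objects and arrays so a "__class__" entry inside a
    # sub-object is detected as well as one at the top level.
    if isinstance(value, dict):
        if DISALLOWED_KEY in value:
            return True
        return any(contains_disallowed_key(v) for v in value.values())
    if isinstance(value, list):
        return any(contains_disallowed_key(v) for v in value)
    return False


if __name__ == "__main__":
    # Constructed inputs taken from the examples above.
    print(load_config('{"host":"localhost","port":5432}'))
    try:
        load_config('{"__class__":"os.system","args":"id"}')
    except ValueError as exc:
        print("rejected:", exc)
```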
