Pants uses a version of ujson that is susseptable to buffer overflow

[asherf]

https://nvd.nist.gov/vuln/detail/CVE-2021-45958
ujson is dependent upon via the seemingly unmaintained python-lsp-jsonrpc (added in #14329) - last commit in January 2022, but almost no commits in 2021.

Hopefully this can be closed when a patched version of ujson is published (it seems to be more active).

@tdyas @stuhood fyi

[tdyas]

I would be fine with us just vendoring python-lsp-jsonrpc and removing the ujson dependency.

Thoughts?

[tdyas]

Although given the usage is in the BSP server, an attacker would already have control of the system to be able to invoke Pants on the system (since the BSP server listens on stdin/stdout). So the attacker can already do whatever they want.

[asherf]

it looks like ujson has already addressed the issue: ultrajson/ultrajson#519
I suggest waiting a few days for them to make a release and then since there is no version constraint on python-lsp-jsonrpc wrt ujson see: https://github.com/python-lsp/python-lsp-jsonrpc/blob/1c97c6da4778252b4e49f03ee6aba778b7e7092e/setup.py#L41
re-generating the lock file will solve the issue.

I mostly opened this issue so we can track that.
I don't think vendoring/forking makes sense unless this doesn't solve in the next week or so.
I agree that in this context this is low risk.

[stuhood]

Now using 5.7.0