Deserialization of Untrusted Data

  package main
  
  import (
-     "encoding/gob"
-     "net/http"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     // Vulnerable: gob decoding untrusted HTTP body
-     dec := gob.NewDecoder(r.Body)
-     var data interface{}
-     if err := dec.Decode(&data); err != nil {
-         http.Error(w, err.Error(), 400)
+     "encoding/json"
+     "net/http"
+ )
+ 
+ type UserRequest struct {
+     Name  string `json:"name"`
+     Email string `json:"email"`
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     // Safe: typed struct with JSON (data-only, no code execution)
+     var req UserRequest
+     dec := json.NewDecoder(r.Body)
+     dec.DisallowUnknownFields()
+     if err := dec.Decode(&req); err != nil {
+         http.Error(w, "Invalid request", 400)
          return
      }
  }
  

  func indexHandler(w http.ResponseWriter, r *http.Request) {
      var docs []Document
      json.NewDecoder(r.Body).Decode(&docs)
+ 
+     validate := validator.New()
+     for _, doc := range docs {
+         if err := validate.Struct(doc); err != nil {
+             http.Error(w, "validation failed", http.StatusBadRequest)
+             return
+         }
+         if flagged, _ := moderationCheck(doc.Content); flagged {
+             http.Error(w, "content policy violation", http.StatusBadRequest)
+             return
+         }
+     }
      vectorDB.Upsert(docs)
  }
  

  app.post('/finetune', async (req, res) => {
-   await openai.files.create({
-     file: req.body.trainingData,
+   const validated = trainingSchema.parse(req.body.trainingData);
+   const moderated = await moderateContent(validated);
+   await openai.files.create({
+     file: moderated,
      purpose: 'fine-tune'
    });
  });
  

  const express = require('express');
- const serialize = require('node-serialize');
- const app = express();
- 
- app.post('/restore', (req, res) => {
-   const sessionData = req.body.session;
-   const session = serialize.deserialize(sessionData);
-   req.session = session;
-   res.json({ restored: true });
+ const app = express();
+ 
+ app.post('/restore', (req, res) => {
+   try {
+     const session = JSON.parse(req.body.session);
+     req.session = session;
+     res.json({ restored: true });
+   } catch (e) {
+     res.status(400).json({ error: 'Invalid session data' });
+   }
  });
  

- @app.route('/finetune', methods=['POST'])
- def finetune():
-     training_data = request.json['data']
-     client.files.create(file=training_data, purpose='fine-tune')
+ from pydantic import BaseModel, validator
+ 
+ class TrainingExample(BaseModel):
+     prompt: str
+     completion: str
+ 
+     @validator('prompt', 'completion')
+     def validate_length(cls, v):
+         if len(v) > 4000:
+             raise ValueError('Content too long')
+         return v
+ 
+ @app.route('/finetune', methods=['POST'])
+ async def finetune():
+     examples = [TrainingExample(**ex) for ex in request.json['data']]
+     moderation = await openai.moderations.create(
+         input=[ex.completion for ex in examples]
+     )
+     if any(r.flagged for r in moderation.results):
+         return {'error': 'Content policy violation'}, 400
+     client.files.create(file=json.dumps([ex.dict() for ex in examples]), purpose='fine-tune')
      return {'status': 'queued'}
  

- import pickle
- from flask import request
- 
- @app.route('/load', methods=['POST'])
- def load():
-     data = request.get_data()
-     obj = pickle.loads(data)
+ import json
+ from flask import request
+ 
+ @app.route('/load', methods=['POST'])
+ def load():
+     data = request.get_data()
+     obj = json.loads(data)
      return str(obj)
  

  import yaml
  
  def parse_config(yaml_string):
-     config = yaml.load(yaml_string)
+     config = yaml.safe_load(yaml_string)
      return config