OSTIF is pleased to announce that another audit has reached publication! A security audit of simplejson’s source code was conducted in collaboration with X41. 

Found during the audit process were one medium and two low severity issues, as well as nine more informational issues. In addition, custom differential fuzzing harnesses were made to compare C and Python implementations of simplejson with differential fuzzing across simplejson and orjson to ascertain parsing discrepancies in the two libraries. 

X41’s work in the Python encoder/decoder supported previous security research in simplejson. A mature project like simpejson has many maintainers and contributors over its long life, yet there were still minor fissures in the code that were addressed and patched. The efforts provided by a skilled third-party reviewer can help mature projects further their security concerns and goals. 

We thank X41 for their continued work with OSTIF in helping open source projects navigate the complex security space. Also, thank you to Amazon Web Services for sponsoring this critically important work. 

Special thanks to Bob Ippolito of simplejson, whose collaboration and openness to working with us made the effort all the more impactful. 

“Many open source projects such as simplejson are developed by volunteers without funding, sponsorship, or dedicated security resources, yet they have become embedded in infrastructure where security is critical. The OSTIF funded security audit of simplejson performed by X41 D-Sec was thorough; it identified potential security issues (minor, in this case) and included several specific recommendations for security hardening that will help the project remain safe to use. Even as a solo maintainer, it was a breeze to work with OSTIF and X41 D-Sec. The entire engagement from their initial email to the release of simplejson v3.9.1 took less than a month, just a few emails and one meeting on my end before receiving the initial report. I’d highly recommend working with OSTIF to other open source maintainers, and if I was still a decision maker at a corporation I’d devote resources to sponsoring this important work!” 

– Bob Ippolito, simplejson 

The full audit report is here: https://ostif.org/wp-content/uploads/2023/04/X41-OSTIF-simplejson-audit-2023.pdf
X41 has a blog post about the project here with more details: https://www.x41-dsec.de/security/news/2023/04/26/simplejson/
More info from the simplejson github: https://github.com/simplejson/simplejson/pull/313
More info from Bob Ippolito, current simplejson lead maintainer: https://bob.ippoli.to/archives/2023/04/26/simplejson-audit/