Support injecting special characters currently blocked by Serde #2

@puhley

Version: Initial Release

Description:
The current Rust implementation leverages Serde for serialization. Serde will deny any attempt to serialize characters that are not supported by the JSON specification: https://github.com/serde-rs/json/blob/master/src/read.rs#L787. This is great data validation on Serde's part, but it inhibits this tool's ability to conduct certain tests. In order to emulate attacker behavior, a workflow needs to be established where this tool can create malicious manifests with those special characters.

This issue could be solved a number of ways. One approach would be to manipulate manifests after their creation but prior to the signature being applied. This approach may have the advantage of allowing more types of manipulation beyond just this issue. Another option could be to use a serialization library that doesn't include this validation step. This bug is to track the high-level requirement to solve this problem.

Expected result:
This tool should be able to generate manifests with any character injected into it.

Actual result:
This tool is currently limited by an allow list implementation with the serialization library.
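As an added example (not code from this project or from Serde), here is one receiving-side check that such test manifests would exercise: a std-only Rust scan of raw JSON bytes for control characters (below 0x20) inside string literals, which RFC 8259 does not allow unescaped, plus a UTF-8 validity check. The function names and sample inputs are constructed for illustration.

```rust
/// Byte offsets of characters below 0x20 found inside JSON string literals.
/// RFC 8259 requires these to be escaped (e.g. \u0000), never raw.
fn raw_control_chars_in_strings(json: &[u8]) -> Vec<usize> {
    let mut hits = Vec::new();
    let mut in_string = false;
    let mut escaped = false;
    for (i, &b) in json.iter().enumerate() {
        if !in_string {
            // Outside strings, tab/CR/LF/space are legal whitespace; skip them.
            if b == b'"' {
                in_string = true;
            }
            continue;
        }
        if escaped {
            // Byte following a backslash; a raw control byte here is still invalid.
            escaped = false;
            if b < 0x20 {
                hits.push(i);
            }
            continue;
        }
        match b {
            b'\\' => escaped = true,
            b'"' => in_string = false,
            0x00..=0x1F => hits.push(i),
            _ => {} // UTF-8 continuation bytes are >= 0x80, so no false positives
        }
    }
    hits
}

/// Accept manifest bytes only if they are valid UTF-8 and contain no raw
/// control characters inside strings.
fn manifest_bytes_ok(json: &[u8]) -> bool {
    std::str::from_utf8(json).is_ok() && raw_control_chars_in_strings(json).is_empty()
}

fn main() {
    // Constructed sample inputs, not real manifests.
    let samples: [(&str, &[u8]); 3] = [
        ("escaped newline", br#"{"title":"photo.jpg","note":"line\nbreak"}"#),
        ("raw NUL in string", b"{\"title\":\"photo\x00.jpg\"}"),
        ("invalid UTF-8", b"{\"title\":\"\xff\"}"),
    ];
    for (name, bytes) in samples {
        let hits = raw_control_chars_in_strings(bytes);
        println!("{name}: ok={} offsets={hits:?}", manifest_bytes_ok(bytes));
    }
}
```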
