Deserialization of Untrusted Data
Description
Avoid using XMLDecoder to parse content from an untrusted source. Deserializing untrusted data can lead to security vulnerabilities.
Examples
Insecure Code
```scala
// XMLDecoder instantiates whatever classes the document describes, so the content of untrusted.xml controls object creation.
val decoder = new java.beans.XMLDecoder(new java.io.FileInputStream("untrusted.xml"))
```
Secure Code
```scala
// Json.parse (assumed here to be Play JSON) yields a plain JsValue tree rather than arbitrary objects.
val json = play.api.libs.json.Json.parse(new java.io.FileInputStream("trusted.json"))
```
Remediation
Use a secure deserialization mechanism, such as JSON or a trusted XML parser, and validate the input data to prevent deserialization of untrusted content.
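The remediation above as an added example (not the rule's own code): a hardened JDK DOM parser with explicit, range-checked mapping into a fixed case class, in place of XMLDecoder, which instantiates whatever classes the document names. The `<user>` document format, its field limits and the sample inputs are assumptions constructed for this example.

```scala
import java.io.ByteArrayInputStream
import java.nio.charset.StandardCharsets
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import scala.util.Try

// The only shape we are willing to accept; the parser never creates anything else.
final case class UserPrefs(name: String, fontSize: Int)

object SafeXmlLoader {
  // Hardened factory: secure processing on, DOCTYPE and external entities off.
  private def newFactory(): DocumentBuilderFactory = {
    val f = DocumentBuilderFactory.newInstance()
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setXIncludeAware(false)
    f.setExpandEntityReferences(false)
    f
  }

  // Parses an assumed <user name="..." fontSize="..."/> document. Only the two
  // expected attributes are read, each is validated, and anything unexpected
  // (malformed XML, a DOCTYPE, a different root element) is rejected with a reason.
  def load(bytes: Array[Byte]): Either[String, UserPrefs] =
    Try(newFactory().newDocumentBuilder().parse(new ByteArrayInputStream(bytes))).toEither
      .left.map(e => s"malformed XML: ${e.getMessage}")
      .flatMap { doc =>
        val root = doc.getDocumentElement
        val name = root.getAttribute("name").trim
        if (root.getTagName != "user") Left(s"unexpected root element <${root.getTagName}>")
        else if (name.isEmpty || name.length > 64) Left("name must be 1..64 characters")
        else root.getAttribute("fontSize").toIntOption match {
          case Some(n) if n >= 6 && n <= 72 => Right(UserPrefs(name, n))
          case _ => Left("fontSize must be an integer in 6..72")
        }
      }
}

object Demo extends App {
  // Constructed sample inputs: one valid document, one with the XMLDecoder root element.
  val good = """<user name="alice" fontSize="14"/>""".getBytes(StandardCharsets.UTF_8)
  val bad  = """<java version="1.8.0"/>""".getBytes(StandardCharsets.UTF_8)
  println(SafeXmlLoader.load(good)) // Right(UserPrefs(alice,14))
  println(SafeXmlLoader.load(bad))  // Left(unexpected root element <java>)
}
```

Requires Scala 2.13 or later for `toIntOption`; no libraries beyond the JDK are needed.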
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0080 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | deserialization, untrusted data |
| OWASP | N/A |