Deserialization of Untrusted Data

Description

User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.

Examples

Insecure Code

javascript

const serialize = require('node-serialize'); serialize.unserialize(userInput);

Secure Code

javascript

const serialize = require('node-serialize'); const safeInput = validateUserInput(userInput); serialize.unserialize(safeInput);

Remediation

Validate and sanitize user input before passing it to the 'unserialize()' or 'deserialize()' function. Consider using a safer serialization format like JSON.

Rule Details

Field	Value
ID	CODE-0376
Category	Deserialization
Severity	CRITICAL
CWE	CWE-502
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	injection, deserialization
OWASP	A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Deserialization of Untrusted Data

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Deserialization of Untrusted Data ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Deserialization of Untrusted Data

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details