Deserialization of Untrusted Data
Description
Passing user-controlled data to the 'yaml.load()' function can result in remote code injection.
Examples
Insecure Code
```javascript
const yaml = require('js-yaml');
// userInput is attacker-controlled and is deserialized with the default schema, unvalidated
yaml.load(userInput);
```
Secure Code
```javascript
const yaml = require('js-yaml');
// validateUserInput is the application's own check, applied before deserialization
const safeInput = validateUserInput(userInput);
yaml.load(safeInput);
```
Remediation
Use a safe deserialization method or validate user input before passing it to the 'yaml.load()' function.
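The remediation leaves the validation step to the caller. As an added example (not the rule's own code), here is one way to do both parts in JavaScript: parse with a restricted js-yaml schema, then check the shape of the result before use. It assumes js-yaml v4 is installed, and the expected config keys and the function names are placeholders chosen for this illustration.

```javascript
'use strict';

// Allowlist of keys the application expects, with the JS type each must have.
// (Constructed for this example; a real application would define its own shape.)
const EXPECTED = { name: 'string', replicas: 'number', debug: 'boolean' };

// Validate an already-deserialized value: it must be a plain mapping containing
// only allowlisted keys of the right primitive type. Returns { ok, value | error }.
function validateConfig(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return { ok: false, error: 'top-level value must be a mapping' };
  }
  for (const key of Object.keys(value)) {
    if (!Object.prototype.hasOwnProperty.call(EXPECTED, key)) {
      return { ok: false, error: `unexpected key: ${key}` };
    }
    if (typeof value[key] !== EXPECTED[key]) {
      return { ok: false, error: `key ${key} must be of type ${EXPECTED[key]}` };
    }
  }
  return { ok: true, value };
}

// Deserialize untrusted YAML text. Input is size-checked first; JSON_SCHEMA only
// resolves JSON-compatible types, so any custom tag in the input is rejected by
// js-yaml at parse time instead of being resolved to something executable.
function parseUntrustedConfig(text, maxBytes = 64 * 1024) {
  if (typeof text !== 'string' || Buffer.byteLength(text, 'utf8') > maxBytes) {
    return { ok: false, error: 'input missing or too large' };
  }
  const yaml = require('js-yaml'); // hypothetical dependency for this example
  let parsed;
  try {
    parsed = yaml.load(text, { schema: yaml.JSON_SCHEMA });
  } catch (err) {
    return { ok: false, error: `YAML rejected: ${err.message}` };
  }
  return validateConfig(parsed);
}

module.exports = { validateConfig, parseUntrustedConfig };
```

Only values that pass both the parser's schema and the shape check reach application code; anything else is turned into an error result rather than a thrown exception or a live object.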
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0386 |
| Category | Deserialization |
| Severity | CRITICAL |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | insecure deserialization, remote code injection |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |