Deserialization of untrusted data using cPickle
Description
The application uses `cPickle`, which is vulnerable to deserialization attacks when it loads untrusted data. Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to inject code that is executed upon object construction or exploit mass assignment.
Examples
Insecure Code
```python
import cPickle
cPickle.loads('...')
```
Secure Code
```python
import json
json.loads('...', object_hook=lambda d: {'name': d['name']})
```
Remediation
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. Use an intermediary type that can be serialized with only the necessary fields exposed and validated against a schema to protect against mass assignment.
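The following Python 3 sketch shows the intermediary-type approach described above; it is an added example, not part of the rule's own documentation. The names `ProfileUpdate`, `PROFILE_SCHEMA`, `load_profile_update` and the `name`/`email` field set are assumptions chosen for illustration.

```python
import json
from dataclasses import dataclass

# Hypothetical schema for this example: allowed field name -> required type.
PROFILE_SCHEMA = {"name": str, "email": str}
MAX_LEN = 256  # assumed upper bound on field length


class ValidationError(ValueError):
    """Raised when input does not match the allowed schema."""


@dataclass(frozen=True)
class ProfileUpdate:
    """Intermediary type: only the fields a client is allowed to set."""
    name: str
    email: str


def load_profile_update(raw: str) -> ProfileUpdate:
    """Parse untrusted JSON into ProfileUpdate, or raise ValidationError."""
    try:
        data = json.loads(raw)
    except (json.JSONDecodeError, RecursionError) as exc:
        raise ValidationError(f"not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValidationError("top-level value must be an object")
    # Reject unknown keys instead of silently dropping them: an extra key
    # such as "is_admin" is a mass-assignment attempt or a client bug.
    unknown = set(data) - set(PROFILE_SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    missing = set(PROFILE_SCHEMA) - set(data)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    for field, expected in PROFILE_SCHEMA.items():
        value = data[field]
        # Exact type match, so numbers, lists, null, etc. are rejected.
        if type(value) is not expected:
            raise ValidationError(f"{field}: expected {expected.__name__}")
        if not 0 < len(value) <= MAX_LEN:
            raise ValidationError(f"{field}: length out of range")
    # Only validated, allow-listed fields reach the application object.
    return ProfileUpdate(**data)
```

Domain objects are then built from `ProfileUpdate` by application code, so a serialized payload never selects which type is instantiated or which attributes are set.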
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0135 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | deserialization, insecure deserialization |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |