Deserialization of untrusted data using dill
Description
The application uses `dill` which is vulnerable to deserialization attacks. Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to inject code that is executed upon object construction or exploit mass assignment.
Examples
Insecure Code
python
import dill; dill.loads(b'R\x80\x03cdill.dill\x90.', fix_imports=True, ignore=True)Secure Code
python
import json; user_object = json.loads('{"name": "test user"}'); user_object['is_admin'] = FalseRemediation
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0136 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | deserialization, insecure deserialization |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |