Deserialization of untrusted data using pickle

Description

The application uses `pickle`, which is vulnerable to deserialization attacks. Deserialization attacks exploit the process of reading serialized data and turning it back into an object: by constructing malicious objects and serializing them, an adversary may attempt to inject code that is executed while the object is reconstructed, or to set fields the application never meant to expose (mass assignment).

Examples

Insecure Code

```python
import pickle

# Untrusted bytes are handed straight to pickle, which can import modules and
# call arbitrary callables while rebuilding the objects in the stream.
pickle.load(...)
```

Secure Code

```python
import json
import jsonschema

# Only a string "name" is accepted; "additionalProperties": False rejects any
# other field, which blocks mass assignment of attributes such as is_admin.
intermediary_schema = {
    "type": "object",
    "properties": {"name": {"type": "string"}},
    "required": ["name"],
    "additionalProperties": False,
}
try:
    jsonschema.validate(instance={'name': 'test user'}, schema=intermediary_schema)
    user_object = {'user': {'name': 'test user', 'is_admin': False}}
except jsonschema.exceptions.ValidationError as ex:
    # Handle validation errors: reject the input rather than fall back to pickle
    raise ValueError(f"invalid user payload: {ex.message}") from ex
```

Remediation

Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required.
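The following is an added example, not code from the rule page or from any tool the page describes. It shows the remediation end to end in standard-library Python: a JSON loader that accepts only an explicit allow-list of fields (so a payload cannot set `is_admin`), a static opcode check that flags pickle streams containing code-loading opcodes without executing them, and an `Unpickler` subclass that refuses every global lookup (the `find_class` pattern from the Python pickle documentation). Plain type checks stand in for `jsonschema` so the block runs without third-party packages; the names `User`, `load_user`, `pickle_uses_code`, `RestrictedUnpickler`, `restricted_loads` and the sample payloads are all hypothetical.

```python
"""Added example (not from the rule page): a JSON-based replacement for
pickle.load with an explicit field allow-list, plus two defensive checks for
pickle streams that cannot be migrated yet. All names are hypothetical."""
import io
import json
import pickle
import pickletools
from dataclasses import dataclass

# Allow-list of fields untrusted input may set, with the type each must have.
# Anything outside this map is rejected instead of being assigned (the
# mass-assignment defence from the Remediation section).
USER_FIELDS = {"name": str, "email": str}


@dataclass
class User:
    name: str
    email: str = ""
    is_admin: bool = False  # decided by the application, never by the payload


class UntrustedInputError(ValueError):
    """Raised when the payload does not match the allow-list."""


def load_user(raw: bytes) -> User:
    """Deserialise a User from untrusted JSON bytes using allow-listed fields only."""
    try:
        data = json.loads(raw)
    except ValueError as ex:  # json.JSONDecodeError and UnicodeDecodeError
        raise UntrustedInputError(f"malformed JSON: {ex}") from ex
    if not isinstance(data, dict):
        raise UntrustedInputError("top-level value must be a JSON object")
    unknown = set(data) - set(USER_FIELDS)
    if unknown:
        raise UntrustedInputError(f"unexpected fields: {sorted(unknown)}")
    if "name" not in data:
        raise UntrustedInputError("missing required field: name")
    for field, expected in USER_FIELDS.items():
        if field in data and not isinstance(data[field], expected):
            raise UntrustedInputError(f"field {field!r} must be {expected.__name__}")
    # Privileged attributes keep their defaults; the payload cannot reach them.
    return User(name=data["name"], email=data.get("email", ""))


# Opcodes through which a pickle stream can import or call code while loading.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def pickle_uses_code(raw: bytes) -> bool:
    """Static check (nothing is executed): does the stream contain any opcode
    that imports a global or invokes a callable? Useful for triage and logging."""
    return any(op.name in CODE_OPCODES for op, _, _ in pickletools.genops(raw))


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup, so only built-in containers and scalars can
    be rebuilt. Uses the find_class override from the Python pickle docs; the
    allow-list of importable names is deliberately empty here."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(raw: bytes):
    """Load a pickle stream with RestrictedUnpickler; raises on any global."""
    return RestrictedUnpickler(io.BytesIO(raw)).load()


# Constructed sample payloads (not real captured data).
SAFE_PAYLOAD = pickle.dumps({"name": "test user"})  # plain dict: no code opcodes
GLOBAL_PAYLOAD = pickle.dumps(len)                  # references builtins.len

if __name__ == "__main__":
    print(load_user(b'{"name": "test user", "email": "t@example.com"}'))
    print("safe payload uses code:", pickle_uses_code(SAFE_PAYLOAD))
    print("global payload uses code:", pickle_uses_code(GLOBAL_PAYLOAD))
    print(restricted_loads(SAFE_PAYLOAD))
```

`load_user` is the long-term fix: the application decides which fields exist and what type they have, and `is_admin` can only ever come from application logic. `pickle_uses_code` and `RestrictedUnpickler` are stop-gaps for data that still arrives pickled; they reduce exposure but do not make `pickle` safe for untrusted input, so the finding should remain open until the format is migrated.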

Rule Details

| Field          | Value                                                                          |
| -------------- | ------------------------------------------------------------------------------ |
| ID             | CODE-0138                                                                      |
| Category       | Deserialization                                                                |
| Severity       | HIGH                                                                           |
| CWE            | CWE-502                                                                        |
| Confidence     | HIGH                                                                           |
| Impact         | HIGH                                                                           |
| Likelihood     | MEDIUM                                                                         |
| Exploitability | EASY                                                                           |
| Tags           | deserialization, pickle                                                        |
| OWASP          | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |