Deserialization of untrusted data using shelve
Description
The application uses `shelve` which is vulnerable to deserialization attacks as it calls `pickle` internally. Deserialization attacks exploit the process of reading serialized data and turning it back into an object. By constructing malicious objects and serializing them, an adversary may attempt to inject code that is executed upon object construction or exploit mass assignment.
Examples
Insecure Code
python
shelve.open('example.db')Secure Code
python
import json
with open('example.json') as f:
data = json.load(f)Remediation
Consider safer alternatives such as serializing data in the JSON format. Ensure any format chosen allows the application to specify exactly which object types are allowed to be deserialized. To protect against mass assignment, only allow deserialization of the specific fields that are required.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0139 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | deserialization, pickle, shelve |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |