Deserialization of user-controlled data¶
ID: java/unsafe-deserializationKind: path-problemSecurity severity: 9.8Severity: errorPrecision: highTags: - security - external/cwe/cwe-502Query suites: - java-code-scanning.qls - java-security-extended.qls - java-security-and-quality.qls
Click to see the query in the CodeQL repository
Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.
There are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization throughObjectInputStream/ObjectOutputStream.
Recommendation¶
Avoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.
Alternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.
Recommendations specific to particular frameworks supported by this query:
FastJson -com.alibaba:fastjson
Secure by Default: Partially
Recommendation: Call
com.alibaba.fastjson.parser.ParserConfig#setSafeModewith the argumenttruebefore deserializing untrusted data.
FasterXML -com.fasterxml.jackson.core:jackson-databind
Secure by Default: Yes
Recommendation: Don’t call
com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTypingand don’t annotate any object fields withcom.fasterxml.jackson.annotation.JsonTypeInfopassing either theCLASSorMINIMAL_CLASSvalues to the annotation. Readthis guide.
Kryo -com.esotericsoftware:kryo andcom.esotericsoftware:kryo5
Secure by Default: Yes for
com.esotericsoftware:kryo5and forcom.esotericsoftware:kryo>= v5.0.0Recommendation: Don’t call
com.esotericsoftware.kryo(5).Kryo#setRegistrationRequiredwith the argumentfalseon anyKryoinstance that may deserialize untrusted data.
ObjectInputStream -JavaStandardLibrary
Secure by Default: No
Recommendation: Use a validating input stream, such as
org.apache.commons.io.serialization.ValidatingObjectInputStream.
SnakeYAML -org.yaml:snakeyaml
Secure by Default: As of version 2.0.
Recommendation: For versions before 2.0, pass an instance of
org.yaml.snakeyaml.constructor.SafeConstructortoorg.yaml.snakeyaml.Yaml’s constructor before using it to deserialize untrusted data.
XML Decoder -StandardJavaLibrary
Secure by Default: No
Recommendation: Do not use with untrusted user input.
ObjectMesssage -JavaEE/JakartaEE
Secure by Default: Depends on the JMS implementation.
Recommendation: Do not use with untrusted user input.
Example¶
The following example callsreadObject directly on anObjectInputStream that is constructed from untrusted data, and is therefore inherently unsafe.
publicMyObject{publicintfield;MyObject(intfield){this.field=field;}}publicMyObjectdeserialize(Socketsock){try(ObjectInputStreamin=newObjectInputStream(sock.getInputStream())){return(MyObject)in.readObject();// BAD: in is from untrusted source}}
Rewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.
publicMyObjectdeserialize(Socketsock){try(DataInputStreamin=newDataInputStream(sock.getInputStream())){returnnewMyObject(in.readInt());// GOOD: read only an int}}
References¶
OWASP vulnerability description:Deserialization of untrusted data.
OWASP guidance on deserializing objects:Deserialization Cheat Sheet.
Talks by Chris Frohoff & Gabriel Lawrence: AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day,OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization.
Alvaro Muñoz & Christian Schneider, RSAConference 2016:Serial Killer: Silently Pwning Your Java Endpoints.
SnakeYaml documentation on deserialization:SnakeYaml deserialization (not updated for new behaviour in version 2.0).
Hessian deserialization and related gadget chains:Hessian deserialization.
Castor and Hessian java deserialization vulnerabilities:Castor and Hessian deserialization.
Remote code execution in JYaml library:JYaml deserialization.
JsonIO deserialization vulnerabilities:JsonIO deserialization.
Research by Moritz Bechler:Java Unmarshaller Security - Turning your data into code execution
Blog posts by the developer of Jackson libraries:On Jackson CVEs: Don’t Panic — Here is what you need to knowJackson 2.10: Safe Default Typing
Jabsorb documentation on deserialization:Jabsorb JSON Serializer.
Jodd JSON documentation on deserialization:JoddJson Parser.
RCE in Flexjson:Flexjson deserialization.
Android Intent deserialization vulnerabilities with GSON parser:Insecure use of JSON parsers.
Research by Matthias Kaiser:Pwning Your Java Messaging With Deserialization Vulnerabilities.
Common Weakness Enumeration:CWE-502.