
Deserialization of user-controlled data

ID: js/unsafe-deserialization
Kind: path-problem
Security severity: 9.8
Severity: warning
Precision: high
Tags:
  - security
  - external/cwe/cwe-502
Query suites:
  - javascript-code-scanning.qls
  - javascript-security-extended.qls
  - javascript-security-and-quality.qls


Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.

Recommendation

Avoid deserialization of untrusted data if at all possible. If the architecture permits it, use formats such as JSON or XML that cannot represent functions at all. When using YAML or another format whose parser can construct functions from the input, ensure that the parser is configured with a schema that disables deserialization of arbitrary functions, and validate the shape of the parsed result against what the application actually expects before using it.

Example

The following example calls the load function of the popular js-yaml package on data taken from an HTTP request path parameter. With js-yaml 3.x, load uses the full schema and will construct JavaScript functions from tagged values in the input, so passing request data to it is inherently unsafe.

```javascript
const app = require("express")(),
      jsyaml = require("js-yaml");

// The route parameter `:data` is attacker-controlled; with js-yaml 3.x,
// `load` will construct functions from `!!js/function` tags inside it.
app.get("/load/:data", function (req, res) {
  let data = jsyaml.load(req.params.data);
  // ...
});
```

Using the safeLoad function instead (which uses the safe schema and does not deserialize YAML-encoded functions) removes the vulnerability. Note that this applies to js-yaml 3.x: in js-yaml 4.x, safeLoad was removed and load is the safe default, with the JavaScript-specific types (including the function type) moved to the separate js-yaml-js-types package, which must be opted into explicitly through the schema option.

```javascript
const app = require("express")(),
      jsyaml = require("js-yaml");

// `safeLoad` parses with the safe schema: `!!js/function` and the other
// JavaScript-specific tags are rejected, so no attacker input becomes code.
app.get("/load/:data", function (req, res) {
  let data = jsyaml.safeLoad(req.params.data);
  // ...
});
```
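To make the mechanism behind the recommendation and the example concrete, the block below is an added example, not code from the CodeQL page or from js-yaml. It is a deliberately small tag-driven deserializer for one-level "key: !!tag value" documents, invented for this illustration (the names deserialize, UNSAFE_SCHEMA, SAFE_SCHEMA, loadUnsafeAndLog, loadSafe and demo are assumptions, as is the constructed attacker document). It shows the two things a practitioner needs to see: a schema whose function tag compiles attacker-supplied source, and the fact that the attacker never has to get the application to call the function explicitly, because a key named toString is invoked by any ordinary string conversion of the parsed object. The hardened schema is the same table with the code-producing constructor left out, which is the same idea as js-yaml 3.x's DEFAULT_SAFE_SCHEMA versus DEFAULT_FULL_SCHEMA, or the restricted schema option in js-yaml 4.x.

```javascript
// Added example, not code from the CodeQL page or from js-yaml.
// Minimal tag-driven deserializer for "key: !!tag value" documents.
// A tag selects a constructor; one constructor compiles source code.

// The dangerous constructor: evaluates the scalar as a JavaScript expression,
// which is conceptually what a "!!js/function" tag does in a full-schema parser.
const FUNCTION_TAG = "!!js/function";

const UNSAFE_SCHEMA = {
  "!!str": (s) => s,
  "!!int": (s) => {
    if (!/^-?\d+$/.test(s)) throw new Error("not an int: " + s);
    return parseInt(s, 10);
  },
  [FUNCTION_TAG]: (s) => new Function("return (" + s + ");")(),
};

// Hardened schema: the same table minus every constructor that can yield code.
// Built by omission so the allow-list is explicit and reviewable.
const SAFE_SCHEMA = {
  "!!str": UNSAFE_SCHEMA["!!str"],
  "!!int": UNSAFE_SCHEMA["!!int"],
};

// key, optional "!!tag", then the scalar text.
const LINE = /^([A-Za-z_][\w-]*):\s*(?:(!![\w/]+)\s+)?(.*)$/;

// Parse `text` into a plain object, resolving tags through `schema`.
// A tag the schema does not list is rejected outright rather than silently
// dropped, so a caller cannot mistake a partial result for success.
function deserialize(text, schema) {
  const out = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = LINE.exec(line);
    if (!m) throw new Error("malformed line: " + line);
    const [, key, tag, value] = m;
    if (tag === undefined) {
      out[key] = value; // untagged scalars stay strings
      continue;
    }
    const construct = schema[tag];
    if (construct === undefined) throw new Error("tag not permitted by schema: " + tag);
    out[key] = construct(value);
  }
  return out;
}

// Constructed sample documents (not real traffic). In the attacker document the
// function is stored under `toString`, so any later string conversion of the
// parsed object (logging, concatenation, templating) runs it.
const BENIGN_DOCUMENT = ["name: !!str weekly-report", "retries: !!int 3"].join("\n");
const ATTACKER_DOCUMENT = [
  BENIGN_DOCUMENT,
  "toString: !!js/function function () { globalThis.pwned = true; return 'owned'; }",
].join("\n");

// Vulnerable path: full schema, then an ordinary string conversion of the result.
function loadUnsafeAndLog(text) {
  const data = deserialize(text, UNSAFE_SCHEMA);
  return "parsed: " + data; // implicit toString() -> attacker code runs here
}

// Hardened path: same input, restricted schema. The tag is refused before any
// constructor runs, so nothing attacker-controlled ever becomes code.
function loadSafe(text) {
  return deserialize(text, SAFE_SCHEMA);
}

// Runs both paths against the attacker document and reports what happened.
function demo() {
  delete globalThis.pwned;
  const unsafeResult = loadUnsafeAndLog(ATTACKER_DOCUMENT);
  const ranAttackerCode = globalThis.pwned === true;
  let safeError = null;
  try {
    loadSafe(ATTACKER_DOCUMENT);
  } catch (e) {
    safeError = e.message;
  }
  return { unsafeResult, ranAttackerCode, safeError };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The important detail is where the check happens: loadSafe fails at tag resolution, before any constructor is given attacker text, and it fails loudly. A parser that silently turned unknown tags into strings would still leave the application to discover, later, that a field it expected to be a number is a string, which is why the recommendation pairs a restricted schema with validation of the parsed result.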
